Edit tour

Windows Analysis Report
HDKuOe.exe

Overview

General Information

Sample name:	HDKuOe.exe
Analysis ID:	1502271
MD5:	4ebffced85203bc1c3c5d9f3afd1045d
SHA1:	35b481018a1087dac0fb57590a57175f51783a34
SHA256:	5310a58317bf00aff0e0d9d6f2008b3389c5298b2c53513fc3ba08e887fca864
Tags:	exe
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for dropped file

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: CurrentVersion Autorun Keys Modification

Too many similar processes found

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

HDKuOe.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\HDKuOe.exe" MD5: 4EBFFCED85203BC1C3C5D9F3AFD1045D)

setup.exe (PID: 7968 cmdline: "C:\Users\user\AppData\Local\Temp\setup.exe" MD5: 12F9523E0ADA8BDABC28FA142D6E56BD)

Snetchball.exe (PID: 8100 cmdline: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 6204 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2900 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2 MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 5820 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3192 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 4564 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3248 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 7368 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725130857939097 --launch-time-ticks=4955405705 --mojo-platform-channel-handle=3420 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 7024 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725130857939097 --launch-time-ticks=4955424672 --mojo-platform-channel-handle=3620 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 3896 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 5184 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 3336 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 5628 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 2496 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 4296 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 5744 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 5088 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 5888 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 6252 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 2136 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 5084 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 6316 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 6928 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 676 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 6008 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 3284 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 3588 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 4556 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 772 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 4548 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 2520 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 4488 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 7596 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 3020 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 980 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 6332 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

Snetchball.exe (PID: 6952 cmdline: "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" MD5: A011E4E8E7502FDFCD1C52A98392FF46)

cleanup

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\setup.exe, ProcessId: 7968, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Snetchball

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: HDKuOe.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Avira: detection malicious, Label: HEUR/AGEN.1352426
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat	Avira: detection malicious, Label: HEUR/AGEN.1359405

Multi AV Scanner detection for domain / URL

Source: http://bobisawinner.xyz/

Virustotal: Detection: 9%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for submitted file

Source: HDKuOe.exe

Virustotal: Detection: 14%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Snetchball\Del.exe	Joe Sandbox ML: detected

Source: HDKuOe.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Snetchball

Jump to behavior

Source: HDKuOe.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: nsa2FED.tmp.5.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: nsa2FED.tmp.5.dr
Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: nsa2FED.tmp.5.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: nsa2FED.tmp.5.dr
Source:	Binary string: libEGL.dll.pdb source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: h:\work\newContent\secondBranch\DeleteProgram\DeleteProgram\obj\Release\KlMain.pdb source: nsa2FED.tmp.5.dr
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: Snetchball.exe, 00000008.00000002.2972867329.000000000537E000.00000002.00000001.01000000.0000000D.sdmp, nsa2FED.tmp.5.dr
Source:	Binary string: *?\|<>/":%s%s.dllC:\Users\user\AppData\Roaming\Snetchball\Snetchball.exel.dll.dll.pdbC:\Users\user\AppData\Roaming\Snetchball\Uninstall.exechball source: setup.exe, 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: Snetchball.exe, 00000008.00000002.2972867329.000000000537E000.00000002.00000001.01000000.0000000D.sdmp, nsa2FED.tmp.5.dr
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: Snetchball.exe, 00000009.00000002.2912966308.0000000004A72000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: Snetchball.exe, Snetchball.exe, 00000009.00000002.2912966308.0000000004A72000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: Xilium.CefGlue.pdb source: setup.exe, 00000005.00000002.2886342435.0000000000539000.00000004.00000020.00020000.00000000.sdmp, nsa2FED.tmp.5.dr
Source:	Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 00000005.00000002.2886342435.0000000000539000.00000004.00000020.00020000.00000000.sdmp, nsa2FED.tmp.5.dr
Source:	Binary string: libGLESv2.dll.pdb source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe

Directory queried: number of queries: 1570

Source: C:\Users\user\Desktop\HDKuOe.exe	Code function: 0_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405B4A
Source: C:\Users\user\Desktop\HDKuOe.exe	Code function: 0_2_004066FF FindFirstFileA,FindClose,	0_2_004066FF
Source: C:\Users\user\Desktop\HDKuOe.exe	Code function: 0_2_004027AA FindFirstFileA,	0_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 5_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	5_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 5_2_004066FF FindFirstFileA,FindClose,	5_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 5_2_004027AA FindFirstFileA,	5_2_004027AA

Source: Joe Sandbox View	IP Address: 139.45.197.238 139.45.197.238
Source: Joe Sandbox View	IP Address: 139.45.197.238 139.45.197.238
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 1.1.1.1 1.1.1.1

Source: Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: HDKuOe.exe, 00000000.00000002.2889112957.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, HDKuOe.exe, 00000000.00000003.2888138233.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bobisawinner.xyz/
Source: HDKuOe.exe, 00000000.00000002.2889158586.00000000005ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bobisawinner.xyz/22/huge.dat
Source: HDKuOe.exe, 00000000.00000002.2889354402.00000000027A6000.00000004.00000020.00020000.00000000.sdmp, HDKuOe.exe, 00000000.00000002.2889020764.0000000000578000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bobisawinner.xyz/22/huge.dat/SILENTgetOK
Source: HDKuOe.exe, 00000000.00000002.2889020764.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, HDKuOe.exe, 00000000.00000003.2888138233.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bobisawinner.xyz/22/huge.datData
Source: HDKuOe.exe, 00000000.00000002.2889020764.0000000000578000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bobisawinner.xyz/22/huge.data
Source: HDKuOe.exe, 00000000.00000002.2889020764.0000000000578000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bobisawinner.xyz/22/huge.datg
Source: HDKuOe.exe, 00000000.00000003.2888251595.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, HDKuOe.exe, 00000000.00000002.2889112957.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bobisawinner.xyz/22/huge.datr
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crbug.com/275944
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crbug.com/378067
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crbug.com/437891.
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crbug.com/456214
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crbug.com/497301
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crbug.com/510270
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crbug.com/514696
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crbug.com/642141
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crbug.com/672186).
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crbug.com/717501
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crbug.com/775961
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crbug.com/819404
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crbug.com/839189
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crbug.com/932466
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crbug.com/957772
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: log4net.xml.5.dr	String found in binary or memory: http://logging.apache.org/log4j
Source: Snetchball.exe	String found in binary or memory: http://logging.apache.org/log4ne
Source: Snetchball.exe, 00000009.00000002.2912966308.0000000004A72000.00000002.00000001.01000000.0000000C.sdmp, log4net.xml.5.dr	String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: log4net.xml.5.dr	String found in binary or memory: http://logging.apache.org/log4net/schemas/log4net-events-1.2>
Source: setup.exe, setup.exe, 00000005.00000000.2530337131.000000000040A000.00000008.00000001.01000000.00000008.sdmp, setup.exe, 00000005.00000003.2778958716.000000000059A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmp, HDKuOe.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: HDKuOe.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sup4tsk.biz
Source: Snetchball.exe, Snetchball.exe, 00000009.00000002.2912966308.0000000004A72000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.apache.org/).
Source: Snetchball.exe, Snetchball.exe, 00000009.00000002.2912966308.0000000004A72000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: Snetchball.exe	String found in binary or memory: http://www.apache.org/licenses/LICEN
Source: Snetchball.exe, 00000009.00000002.2912966308.0000000004A72000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: nsa2FED.tmp.5.dr	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: log4net.xml.5.dr	String found in binary or memory: http://www.connectionstrings.com/
Source: log4net.xml.5.dr	String found in binary or memory: http://www.faqs.org/rfcs/rfc3164.html.
Source: log4net.xml.5.dr	String found in binary or memory: http://www.iana.org/assignments/multicast-addresses
Source: Snetchball.exe, 0000000C.00000002.3090930640.00000000068C1000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: nsa2FED.tmp.5.dr	String found in binary or memory: https://accounts.google.com/
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=745678
Source: nsa2FED.tmp.5.dr	String found in binary or memory: https://chrome.google.com/webstore
Source: nsa2FED.tmp.5.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: en-GB.pak.5.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivity
Source: en-GB.pak.5.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=en-GBCtrl$1
Source: Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, tr.pak.5.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
Source: tr.pak.5.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=trCtrl$1
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: nsa2FED.tmp.5.dr	String found in binary or memory: https://codereview.chromium.org/25305002).
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/SpiderMonkey/Parser_API
Source: Snetchball.exe, 0000000A.00000002.3090731551.0000000005F87000.00000004.10000000.00040000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://educateaasleep.pro/CkjcGX?cost=0.001235&currency=usd&external_id=853844113546814303&creative
Source: nsa2FED.tmp.5.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json/issues/652
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://github.com/acornjs/acorn/issues/575
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://github.com/estree/estree/blob/a27003adf4fd7bfad44de9cef372a2eacd527b1c/es5.md#regexpliteral
Source: Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://my.rtmark.net/img.gif?f=merge
Source: Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://my.rtmark.net/img.gif?f=merge&userId=0080c9be9d3344acf9fbcad75cfc0dce&z=7497252&
Source: Snetchball.exe, 0000000A.00000002.3090731551.0000000005F87000.00000004.10000000.00040000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://my.rtmark.net/img.gif?f=merge&userId=0080c9be9d3344acf9fbcad75cfc0dce&z=7497252&p_rid=73af6d
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://myactivity.google.com/
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.com
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://passwords.google.comGoogle
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comT
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://policies.google.com/
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://raw.githubusercontent.com/rust-lang/rust/
Source: Snetchball.exe, 0000000A.00000002.3090731551.0000000005F87000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/
Source: Snetchball.exe, 0000000A.00000002.3090731551.0000000005F87000.00000004.10000000.00040000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/4/7497252/?ymid=853480838656958464&var=7497251&price=
Source: Snetchball.exe, 0000000A.00000002.3090731551.0000000005F87000.00000004.10000000.00040000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/?z=7497252&syncedCookie=true&rhd=false
Source: Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/afu.php?zoneid=7497252&var=7497252&rid=ksX-wKK1z8yLZCaWKyzJyw%3D%3D&rhd=false&
Source: Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/async_log/add?cid=1db9169f-90f4-4b2d-b517-bc47aab19c1f&ruid=73af6dfa-4d8a-4b08
Source: Snetchball.exe, 0000000A.00000002.3090731551.0000000005F8D000.00000004.10000000.00040000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/log/add?cid=1db9169f-90f4-4b2d-b517-bc47aab19c1f&ruid=73af6dfa-4d8a-4b08-99d9-
Source: Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/sftouch?userId=0080c9be9d3344acf9fbcad75cfc0dce&z=7497252&p_rid=73af6dfa-4d8a-
Source: nsa2FED.tmp.5.dr	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, tr.pak.5.dr	String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: nsa2FED.tmp.5.dr	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: Snetchball.exe, Snetchball.exe, 00000009.00000002.2912966308.0000000004A72000.00000002.00000001.01000000.0000000C.sdmp, Snetchball.exe, 00000009.00000002.2913455746.0000000004AB6000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
Source: nsa2FED.tmp.5.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Atom
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClass
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlLetter
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigits
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Quantifier
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-RegExpUnicodeEscapeSequence
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-AtomEscape
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassEscape
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape
Source: devtools_resources.pak.5.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-term
Source: nsa2FED.tmp.5.dr	String found in binary or memory: https://www.google.com/
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
Source: Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
Source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, tr.pak.5.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
Source: nsa2FED.tmp.5.dr	String found in binary or memory: https://www.google.com/cloudprint
Source: nsa2FED.tmp.5.dr	String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connector
Source: nsa2FED.tmp.5.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: nsa2FED.tmp.5.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: nsa2FED.tmp.5.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: Snetchball.exe, 0000000A.00000002.3090731551.0000000005F87000.00000004.10000000.00040000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.rolltrk4.com/RQ7F4CF/41XS9P2/?sub1=2rppm6p3e9mf3

Source: C:\Users\user\Desktop\HDKuOe.exe

Code function: 0_2_004055E7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004055E7

Source: Snetchball.exe

Process created: 65

Source: C:\Users\user\Desktop\HDKuOe.exe

Code function: 0_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,

0_2_100010D0

Source: C:\Users\user\Desktop\HDKuOe.exe	Code function: 0_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034CC
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 5_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		5_2_004034CC

Source: C:\Users\user\Desktop\HDKuOe.exe	Code function: 0_2_00406A88	0_2_00406A88
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 5_2_00406A88	5_2_00406A88
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Code function: 8_2_00CC4F58	8_2_00CC4F58
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Code function: 9_2_008E4F58	9_2_008E4F58
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Code function: 10_2_017F4F58	10_2_017F4F58
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Code function: 10_2_017F1049	10_2_017F1049
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Code function: 11_2_00A84F58	11_2_00A84F58
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Code function: 12_2_01314F58	12_2_01314F58
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Code function: 12_2_0131F660	12_2_0131F660
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Code function: 12_2_01311049	12_2_01311049
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Code function: 12_2_0131F648	12_2_0131F648
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Code function: 28_2_00FB4F58	28_2_00FB4F58
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Code function: 28_2_00FB3860	28_2_00FB3860

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nsn8E3B.tmp\liteFirewall.dll 9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD

Source: HDKuOe.exe, 00000000.00000002.2889354402.00000000027A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameinetc.dllF vs HDKuOe.exe
Source: HDKuOe.exe, 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameinetc.dllF vs HDKuOe.exe

Source: HDKuOe.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Ionic.Zip.dll.5.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformBlock'
Source: Ionic.Zip.dll.5.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Ionic.Zip.dll.5.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: Snetchball.exe.5.dr, Program.cs

Base64 encoded string: 'g9aKh48nB3kUiC1X1FnSd5o2PQd1VDfRTlOdWlq6XEV35mmTvN1jbxAei/gnFkVJ', 'Uss3SxeVoQwpPhAEZc7dx7wJi2TAFv2cgRUi4jwJCAso+kbbt/8KMJk3rBVv6DFWgVP9Am51k69cA1wdKXB1PQ==', 'PYW1iL5Wc5AMSqMHh8ZBS1tmWmbjfH9MrCM6cpKwnYZxfU4Sfg/JK0pOnHoPQS0DgnyCoBYmYDFhp5d4zthc92h9jeNSFuFFrE7HUic4OrsKBuS9j6DP349zpNuyUUgImgqL1gl+FaXo2w3tXecVFks625ZS8RT9dGKhef9dQGHrKto/OZmqMV03cu9XpHAZ0RrCbc4F2435ENEnQw0gY57wWkcNgrTyjZVzftbSkOi8xPfHk/gyIFPVGnf9iecBQQKLds++DpjlKvbpapOOZAWgYMWdPsTizFM1og+mgoJbvS030rYxWi4xZN5JJiP3dV89EK47m4NOeQXUEzToQJ0pAJSNAsU7SUNS93hqQhk95bDaAulxq8Nkuj90Hvj1UIbFNtlGp6NZk1aRSHEHcNnz9oNOIkj+ctX5V5jrWvUNQbOn2SKpM6HEci0KSmo66+FSG3fHFfG2BQLQXwn/4dvIS4SH6V0ZsAuJ80YGLYDRMCxQ70+P1PiGpZdNXAKdtUUcNiDVPyUgkKiXbGg7KbSazxHIVHtYw47TktCrxc4gXklh2O/tdOud6oRps9T/SPXN6EkbJlCmjNrqbl6OctAtF9briZQCINqOxL/dNhLOAWk+6n7f/0ScVwRzpvjGODmUVBZ0x4Gjw1UNOIsFSR+efoaWJ5roK/iAXZeb2IawWUKgSipFuT+Ugfcne1UHWQTr39Vbz5N/sBFIgh6A+XNrtxW4xaJAM9ALUST+9j7oUyXqYq0aAR7EhH+FsZ+8BpwxvIFoATKdy63yuwPZsoBT7iYPB9PbdJw7qG72h5FwXbrLCc35D2/lUyN+kwi3', 'zH/0yNxtLulHKr6sKpDAmx8OZpBHLAPnNcvmRH+BjQ6GwMRuHz9bgyt0e3ag8nINiBDgkmhyVxsTsV6DItWVJFG6BUTCwsJTwDh6GIfZqz1qmYjt6UEv2WTRfI73WKo56dU4JMcdL3oL9mrhd4W6dDGm+od8gjMbP4CaHRoFxIUUG4AfUkF8aT5BWHULhL5thspF64GpCl57eQdc8seXHpKXmoxs6FLBRr14sZ6jNmBymVvgkSM1QK4Bu/q6BjAqwZjPCUc/SDdUOV85FILfrSgwcq6/06+dviHcEJtXA4iDhxsGrI51llQdCofIDQ5WK5lJ0xRIczpFZ19uJFQZtEvD71pbSxcZRdcCdHHY5CGr55FmNX3X/xU4ph46cgYAedJ7gQn84INWNW64sksRY50JzoCV+XK1+FGcgwx50GoVdcHBiaZVzjCkJ6HzNlG3fUjUetNCqZyOzNVfg/ETmC3T5k4/P83+SvDijqffUQ76pmP53fDwShrebqEG/tDBO1ZHJCx1fKh7lpq2wlCWVraE7fvDw9cZtx3u/QL19nb5LJWkTmvRG1keVFRPoPdDTQlGKpljAOqEVas8vQbjY/02Qmd5vU+xHnMeiNermGQKSstOaYL9oTT0HU0IoxuC9YBXJToMBlNY4bOLjZ6yaiWFqZ2hj22Bi0htm95GI8A=', 'mL0/FtYaW45VeC9KlWlknH0bvFqV/YhrUz7ZFJy4Q9QSfQ/e8vVhcTvEOD7XK1/pS0nLBK5MrtZqEFthkXlXjjVzon+IwnCqx0QPb7KJzqKBVBzzM0lAG0Ro0riizB8qHs38ozt3/RmVAdiQ/B6LoIE4q2GIGC+ZeywMn0z87onwZWKN9prEXEigCHeLVQHHyI1sR+8xS29U/u0OANCKD9eXwqq3M/HM/mgwidx2LfRog6kZ3loD/fDS+PdhmnFQHTQN8zV2PY2UfnwEAhRjhH/whgxFuXzC/A77DRtZtLDCKOgScJHyjAlP8GwoFaZKjV9TLOQ/Sg2k9zTTB6ZMPQ==', 'udixq7zVeJr5B325phtjkiBO/zIBsKR79chIvzMjCJ/xede5YVSCzExMsQCRgXKh', 'gLDOlkamN/rAvcRz/ps3Nw4nDBmnMYtjcsVFbLVGo1LgDRhMoX9JyX7Op9akPqVv', 'NZmxEv5ZMaX7WEE19Q7DdZ6iWD3jh3gi+t8OPWvGaOXbNx4bKShsGswuiuJY5GgF9lb2/CucvraRzsgmQkgyaKwv2BHa9JcdKLQNEqDecerSLoWH2lW78w+Jfji2Y3XG2wBUBMPNJbvZnt/aO44PUwFgMnzhUKkDAcLhK7mpWb/tRKZV3niRh5tD7wiTu/sJBHTFRGjQWsNJ6hLfA5kmf9aH4Nic5U/p+3MVo5/HtvT8QeHu+FLTkRaw9y5k2C8H7tzFT5ybBhy/3ixVYd/kJg==', 'mL0/FtYaW45VeC9KlWlknGn4+Q4Utql4mAv812PuixPl2D3B6/2003HU1OJkvqfPEvOBnIaYYwFbKsDEtGWEyi2qYTDe1HzJkn9fTvSEkgc=', 'U5vad5TN8bARWhoiCX0hGryleo9Gc15uKIJ4oDiCkGoDoFtZLGqhA29EjPaYE9fG', 'J+RivPYzcJT12YE5c20VDqtcnxRfrRmGSBfZadyk0fUnc33cEvmq74HHETKh8Tsk', 'm7ja1tCqHUwo/h61y6zUv4UXEuOHBn4rwnugayw6X4idnsTCk5qeJe39bDsP8wQE', 'mL0/FtYaW45VeC9KlWlknJ4XduWmKTdExOoj20g3M0OoFZGacclPhim3f6DUKgEfN1J0bGElsbk3sKX+gNlY2A==', 'mL0/FtYaW45VeC9KlWlknN7tXUQO0TqmrzzwMPpBrQ3/cwVlmVxh5BShNagD3ldW', 'qSuqIS94Mty4KSjnPmciVLdNgYzhZnwBV7P8xGcro2tfrLQxLagw4KotWhjISm2E/pQpOvU

Source: classification engine

Classification label: mal88.winEXE@276/110@0/9

Source: C:\Users\user\Desktop\HDKuOe.exe	Code function: 0_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034CC
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 5_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		5_2_004034CC

Source: C:\Users\user\Desktop\HDKuOe.exe

Code function: 0_2_00404897 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404897

Source: C:\Users\user\Desktop\HDKuOe.exe

Code function: 0_2_00402173 CoCreateInstance,MultiByteToWideChar,

0_2_00402173

Source: C:\Users\user\Desktop\HDKuOe.exe

File created: C:\Users\user\AppData\Roaming\Snetchball

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_Snetchball_Logs_mainLog.txt
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_Snetchball_Logs_rendLog.txt

Source: C:\Users\user\Desktop\HDKuOe.exe

File created: C:\Users\user\AppData\Local\Temp\nsuFBC2.tmp

Jump to behavior

Source: HDKuOe.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HDKuOe.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HDKuOe.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: HDKuOe.exe

Virustotal: Detection: 14%

Source: C:\Users\user\Desktop\HDKuOe.exe

File read: C:\Users\user\Desktop\HDKuOe.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HDKuOe.exe "C:\Users\user\Desktop\HDKuOe.exe"
Source: C:\Users\user\Desktop\HDKuOe.exe	Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2900 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3192 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3248 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725130857939097 --launch-time-ticks=4955405705 --mojo-platform-channel-handle=3420 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725130857939097 --launch-time-ticks=4955424672 --mojo-platform-channel-handle=3620 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\Desktop\HDKuOe.exe	Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2900 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3192 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3248 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725130857939097 --launch-time-ticks=4955405705 --mojo-platform-channel-handle=3420 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725130857939097 --launch-time-ticks=4955424672 --mojo-platform-channel-handle=3620 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: chrome_elf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mdmregistration.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mdmregistration.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: omadmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: iri.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.gaming.input.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: xinput1_4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: xinput1_4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: chrome_elf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: chrome_elf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: chrome_elf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Section loaded: profapi.dll

Source: C:\Users\user\Desktop\HDKuOe.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Snetchball

Jump to behavior

Source: HDKuOe.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: nsa2FED.tmp.5.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: nsa2FED.tmp.5.dr
Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: nsa2FED.tmp.5.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: nsa2FED.tmp.5.dr
Source:	Binary string: libEGL.dll.pdb source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: h:\work\newContent\secondBranch\DeleteProgram\DeleteProgram\obj\Release\KlMain.pdb source: nsa2FED.tmp.5.dr
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: Snetchball.exe, 00000008.00000002.2972867329.000000000537E000.00000002.00000001.01000000.0000000D.sdmp, nsa2FED.tmp.5.dr
Source:	Binary string: *?\|<>/":%s%s.dllC:\Users\user\AppData\Roaming\Snetchball\Snetchball.exel.dll.dll.pdbC:\Users\user\AppData\Roaming\Snetchball\Uninstall.exechball source: setup.exe, 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: Snetchball.exe, 00000008.00000002.2972867329.000000000537E000.00000002.00000001.01000000.0000000D.sdmp, nsa2FED.tmp.5.dr
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: Snetchball.exe, 00000009.00000002.2912966308.0000000004A72000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: Snetchball.exe, Snetchball.exe, 00000009.00000002.2912966308.0000000004A72000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: Xilium.CefGlue.pdb source: setup.exe, 00000005.00000002.2886342435.0000000000539000.00000004.00000020.00020000.00000000.sdmp, nsa2FED.tmp.5.dr
Source:	Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 00000005.00000002.2886342435.0000000000539000.00000004.00000020.00020000.00000000.sdmp, nsa2FED.tmp.5.dr
Source:	Binary string: libGLESv2.dll.pdb source: setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp

Source: Newtonsoft.Json.dll.5.dr

Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]

Source: C:\Users\user\Desktop\HDKuOe.exe

0_2_100010D0

Source: chrome_elf.dll.5.dr	Static PE information: section name: .00cfg
Source: chrome_elf.dll.5.dr	Static PE information: section name: .crthunk
Source: chrome_elf.dll.5.dr	Static PE information: section name: CPADinfo
Source: chrome_elf.dll.5.dr	Static PE information: section name: malloc_h
Source: libEGL.dll.5.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll.5.dr	Static PE information: section name: .00cfg
Source: libcef.dll.5.dr	Static PE information: section name: .00cfg
Source: libcef.dll.5.dr	Static PE information: section name: .rodata
Source: libcef.dll.5.dr	Static PE information: section name: CPADinfo
Source: libcef.dll.5.dr	Static PE information: section name: malloc_h
Source: vk_swiftshader.dll.5.dr	Static PE information: section name: .00cfg
Source: vulkan-1.dll.5.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Code function: 8_2_00CCDC7B push esp; retf		8_2_00CCDC82
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Code function: 12_2_0131E8A9 push 500569F7h; retf		12_2_0131E8B5

Source: Ionic.Zip.dll.5.dr

Static PE information: section name: .text entropy: 6.821349263259562

Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\widevinecdmadapter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\Ionic.Zip.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\d3dcompiler_43.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HDKuOe.exe	File created: C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\Del.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\libcef.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\swiftshader\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HDKuOe.exe	File created: C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\blowfish.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\chrome_elf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HDKuOe.exe	File created: C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\nsProcess.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsn8E3B.tmp\liteFirewall.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Snetchball\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HDKuOe.exe	File created: C:\Users\user\AppData\Local\Temp\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HDKuOe.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Snetchball			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Snetchball			Jump to behavior

Source: C:\Users\user\Desktop\HDKuOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HDKuOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 1220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 27C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 47C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 8E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 23C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 43C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 17F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 3310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 5310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: A40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2580000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 23A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 1310000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 31C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 1330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 1130000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2CF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 10C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2C30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 1400000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2E70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 4E70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 1720000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 30D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 50D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: CE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 29B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 49B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 1120000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2D10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 1130000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2B00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 4B00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 22C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2590000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 4590000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 1470000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 3250000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 1A20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: DC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 28D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 26E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 1570000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 3260000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 5260000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: A50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2680000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 4680000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 1500000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 31A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: C30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 26F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 46F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: FB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 29D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: A60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 28D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 26F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2C00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 1330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 4900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 29D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: F30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 31C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 3150000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2930000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 12B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2D50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 4D50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2750000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2980000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2810000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 29E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 49E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2360000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: E50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 2800000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Memory allocated: 4800000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe

Thread delayed: delay time: 600000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Snetchball\widevinecdmadapter.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HDKuOe.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\nsProcess.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Snetchball\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Snetchball\Ionic.Zip.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn8E3B.tmp\liteFirewall.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Snetchball\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Snetchball\d3dcompiler_43.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Snetchball\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HDKuOe.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Snetchball\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Snetchball\Del.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Snetchball\libcef.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Snetchball\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Snetchball\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Snetchball\swiftshader\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Snetchball\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HDKuOe.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\blowfish.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Snetchball\libEGL.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe TID: 3796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe TID: 5800	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe TID: 6604	Thread sleep count: 34 > 30

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\HDKuOe.exe	Code function: 0_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405B4A
Source: C:\Users\user\Desktop\HDKuOe.exe	Code function: 0_2_004066FF FindFirstFileA,FindClose,	0_2_004066FF
Source: C:\Users\user\Desktop\HDKuOe.exe	Code function: 0_2_004027AA FindFirstFileA,	0_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 5_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	5_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 5_2_004066FF FindFirstFileA,FindClose,	5_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 5_2_004027AA FindFirstFileA,	5_2_004027AA

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe

Thread delayed: delay time: 600000

Jump to behavior

Source: Snetchball.exe, 0000000A.00000002.2903898351.000000000163A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb"@
Source: HDKuOe.exe, 00000000.00000003.2888251595.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, HDKuOe.exe, 00000000.00000003.2888330842.0000000000605000.00000004.00000020.00020000.00000000.sdmp, HDKuOe.exe, 00000000.00000002.2889112957.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\HDKuOe.exe	API call chain: ExitProcess graph end node			graph_0-3465
Source: C:\Users\user\AppData\Local\Temp\setup.exe	API call chain: ExitProcess graph end node			graph_5-3648

Source: C:\Users\user\Desktop\HDKuOe.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\HDKuOe.exe

0_2_100010D0

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2900 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3192 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3248 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725130857939097 --launch-time-ticks=4955405705 --mojo-platform-channel-handle=3420 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725130857939097 --launch-time-ticks=4955424672 --mojo-platform-channel-handle=3620 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "c:\users\user\appdata\roaming\snetchball\snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 11_0 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.6 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\snetchball\debug.log" --mojo-platform-channel-handle=2900 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "c:\users\user\appdata\roaming\snetchball\snetchball.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 11_0 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.6 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\snetchball\debug.log" --mojo-platform-channel-handle=3192 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "c:\users\user\appdata\roaming\snetchball\snetchball.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 11_0 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.6 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\snetchball\debug.log" --mojo-platform-channel-handle=3248 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "c:\users\user\appdata\roaming\snetchball\snetchball.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 11_0 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.6 mobile/15e148 safari/604.1" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\snetchball\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725130857939097 --launch-time-ticks=4955405705 --mojo-platform-channel-handle=3420 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "c:\users\user\appdata\roaming\snetchball\snetchball.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 11_0 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.6 mobile/15e148 safari/604.1" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\snetchball\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725130857939097 --launch-time-ticks=4955424672 --mojo-platform-channel-handle=3620 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "c:\users\user\appdata\roaming\snetchball\snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 11_0 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.6 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\snetchball\debug.log" --mojo-platform-channel-handle=2900 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "c:\users\user\appdata\roaming\snetchball\snetchball.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 11_0 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.6 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\snetchball\debug.log" --mojo-platform-channel-handle=3192 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "c:\users\user\appdata\roaming\snetchball\snetchball.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 11_0 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.6 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\snetchball\debug.log" --mojo-platform-channel-handle=3248 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "c:\users\user\appdata\roaming\snetchball\snetchball.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 11_0 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.6 mobile/15e148 safari/604.1" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\snetchball\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725130857939097 --launch-time-ticks=4955405705 --mojo-platform-channel-handle=3420 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Process created: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe "c:\users\user\appdata\roaming\snetchball\snetchball.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 11_0 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.6 mobile/15e148 safari/604.1" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\snetchball\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725130857939097 --launch-time-ticks=4955424672 --mojo-platform-channel-handle=3620 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\HDKuOe.exe

Code function: 0_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034CC

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe

Directory queried: number of queries: 1570

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Windows Service	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	11 Process Injection	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	11 Process Injection	LSA Secrets	12 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HDKuOe.exe	15%	Virustotal		Browse
HDKuOe.exe	8%	ReversingLabs
HDKuOe.exe	100%	Avira	HEUR/AGEN.1359405

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	100%	Avira	HEUR/AGEN.1352426
C:\Users\user\AppData\Local\Temp\setup.exe	100%	Avira	HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat	100%	Avira	HEUR/AGEN.1359405
C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Snetchball\Del.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat	12%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat	9%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\nsn8E3B.tmp\liteFirewall.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\INetC.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\blowfish.dll	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\nsProcess.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\setup.exe	9%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\Snetchball\Del.exe	7%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\Ionic.Zip.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe	8%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\Uninstall.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\chrome_elf.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\d3dcompiler_43.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\libcef.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\log4net.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\swiftshader\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\swiftshader\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\vk_swiftshader.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\vulkan-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Snetchball\widevinecdmadapter.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash	0%	URL Reputation	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash	0%	URL Reputation	safe
https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape	0%	URL Reputation	safe
https://support.google.com/chrome/answer/6098869	0%	URL Reputation	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-Atom	0%	URL Reputation	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash	0%	URL Reputation	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom	0%	URL Reputation	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion	0%	URL Reputation	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges	0%	URL Reputation	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges	0%	URL Reputation	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape	0%	URL Reputation	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits	0%	URL Reputation	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape	0%	URL Reputation	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter	0%	URL Reputation	safe
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://www.apache.org/licenses/LICEN	0%	Avira URL Cloud	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter	0%	Avira URL Cloud	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape	0%	URL Reputation	safe
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.html	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
https://www.newtonsoft.com/jsonschema	0%	URL Reputation	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern	0%	URL Reputation	safe
http://www.unicode.org/copyright.html	0%	URL Reputation	safe
https://support.google.com/chrome/?p=plugin_flash	0%	URL Reputation	safe
https://www.newtonsoft.com/json	0%	URL Reputation	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction	0%	URL Reputation	safe
https://www.ecma-international.org/ecma-262/8.0/#sec-term	0%	Avira URL Cloud	safe
https://rouonixon.com/log/add?cid=1db9169f-90f4-4b2d-b517-bc47aab19c1f&ruid=73af6dfa-4d8a-4b08-99d9-	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICEN	0%	Virustotal		Browse
https://www.ecma-international.org/ecma-262/8.0/#sec-term	0%	Virustotal		Browse
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u	0%	Virustotal		Browse
https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit	0%	Avira URL Cloud	safe
http://crbug.com/510270	0%	Avira URL Cloud	safe
http://crbug.com/510270	0%	Virustotal		Browse
https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=urCtrl$2	0%	Avira URL Cloud	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit	0%	Virustotal		Browse
https://www.google.com/chrome/privacy/eula_text.html	1%	Virustotal		Browse
https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit	0%	Virustotal		Browse
https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix	0%	Virustotal		Browse
http://crbug.com/378067	0%	Virustotal		Browse
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	0%	Virustotal		Browse
http://crbug.com/378067	0%	Avira URL Cloud	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=trCtrl$1	0%	Avira URL Cloud	safe
http://bobisawinner.xyz/	0%	Avira URL Cloud	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence	0%	Avira URL Cloud	safe
https://photos.google.com/settings?referrer=CHROME_NTP	0%	Avira URL Cloud	safe
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	0%	Avira URL Cloud	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier	0%	Avira URL Cloud	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter	0%	Avira URL Cloud	safe
https://www.google.com/cloudprint	0%	Avira URL Cloud	safe
https://passwords.google.com	0%	Avira URL Cloud	safe
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	0%	Virustotal		Browse
http://www.iana.org/assignments/multicast-addresses	0%	Avira URL Cloud	safe
http://bobisawinner.xyz/	9%	Virustotal		Browse
https://passwords.google.com	0%	Virustotal		Browse
http://crbug.com/497301	0%	Avira URL Cloud	safe
https://github.com/JamesNK/Newtonsoft.Json/issues/652	0%	Avira URL Cloud	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence	0%	Virustotal		Browse
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape	0%	Avira URL Cloud	safe
https://photos.google.com/settings?referrer=CHROME_NTP	0%	Virustotal		Browse
https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter	0%	Virustotal		Browse
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	0%	Avira URL Cloud	safe
https://www.google.com/cloudprint	1%	Virustotal		Browse
http://crbug.com/497301	0%	Virustotal		Browse
http://www.iana.org/assignments/multicast-addresses	0%	Virustotal		Browse
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape	0%	Avira URL Cloud	safe
http://crbug.com/642141	0%	Avira URL Cloud	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier	0%	Virustotal		Browse
http://logging.apache.org/log4ne	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
http://bobisawinner.xyz/22/huge.dat	0%	Avira URL Cloud	safe
https://github.com/JamesNK/Newtonsoft.Json/issues/652	0%	Virustotal		Browse
http://crbug.com/642141	0%	Virustotal		Browse
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape	0%	Virustotal		Browse
https://rouonixon.com/sftouch?userId=0080c9be9d3344acf9fbcad75cfc0dce&z=7497252&p_rid=73af6dfa-4d8a-	0%	Avira URL Cloud	safe
http://www.connectionstrings.com/	0%	Avira URL Cloud	safe
https://support.google.com/chromebook?p=app_intent	0%	Avira URL Cloud	safe
http://bobisawinner.xyz/22/huge.dat	3%	Virustotal		Browse
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape	0%	Virustotal		Browse
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence	0%	Avira URL Cloud	safe
http://crbug.com/717501	0%	Avira URL Cloud	safe
http://crbug.com/957772	0%	Avira URL Cloud	safe
https://support.google.com/chromebook?p=app_intent	0%	Virustotal		Browse
http://crbug.com/839189	0%	Avira URL Cloud	safe
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence	0%	Virustotal		Browse
https://chrome.google.com/webstore	0%	Avira URL Cloud	safe
http://crbug.com/839189	0%	Virustotal		Browse
http://crbug.com/717501	0%	Virustotal		Browse
http://bobisawinner.xyz/22/huge.datr	0%	Avira URL Cloud	safe
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://www.rolltrk4.com/RQ7F4CF/41XS9P2/?sub1=2rppm6p3e9mf3	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivity	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.html&	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash	devtools_resources.pak.5.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape	devtools_resources.pak.5.dr	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICEN	Snetchball.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.google.com/chrome/answer/6098869	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	false	URL Reputation: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter	devtools_resources.pak.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.html	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	Snetchball.exe, 00000009.00000002.2912966308.0000000004A72000.00000002.00000001.01000000.0000000C.sdmp, log4net.xml.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-Atom	devtools_resources.pak.5.dr	false	URL Reputation: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#sec-term	devtools_resources.pak.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://rouonixon.com/log/add?cid=1db9169f-90f4-4b2d-b517-bc47aab19c1f&ruid=73af6dfa-4d8a-4b08-99d9-	Snetchball.exe, 0000000A.00000002.3090731551.0000000005F8D000.00000004.10000000.00040000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit	devtools_resources.pak.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crbug.com/510270	nsa2FED.tmp.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit	devtools_resources.pak.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=urCtrl$2	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix	devtools_resources.pak.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crbug.com/378067	nsa2FED.tmp.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://photos.google.com/settings?referrer=CHROME_NTP	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence	devtools_resources.pak.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=trCtrl$1	tr.pak.5.dr	false	Avira URL Cloud: safe	unknown
http://bobisawinner.xyz/	HDKuOe.exe, 00000000.00000002.2889112957.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, HDKuOe.exe, 00000000.00000003.2888138233.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash	devtools_resources.pak.5.dr	false	URL Reputation: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier	devtools_resources.pak.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter	devtools_resources.pak.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/cloudprint	nsa2FED.tmp.5.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://passwords.google.com	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom	devtools_resources.pak.5.dr	false	URL Reputation: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion	devtools_resources.pak.5.dr	false	URL Reputation: safe	unknown
http://www.iana.org/assignments/multicast-addresses	log4net.xml.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crbug.com/497301	nsa2FED.tmp.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/JamesNK/Newtonsoft.Json/issues/652	nsa2FED.tmp.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape	devtools_resources.pak.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape	devtools_resources.pak.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crbug.com/642141	nsa2FED.tmp.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://logging.apache.org/log4ne	Snetchball.exe	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bobisawinner.xyz/22/huge.dat	HDKuOe.exe, 00000000.00000002.2889158586.00000000005ED000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://rouonixon.com/sftouch?userId=0080c9be9d3344acf9fbcad75cfc0dce&z=7497252&p_rid=73af6dfa-4d8a-	Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges	devtools_resources.pak.5.dr	false	URL Reputation: safe	unknown
http://www.connectionstrings.com/	log4net.xml.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.google.com/chromebook?p=app_intent	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence	devtools_resources.pak.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crbug.com/717501	nsa2FED.tmp.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crbug.com/957772	nsa2FED.tmp.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges	devtools_resources.pak.5.dr	false	URL Reputation: safe	unknown
http://crbug.com/839189	nsa2FED.tmp.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore	nsa2FED.tmp.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape	devtools_resources.pak.5.dr	false	URL Reputation: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits	devtools_resources.pak.5.dr	false	URL Reputation: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape	devtools_resources.pak.5.dr	false	URL Reputation: safe	unknown
http://bobisawinner.xyz/22/huge.datr	HDKuOe.exe, 00000000.00000003.2888251595.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, HDKuOe.exe, 00000000.00000002.2889112957.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter	devtools_resources.pak.5.dr	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u	Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp	false	Avira URL Cloud: safe	unknown
https://www.rolltrk4.com/RQ7F4CF/41XS9P2/?sub1=2rppm6p3e9mf3	Snetchball.exe, 0000000A.00000002.3090731551.0000000005F87000.00000004.10000000.00040000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivity	en-GB.pak.5.dr	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	HDKuOe.exe	false	URL Reputation: safe	unknown
https://www.google.com/chrome/privacy/eula_text.html&	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://logging.apache.org/log4j	log4net.xml.5.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlT&r	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rouonixon.com/async_log/add?cid=1db9169f-90f4-4b2d-b517-bc47aab19c1f&ruid=73af6dfa-4d8a-4b08	Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crbug.com/819404	nsa2FED.tmp.5.dr	false	Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape	devtools_resources.pak.5.dr	false	URL Reputation: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term	devtools_resources.pak.5.dr	false	Avira URL Cloud: safe	unknown
http://crbug.com/514696	nsa2FED.tmp.5.dr	false	Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.3031496711.0000000005B50000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr	false	Avira URL Cloud: safe	unknown
http://bobisawinner.xyz/22/huge.dat/SILENTgetOK	HDKuOe.exe, 00000000.00000002.2889354402.00000000027A6000.00000004.00000020.00020000.00000000.sdmp, HDKuOe.exe, 00000000.00000002.2889020764.0000000000578000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://educateaasleep.pro/CkjcGX?cost=0.001235&currency=usd&external_id=853844113546814303&creative	Snetchball.exe, 0000000A.00000002.3090731551.0000000005F87000.00000004.10000000.00040000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bobisawinner.xyz/22/huge.datg	HDKuOe.exe, 00000000.00000002.2889020764.0000000000578000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	setup.exe, setup.exe, 00000005.00000000.2530337131.000000000040A000.00000008.00000001.01000000.00000008.sdmp, setup.exe, 00000005.00000003.2778958716.000000000059A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmp, HDKuOe.exe	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, tr.pak.5.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=ukCtrl$1	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.install-stat.debug.world/clients/installs	Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.newtonsoft.com/jsonschema	nsa2FED.tmp.5.dr	false	URL Reputation: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative	devtools_resources.pak.5.dr	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/a/answer/9122284	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp, tr.pak.5.dr	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/rust-lang/rust/	devtools_resources.pak.5.dr	false	Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits	devtools_resources.pak.5.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore/	nsa2FED.tmp.5.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/	nsa2FED.tmp.5.dr	false	Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern	devtools_resources.pak.5.dr	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bobisawinner.xyz/22/huge.data	HDKuOe.exe, 00000000.00000002.2889020764.0000000000578000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=en-GBCtrl$1	en-GB.pak.5.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=zh-CNCtrl$1	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1	Snetchball.exe, Snetchball.exe, 00000009.00000002.2912966308.0000000004A72000.00000002.00000001.01000000.0000000C.sdmp, Snetchball.exe, 00000009.00000002.2913455746.0000000004AB6000.00000002.00000001.01000000.0000000C.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter	devtools_resources.pak.5.dr	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/answer/6258784	nsa2FED.tmp.5.dr	false	Avira URL Cloud: safe	unknown
http://www.unicode.org/copyright.html	Snetchball.exe, 0000000C.00000002.3090930640.00000000068C1000.00000002.00000001.00040000.0000001D.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity	setup.exe, 00000005.00000002.2886956143.0000000002746000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://my.rtmark.net/img.gif?f=merge	Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crbug.com/775961	nsa2FED.tmp.5.dr	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=plugin_flash	nsa2FED.tmp.5.dr	false	URL Reputation: safe	unknown
https://rouonixon.com/?z=7497252&syncedCookie=true&rhd=false	Snetchball.exe, 0000000A.00000002.3090731551.0000000005F87000.00000004.10000000.00040000.00000000.sdmp, Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rouonixon.com/afu.php?zoneid=7497252&var=7497252&rid=ksX-wKK1z8yLZCaWKyzJyw%3D%3D&rhd=false&	Snetchball.exe, 0000000C.00000002.2908087399.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.newtonsoft.com/json	nsa2FED.tmp.5.dr	false	URL Reputation: safe	unknown
https://codereview.chromium.org/25305002).	nsa2FED.tmp.5.dr	false	Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction	devtools_resources.pak.5.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
139.45.197.238	unknown	Netherlands	9002	RETN-ASEU	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
185.117.88.231	unknown	Netherlands	42708	PORTLANEwwwportlanecomSE	false
34.149.124.125	unknown	United States	2686	ATGS-MMD-ASUS	false
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	false
139.45.195.8	unknown	Netherlands	9002	RETN-ASEU	false
185.117.88.39	unknown	Netherlands	42708	PORTLANEwwwportlanecomSE	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502271
Start date and time:	2024-08-31 22:20:49 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	HDKuOe.exe
Detection:	MAL
Classification:	mal88.winEXE@276/110@0/9
EGA Information:	Successful, ratio: 37.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 368 Number of non-executed functions: 54
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Connection to analysis system has been lost, crash info: Unknown
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target Snetchball.exe, PID 4296 because it is empty
Execution Graph export aborted for target Snetchball.exe, PID 4564 because it is empty
Execution Graph export aborted for target Snetchball.exe, PID 5820 because it is empty
Execution Graph export aborted for target Snetchball.exe, PID 6204 because it is empty
Execution Graph export aborted for target Snetchball.exe, PID 7368 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
21:23:32	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Snetchball C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
21:23:40	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Snetchball C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
139.45.197.238	http://rndskittytor.com	Get hash	malicious	Unknown	Browse	rndskittytor.com/favicon.ico
	http://whairtoa.com:443	Get hash	malicious	Unknown	Browse	whairtoa.com:443/
	http://deloplen.com/apu.php?zoneid=695986	Get hash	malicious	Unknown	Browse	deloplen.com/apu.php?zoneid=695986
	http://www.footybite.tv/watch/sports-hd1.htm	Get hash	malicious	Unknown	Browse	cdrvrs.com/tag.min.js
	http://soaheeme.net	Get hash	malicious	Unknown	Browse	soaheeme.net/favicon.ico
	http://soaheeme.net	Get hash	malicious	Unknown	Browse	soaheeme.net/favicon.ico
	http://glaurtas.com	Get hash	malicious	Unknown	Browse	glaurtas.com/favicon.ico
162.159.61.3	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Win64.Krypt.13435.32435.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
1.1.1.1	PO-230821_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
	AFfv8HpACF.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
	INVOICE_90990_PDF.exe	Get hash	malicious	FormBook	Browse	www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
	Go.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
185.117.88.231	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe	Get hash	malicious	Unknown	Browse
185.117.88.231	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Launcher_x32_x64.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	l5u4ezxr.u51.exe	Get hash	malicious	LummaC	Browse	104.21.69.149
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe	Get hash	malicious	Unknown	Browse	172.65.154.135
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	OmnqazpM3P.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	162.159.134.233
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
PORTLANEwwwportlanecomSE	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	5.254.217.95
	Requerimiento_Juridico_Proferido_N#U00b0_437361838..exe	Get hash	malicious	AsyncRAT, DcRat	Browse	46.246.80.9
	chrome.exe	Get hash	malicious	Unknown	Browse	46.246.120.178
	PURCHASE_ORDER.js	Get hash	malicious	AsyncRAT	Browse	46.246.14.66
	Ref_87021929821US20240709031221656.js	Get hash	malicious	Nanocore	Browse	46.246.14.67
	qZvaZQbxa5.exe	Get hash	malicious	XWorm	Browse	46.246.4.9
	WQfmuMk5HB.exe	Get hash	malicious	XWorm	Browse	46.246.4.9
	file.exe	Get hash	malicious	SmokeLoader	Browse	46.246.96.149
	file.exe	Get hash	malicious	SmokeLoader	Browse	46.246.96.149
RETN-ASEU	http://metamasskluginn.blogspot.co.uk/	Get hash	malicious	Unknown	Browse	139.45.197.236
	3O5Uh9S6wK.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	109.94.208.20
	http://stream.crichd.vip/update/sscricket.php	Get hash	malicious	Unknown	Browse	139.45.197.236
	https://squad.cl:443/MTU0czVIMDg3ODR6OG4=	Get hash	malicious	Unknown	Browse	139.45.197.236
	hH0XORBaVy.exe	Get hash	malicious	Panda Stealer	Browse	109.94.208.20
	https://thubanoa.com/1?z=6533428	Get hash	malicious	Unknown	Browse	139.45.197.242
	http://glogopse.net	Get hash	malicious	Unknown	Browse	139.45.197.244
	https://zpr.io/CCttTX8DkxHn	Get hash	malicious	HTMLPhisher	Browse	139.45.197.250
	http://omnatuor.com	Get hash	malicious	Unknown	Browse	139.45.197.227
	http://byzoruator.com	Get hash	malicious	Unknown	Browse	139.45.197.168
CLOUDFLARENETUS	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Launcher_x32_x64.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	l5u4ezxr.u51.exe	Get hash	malicious	LummaC	Browse	104.21.69.149
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	SecuriteInfo.com.Win64.MalwareX-gen.30136.14956.exe	Get hash	malicious	Unknown	Browse	172.65.154.135
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	OmnqazpM3P.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	162.159.134.233
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsn8E3B.tmp\liteFirewall.dll	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse
	file.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	5GOuTtZoQn.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	JuHVfiAuLo.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	LXbM8RbhLa.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	EiPVv5yELP.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat

Download File

Process:	C:\Users\user\Desktop\HDKuOe.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	107389293
Entropy (8bit):	7.999791995771623
Encrypted:	true
SSDEEP:	3145728:neFBulLqoMlJ6dgXfXYLN1BbPOUwvSpQQ5695E:eFBulWFX6uXfXkyvSpQQw95E
MD5:	12F9523E0ADA8BDABC28FA142D6E56BD
SHA1:	FFD3F235A31077FC78FE0D5BDE27EA82CF3A6C5A
SHA-256:	2A59EE739A940EB9AB9B8BC0DA7D30BB0A05345D35AB4B0432E817AEF7A25025
SHA-512:	323750747F2ED05D54CC8BD8C0A94596862A5E0AC17719062C96B05B8AA12F297D182298A4DC947B0BF7BBF750B2EFBBD24E3E71BB12EF238D2C1CA72D2A700A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Virustotal, Detection: 12%, Browse Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8.......................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsa2FED.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	358428557
Entropy (8bit):	6.971520343238391
Encrypted:	false
SSDEEP:	3145728:6TzytRGD/CYRNIPKYTFBhfmOS9KBaVzTx9OSsRV97nv:6nUs4tvaVzTD9ov
MD5:	AF7432F265CD5D3ED2676BE7FB688F96
SHA1:	31F3A588BEABC909312B8AE3C3DDB125620D07F4
SHA-256:	BD3662DB6D1C9DA6D041D8E51369556CA3A344555598763FB49414CA527BB324
SHA-512:	3AE205F50878659C6BE4C59370E7904AD21FCEA5CCC3C89603C9C4E3009E28D2899501046E8EA608D0A56D2C8E87A8B7E65D1F94422E53C630F4A72B5EB8B6A1
Malicious:	false
Preview:	........,.......................H...........................................................................................................................................................................................................................................................e...i...............j.......................3.......................................................................................................................t....W..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsn8E3B.tmp\liteFirewall.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	82944
Entropy (8bit):	6.389604568119155
Encrypted:	false
SSDEEP:	1536:Dli3i1jKfTV0LzYpAzMk2nACScLw5jPAT:j9KLQ+ScLw5jPAT
MD5:	165E1EF5C79475E8C33D19A870E672D4
SHA1:	965F02BFD103F094AC6B3EEF3ABE7FDCB8D9E2A5
SHA-256:	9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD
SHA-512:	CD10EAF0928E5DF048BF0488D9DBFE9442E2E106396A0967462BEF440BF0B528CDF3AB06024FB6FDAF9F247E2B7F3CA0CEA78AFC0CE6943650EF9D6C91FEE52A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 5GOuTtZoQn.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe, Detection: malicious, Browse Filename: JuHVfiAuLo.exe, Detection: malicious, Browse Filename: LXbM8RbhLa.exe, Detection: malicious, Browse Filename: EiPVv5yELP.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W=.e9n.e9n.e9n...n.e9n...n.e9n..Bn.e9n.e8n.e9n.7.n.e9n...n.e9n...n.e9n...n.e9nRich.e9n........PE..L...,.N...........!.........^.......%...............................................3..................................`...$'..d....`.......................p...................................... ...@...............h............................text...1........................... ..`.rdata..P/.......0..................@..@.data........0......................@....rsrc........`.......*..............@..@.reloc.......p.......,..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\INetC.dll

Download File

Process:	C:\Users\user\Desktop\HDKuOe.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.668346578219837
Encrypted:	false
SSDEEP:	384:VpOSdCjDyyvBwRlX+ODbswYM2s74NS0v0Ac9khYLMkIX0+Gzyekx:rdCjW/lX1PfYM2X1
MD5:	92EC4DD8C0DDD8C4305AE1684AB65FB0
SHA1:	D850013D582A62E502942F0DD282CC0C29C4310E
SHA-256:	5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934
SHA-512:	581351AEF694F2489E1A0977EBCA55C4D7268CA167127CEFB217ED0D2098136C7EB433058469449F75BE82B8E5D484C9E7B6CF0B32535063709272D7810EC651
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9<.EXR.EXR.EXR.b.).LXR.EXS..XR.b. .FXR.b.(.DXR.b...DXR.b.*.DXR.RichEXR.................PE..L....I6V...........!.....8...P......Q?.......P...................................................................... G..l....?..d.......(...............................................................................P............................text....7.......8.................. ..`.data...<<...P.......<..............@....rsrc...(............D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\blowfish.dll

Download File

Process:	C:\Users\user\Desktop\HDKuOe.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	6.674611218414922
Encrypted:	false
SSDEEP:	384:yTxz0Cv0hqd+1TjQmd9YWrSUEc//////OD5hF92IJpJgLa0MpoYfAz6S:jCvsqdS3QGBREc//////Q53NgLa1ub
MD5:	5AFD4A9B7E69E7C6E312B2CE4040394A
SHA1:	FBD07ADB3F02F866DC3A327A86B0F319D4A94502
SHA-256:	053B4487D22AACF8274BAB448AE1D665FE7926102197B47BFBA6C7ED5493B3AE
SHA-512:	F78EFE9D1FA7D2FFC731D5F878F81E4DCBFAF0C561FDFBF4C133BA2CE1366C95C4672D67CAE6A8BD8FCC7D04861A9DA389D98361055AC46FC9793828D9776511
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................6..........dD.......P....@.....................................................................Y.......................................p...................................................................................CODE....\|4.......6.................. ..`DATA....8....P.......:..............@...BSS..........p.......L...................idata...............L..............@....edata..Y............P..............@..P.reloc..p............R..............@..P.rsrc................V..............@..P.....................X..............@..P................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\nsProcess.dll

Download File

Process:	C:\Users\user\Desktop\HDKuOe.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	4.666004851298707
Encrypted:	false
SSDEEP:	48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
MD5:	FAA7F034B38E729A983965C04CC70FC1
SHA1:	DF8BDA55B498976EA47D25D8A77539B049DAB55E
SHA-256:	579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
SHA-512:	7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.I...I...I...n\|f.L...I...Q...@..K...@..H...@..H...RichI...........PE..L...`..N...........!......................... ...............................`.......................................#....... ..<....@.......................P..\|.................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data... ....0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsuFBC3.tmp

Download File

Process:	C:\Users\user\Desktop\HDKuOe.exe
File Type:	data
Category:	dropped
Size (bytes):	63592
Entropy (8bit):	5.452715462943859
Encrypted:	false
SSDEEP:	1536:GM53GojW/lX1Xb41AkqY3Q4Oc//////Q0La:Z53GojW/XXyv3Sc//////Q3
MD5:	B5869E31D86E4D4C1A7AF5386A959F1E
SHA1:	EF4C213F4FBE4C9560B8AA8B8C92C948B344A03A
SHA-256:	6CC79BBE8E1B2FDBAF1271B3687CA3946CE916E1BC3EB4D0BF3EBD222E3C853D
SHA-512:	30C586AF0A5F5E3F877FB6DCD2A60EE681B5D78FB1EA55621385FF45A07B8CC9AF0E5930918AC16407179638BAA6DCF8AC61ABFFFC95E72FC16A11413647E445
Malicious:	false
Preview:	X8......,........................1......~7......X8..............................................................................................................................................................................................................................................................j.......,.../...5.......3.......................................................................................................................L.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\setup.exe

Download File

Process:	C:\Users\user\Desktop\HDKuOe.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	107389293
Entropy (8bit):	7.999791995771623
Encrypted:	true
SSDEEP:	3145728:neFBulLqoMlJ6dgXfXYLN1BbPOUwvSpQQ5695E:eFBulWFX6uXfXkyvSpQQw95E
MD5:	12F9523E0ADA8BDABC28FA142D6E56BD
SHA1:	FFD3F235A31077FC78FE0D5BDE27EA82CF3A6C5A
SHA-256:	2A59EE739A940EB9AB9B8BC0DA7D30BB0A05345D35AB4B0432E817AEF7A25025
SHA-512:	323750747F2ED05D54CC8BD8C0A94596862A5E0AC17719062C96B05B8AA12F297D182298A4DC947B0BF7BBF750B2EFBBD24E3E71BB12EF238D2C1CA72D2A700A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8.......................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\DawnCache\data_0

Download File

Process:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\DawnCache\data_1

Download File

Process:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012096502606932763
Encrypted:	false
SSDEEP:	3:MsEllllkXl:/M/6
MD5:	259E7ED5FB3C6C90533B963DA5B2FC1B
SHA1:	DF90EABDA434CA50828ABB039B4F80B7F051EC77
SHA-256:	35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
SHA-512:	9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\DawnCache\data_2

Download File

Process:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\DawnCache\data_3

Download File

Process:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
File Type:	data
Category:	modified
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\DawnCache\index

Download File

Process:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNlZmt:Ls3Zmt
MD5:	EC40FB343C8CDD163AE0E129378F1C52
SHA1:	F42FFFB8425E87FC2C12176C9790AE5DE4B602F3
SHA-256:	F5B0F51846C8DEDCF4E8602241B0BC872B89D58B1F95691FE3AF884E0CFB2E40
SHA-512:	A0313A72B5F5077D61B6335A32DED54B4A4C942202F294CC9242BE1F88F7A949C7D77FC1BCE676F9BE5985007FA458E13F535E8B95939D21DD3ED696EE61AAEF
Malicious:	false
Preview:	............................................./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\Del.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.622398838808078
Encrypted:	false
SSDEEP:	96:QPjzIyfbInD3W0IwrBmEH7UewW4ORIhmY5XO40uK8DDzNt:pQIS0IwrJbU7W4kIX5e4kgF
MD5:	97D4D47D539CB8171BE2AEFD64C6EBB1
SHA1:	44ABF82DD553CCE0C1F41B9B78D853075DDD1F16
SHA-256:	8D996D5F68BF2248F223C4F3549303BC6A8EC58CC97FCB63B7BB7D8068850273
SHA-512:	7D402847B093E208410C695095DE815A3F5D5DA81630FD51C88C009C48C269D0EA5016D626351BB9D38862163FAD930645072C50ACCCD743DC0E19531A592FDE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 7%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.].........."...0.............64... ...@....@.. ....................................@..................................3..O....@.......................`.......2............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H........#...............1...............................................0..-.......(....r...p(.....(.......(....,...(....(........0..T........~....(.....~....(.....(....s....%.o....%.o....%.o....%.o....%~....o....(....&..&..........PP.......0..6.......(....(......( ...r...p~....r...p(!.....("...,...(#......0..........r...p.~$.....o%.....,..~....o&......,..o'....ra..p.~$.....o%.....,..~....o(......,..o'....r...p.~$.....o%.....,..~....o(......,..o'......&..*....4.......#..

C:\Users\user\AppData\Roaming\Snetchball\GPUCache\data_0

Download File

Process:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\GPUCache\data_1

Download File

Process:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012096502606932763
Encrypted:	false
SSDEEP:	3:MsEllllkXl:/M/6
MD5:	259E7ED5FB3C6C90533B963DA5B2FC1B
SHA1:	DF90EABDA434CA50828ABB039B4F80B7F051EC77
SHA-256:	35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
SHA-512:	9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\GPUCache\data_2

Download File

Process:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\GPUCache\data_3

Download File

Process:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\GPUCache\index

Download File

Process:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.400746676417616E-4
Encrypted:	false
SSDEEP:	3:LsNlRu:Ls3k
MD5:	A0481F152FB5F93C0DF3B6A4874F6887
SHA1:	D25248402A4FC747EEDF25630C421C7561363D47
SHA-256:	7BC5EF0FF20E8847D3CFFCC5DB34D6992A2260E8D41B7DEF8947CB9E644865B9
SHA-512:	B1DAB060DF8AC93AE460C5E95EDFB3CDA1F8AF9F2B5E4F90D56A0ACF0F6C0499FDD4A9BA2FAE295A193D682969E2F96AEE50F84F33FB9711CB2717581F196D05
Malicious:	false
Preview:	............................................./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\Ionic.Zip.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	462336
Entropy (8bit):	6.803831500359682
Encrypted:	false
SSDEEP:	6144:leSYvQAd10GtSV41OJDsTDDVUMle6ZjxLV/rHo0Oaaz2R9IY:oJBdBS4msNUCe65frHMnz2R9
MD5:	6DED8FCBF5F1D9E422B327CA51625E24
SHA1:	8A1140CEBC39F6994EEF7E8DE4627FB7B72A2DD9
SHA-256:	3B3E541682E48F3FD2872F85A06278DA2F3E7877EE956DA89B90D732A1EAA0BD
SHA-512:	BDA3A65133B7B1E2765C7D07C7DA5103292B3C4C2F0673640428B3E7E8637B11539F06C330AB5D0BA6E2274BD2DCD2C50312BE6579E75C4008FF5AE7DAE34CE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=N...........!................N#... ...@....@.. ..............................T.....@.................................."..O....@..P....................`......."............................................... ............... ..H............text...T.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................0#......H.......0U..l...........P%.../..P ......................................6..`N.?O...%.C.k_..d...I......5a.......9x......R...gg8...JM...`.[. .o..eE1$_.M.h.q.oz..1..........@....s.c/J..wk.D.....t..&...(.......0..2........r...p(....}.......}"....(........(.........(......r...p(....}.......}"....(........(......0..j.........o....-..s#...+..}......(......(......}.....(....s....}......}......}......(......%-.&r...p}......j(#...rr!..p.{.....{.....B...(....*..0..A........{..

C:\Users\user\AppData\Roaming\Snetchball\Newtonsoft.Json.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	574376
Entropy (8bit):	5.8881470355864725
Encrypted:	false
SSDEEP:	12288:ZzfhypmNGgHA37YyUD1AboTf3xnpJbC8VGSBJjRuz7:ZoI1AbQf3xnpJbC8VLBJjRuz7
MD5:	8F81C9520104B730C25D90A9DD511148
SHA1:	7CF46CB81C3B51965C1F78762840EB5797594778
SHA-256:	F1F01B3474B92D6E1C3D6ADFAE74EE0EA0EBA6E9935565FE2317686D80A2E886
SHA-512:	B4A66389BF06A6611DF47E81B818CC2FCD0A854324A2564A4438866953F148950F59CD4C07C9D40CC3A9043B5CE12B150C8A56CCCDF98D5E3F0225EDF8C516F3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ot............" ..0.............6.... ........... ....................................@....................................O.......................................T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........f...P............................................................(......(....^.(...........%...}....:.(......}....:.(......}......(....:.(......}......{......(......(....:.(......}......{.....(.............}.....(......{.....X.....}......0...........-.~.....~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{E....3...{D......(....,...{D.....{F.......-.....0...........-.r...ps....z.o......-.~.....~....X...+....b..

C:\Users\user\AppData\Roaming\Snetchball\Newtonsoft.Json.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	561424
Entropy (8bit):	4.606896607960262
Encrypted:	false
SSDEEP:	6144:XqqUmk/Rik2rH6dl0/IaHNpOVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QyMYFLse:DUK
MD5:	928ED37DB61C1E98A2831C8C01F6157C
SHA1:	98103C2133EBDA28BE78BFE3E2D81D41924A23EE
SHA-256:	39F6A4DB1BE658D6BAFF643FA05AAE7809139D9665475BFCA10D37DCA3384F21
SHA-512:	F59387BFA914C7DB234161E31AD6075031ACA17AAEF4B8D4F4B95C78C7A6A8D0E64211566CA2FD4549B9DA45231F57A4191FBCD3809404653F86EE2ABD4937A4
Malicious:	false
Preview:	<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Newtonsoft.Json</name>.. </assembly>.. <members>.. <member name="T:Newtonsoft.Json.Bson.BsonObjectId">.. <summary>.. Represents a BSON Oid (object id)... </summary>.. </member>.. <member name="P:Newtonsoft.Json.Bson.BsonObjectId.Value">.. <summary>.. Gets or sets the value of the Oid... </summary>.. <value>The value of the Oid.</value>.. </member>.. <member name="M:Newtonsoft.Json.Bson.BsonObjectId.#ctor(System.Byte[])">.. <summary>.. Initializes a new instance of the <see cref="T:Newtonsoft.Json.Bson.BsonObjectId"/> class... </summary>.. <param name="value">The Oid value.</param>.. </member>.. <member name="T:Newtonsoft.Json.Bson.BsonReader">.. <summary>.. Represents a reader that provides fast, non-cached, forward-only access to s

C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	360960
Entropy (8bit):	5.358170916431781
Encrypted:	false
SSDEEP:	6144:BNhml+X6KbXvpbTZhr/ZUX139gvlaNso:BNhmb8vpbVhrWX1397N
MD5:	A011E4E8E7502FDFCD1C52A98392FF46
SHA1:	7C3296FB62589AA96FD98322AB7F06D08B91D2B8
SHA-256:	609BC8857B533519F685C40D62946FD27C4A4A0A87F8B05A8A5351FCFB7F5213
SHA-512:	4C46F1B72C2CB34F3C1457EDDAB1EE3D4941CC8DFCDD29100F9C37C8F58D157BA0EFE2B6C8E1ACAB575B1D1247B73523F3273CFC4D5BB3B7DDB0BCA5CB813558
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0.............^.... ........@.. ....................................@.....................................O.......0............................................................................ ............... ..H............text........ ...................... ..`.rsrc...0...........................@..@.reloc..............................@..B................@.......H...........h............................................................(....s....Z..(....,...(....(.....(......(......(............~........0..W.......(....".....(......,..o....-...o.....+...(......o....&..(....-...........o......"...BZ.......%..A.......0..Q.......(....(........,..o....-...o.....+...(......o....&.._...(....-...........o...............!. A.......0..V.......(....(......,..o....-.~......o.....+...(....."...B[..o....&..(....-...........o.....*......

C:\Users\user\AppData\Roaming\Snetchball\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	281917
Entropy (8bit):	5.436594887642422
Encrypted:	false
SSDEEP:	3072:7Fi6z/VXzAf3ocSzwC6Y5r/ZUx9hF/arYwJEnvADppaNcuu09g4wLjo8G:7xFSuzNhr/ZUX1UDaN19ghfo8G
MD5:	F099D7DFF9C8071C6C24627AF4F43A27
SHA1:	331D5E363FF99A40A80AF0133168D304927E7578
SHA-256:	AF8BC05BE623F8FE6C423E41F84CA86089068D99EDB33824DA7C7DF39C2AB590
SHA-512:	B70EE204949641F93B4343E49A64D3106E3910E7A32E2C25330AD89FE8243880303CC777FCC79AD708BC589A3643090727D28C4FD2817FCF9CB6B5E030B92165
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8.......................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\Xilium.CefGlue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	875520
Entropy (8bit):	5.621956468920589
Encrypted:	false
SSDEEP:	12288:jsRfnBqqvFXWesd2HiZ9fyn+5FHrvUR1Qnzx7LuQ:jsRITeWAQ5vtu
MD5:	B03C7F6072A0CB1A1D6A92EE7B82705A
SHA1:	6675839C5E266075E7E1812AD8E856A2468274DD
SHA-256:	F561713347544E9D06D30F02A3DFCEC5FE593B38894593AEEDF5700666B35027
SHA-512:	19D6792EB9BA8584B94D0D59E07CE9D1C9C4DA5516490F4ABCE5AE0D7D55B357BDA45B2093B3E9EB9D6858061E9D3F530A6655C4779A50C911501AE23925C566
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..R...........p... ........... ....................................@..................................p..O.......x............................o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc...x............T..............@..@.reloc...............Z..............@..B.................p......H....... .................................................................(......(......(....^.(.......=...%...}....:.(......}....:.(......}....^.(.......>...%...}....:.(......}.....(.............0..,.......(....o.......3......... ....3.(....-.....0..L.......~..... . ..(......(....-..(....r...p( ...,.......&...~....(!...,..("..............+1...........4.......~.....~......(.....~....,..(#...-.(....-..(....+.r...ps$...z(..........b.r...p(%...~.....(....&*.r

C:\Users\user\AppData\Roaming\Snetchball\cef.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1946739
Entropy (8bit):	7.989700491058983
Encrypted:	false
SSDEEP:	49152:fpXzD2VLpS71ycdao6LreGCL/0jJZWOiBiXkbEia9T:xjyFgZ0Lr2/0jJU5BiIEN
MD5:	96AD47D78A70B33158961585D9154ECC
SHA1:	149BF6F6905A76B0CC9E9ACA580357BD6C3497A2
SHA-256:	C861117D1F1DBF02867B46FA87CB8C65C3213D196029EE81A02B617D131236E2
SHA-512:	6A971F742B5754EEF39C6C2C64DB13DFDCB74D8CB23833404E9EF5AD89E142278E5DF789F508DB561C5E957013AE0C60D002CDFA93BCD87CA4967D610DF1579B
Malicious:	false
Preview:	........V...f.....g.7........................!.....%....o8...).>...).F...).H...).X...).a...)i...).k...).q...)Lt...).v...)Tw...).x...).}...).....)I....)i....)....).....).....)L....)....)....)t....).....).....).....)s....).... )....!)....")....#)....$)}...%)+...&)h#..').'..().-..)).>..).A..+).C..,).Q..-)CU...).]..<).d..=).l..>)i...?)G...@)H...A)r...B)....C)z...T)....U)....V)+...W)....X)....Y)....Z)....[)#...\)}...]).!..^)R1.._).2..`).;..a).=..b)mE..c)QG..d).H..e)qL..f).U..g).]..h).b..i))d..j).e..k).g..l)Pi..m).p..n).z..s).z...).....)b....).....)'....).....)....)....).....).....)....).....)s....)F....)j....)....).....)....)....)....)h....)H....)....).....).....)k....).....)L....)q....)2....).....).....).....).....).....)N....)\|....).....).....).....).!...).)...).6...).C...)RE...).L...).N...).O...).U...)bV...).W...).^...)o_...)(g...)Si...).v...).....)0....)/....).....),....)..........F....]....3....v........v...................$... ....!8..."....#....$....%*..

C:\Users\user\AppData\Roaming\Snetchball\cef_100_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	214119
Entropy (8bit):	7.955451054538398
Encrypted:	false
SSDEEP:	6144:m5S+8U5mtp0ra7rFrJzw95T9OHCZg0Gb0OveGe04mExhLY:mWU5OGUFoqoORehrQ
MD5:	391F512173ECEC14EB5CE31299858DE1
SHA1:	3A5A41A190C1FB682F9D9C84F500FF50308617FC
SHA-256:	E0F5C754C969CCA0AC4594A6F3F2C23D080A09EEA992AF29E19F4291FD1E0B06
SHA-512:	44D7B9BCB3544C3F5550150EF3522BF6A0B36900695E6A13E44F5616E16A058548189D4FEA4A22248B1CB2B273B0EAA7D559EB2D8F013BED520E4097BD45D800
Malicious:	false
Preview:	........................#.b...&.....:.g....7.....7.....7.....7\|(...7.-...7t5...7.6...7.9...7s:...7hB...7.E...7.G...7.K...7qN...7.Q...7yR...7.S...7.W...7.\...7.b...7.i...7.k...76m...7Vq...7.r...7.v...7.y...7.{...7.~...7Z....75....7;....7W....7.....7c....7u....7b....7.....7.....7.....7Q....7*....7\....8."...8,)..<FqG..=F7I..>F.L..?F$O..@F.P..AFaQ..BFnT..CF.W..DF.Y..EFJ\..FF.^..MF(b..NF.c..QF.e..RF.f..YFZg..ZF.p..[F.x..\F.{..]F.{...L.\|...L.....L....Ni....N.....NJ....N2....N+....N^....No....N9....NK....N....N1....N$....N....Nh....N.....N.....U.....U.....U.....U.....U.....U[....U.&...Uh(...U?/...U.4...U.:...U.@...U.B...U,G...U.K...U)N...U.R...UF\...U.`...U.b...U.j...U]s...UEt...U.u...U.w...U.z...Uh{...U.}...U#....U.....U^....U.....U\|....U.....U.....U.....U.....U.....U.....U.....U.....U.....U]....U?....U.....U9....U....U.....Um....U<....U!....U.....U.....U....Uq....U3....U!....U.....U....U.....Uu....UJ....U.....U.....U.....U.....U`....U'....U.....U.....Ul....U%....U7....U.....U.....UW.

C:\Users\user\AppData\Roaming\Snetchball\cef_200_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	290001
Entropy (8bit):	7.9670215100557735
Encrypted:	false
SSDEEP:	6144:tS+8U5mtp0ra7rFriDQYaF+9bQHgs4jTlmOHCZVWGMRe8InVXYopym74:CU5OGUFrfs4gs4jTQ6ebVIo374
MD5:	BF59A047984EAFC79E40B0011ED4116D
SHA1:	DF747125F31F3FF7E3DFE5849F701C3483B32C5E
SHA-256:	CD9BE67AA0527F16E309189FA2369E1A2596D0601A7D55C405F8A619F4D095E9
SHA-512:	85A545758E8C89EF47BF11B553C57D23ED7DA6AE89A8BCCB262F509AABE61A1121C3F87EC9200791F2670225BAEECC3C92AED6AFDA86C08CA0FD611DA2E595D2
Malicious:	false
Preview:	........................#.....&.....:......7.....7.....7.....7.+...7.1...7.8...7.9...7)<...7.=...7xE...7.H...7.J...7'N...7.Q...7.T...7.U...7.W...7.Z...7._...7.e...7.l...7.n...7Fp...7ft...7.v...7)y...7.\|...7.~...7.....7j....7E....7K....7g....7.....7s....7.....7r....7.....7.....7.....7a....7:....7l"...8.%...8<,..<F.J..=F.N..>FtV..?F9\..@Fw_..AFr`..BF0g..CFll..DF\|o..EF.v..FF){..MF....NF...QFf...RF....YF`...ZF...[F....\F....]F....L....L.....L.....N.....N.....N.....N.....N.....N.....N.#...N.&...N.'...N.)...N....N.+...Nv,...N.-...N;r...N.\|...Um....U.....UM....UV....U.....U....UC....U.....U....UM....U.....U.....Um....U.....U.....U.....U.....UQ....U.....U7....U.....U.....Uk....U.....U.....U.....U.....U.....U.....U.....U.....U.....U{....U.....U.....U.....U~&...U.)...U.Q...U.Q...U.V...U.[...U.\...U._...U.`...U?a...U.a...Uic...U.d...U\f...U.g...U.i...U1l...U.p...U.u...U.}...U.....U.....U^....U.....U.....Ux....U....U.....Uy....U6....U.....U....UR....Uq....U.....U.....U_....U.....U.....U..

C:\Users\user\AppData\Roaming\Snetchball\cef_extensions.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1305142
Entropy (8bit):	7.99463351416358
Encrypted:	true
SSDEEP:	24576:8AkckSbnVLjWG13xdT0b+SLzRYt2k+lbG9EjJNH/osm22O+EcRfPLP:88zVXWG1hdAKSxY4k5EFNHgvPPLP
MD5:	20DDA02AF522924E45223D7262D0E1ED
SHA1:	378E88033A7083AAC24E6CD2144F7BC706F00837
SHA-256:	8448C2BA10A3D7DC8CA3FB24F580BF99D91F746107B1A06E74932749CC1CAB01
SHA-512:	E71320B2AA0CB52938206EC00187D78274646C4C7D3579B33A0163262C063B7813FE7ACD0D2E5807082ADE772069AA577FED7F594964790C2F7C061CE38467B6
Malicious:	false
Preview:	........i...f+....i+....l+....m+{...n+q...o+7(..p+.1..q+X3..r+~5..s+aI..t+.]..u+.f..v+Ui..w+'k..x+.l..y+.q..z+.s..{+O{..\|+...}+=...~+.....+....+-....+.....+.....+.....+.....+.....+.....+.....+.....+.....+%....+.....+&(...+.Q...+.Y...+Xe...+Bj...+cv...+.}...+....+H....+....+Q....+l....+I....+.....+ ....+T....+!....+m....+.....+.....+U....+.....+.....+.....+l....+~....+.....+=....+w....+.....+-"...+.(...+.0...+.2...+.4...+.G...+uS...+.....+9....+y....+.....+.....+N....+....+0....+.....+.....+.....+_....+.....+.....+.....+.....+.....+.....+.....+.....+S....7`....7R...(7/...)7.....L.m...LO....L.....Mk....M.....M.....M>....M.....M.....Mq....M.....M.....M\....M.....M.....M.....M.....M.....M.....M.....M.....M.....MO....M.....M.....M.!...M.(...Mf5...M.;...M&E...M.P...M.T...M<]...M.`...M.j.. M.k..!M2v.."M.w..#M.z..$M....%M...&M...'M#...(M@...)M....*M(...+MY...,Mu...-M$....M..../MV...0M;...1Mx...2M....3M....4Mi...5M....6M....7MP...8M"...DM....EM.....Mi....M.~...M.~...Mb....M_....M....M.

C:\Users\user\AppData\Roaming\Snetchball\cef_sandbox.lib

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	87182312
Entropy (8bit):	5.477474753748716
Encrypted:	false
SSDEEP:	196608:v0b1XAJ5V8XYcrfCNJsTtU0ZhdYHbgMnn6d25JOcLRiLnIrBcnK0EAeg1GF:78JaNJyZhdE6383rWEAR8
MD5:	FFD456A85E341D430AFA0C07C1068538
SHA1:	59394310B45F7B2B2882D55ADD9310C692C7144F
SHA-256:	F188B96639B5157E64222BB8483D76CD21A99141FC2614EF275E20639C739264
SHA-512:	EB4CB388383CB37B1D89531D560169985A80DF9335F005AFBBFDE56F9031821A933D735138B1086CF81D006E480FF14711A8A95B3DB8A0FD4037AA6EFD926B50
Malicious:	false
Preview:	!<arch>./ 1696073295 0 1940897 `...Y..:.t.:.>.:...:...:...:...:...;/..;/..;/..;/..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..@...@...@...@...@...A...A...A...A...A...A...A...A...A...A...A...A...Co..Co..Co..Co..Co..Co..Co..Co..Co..Co..E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...G..G..G..G..G..G..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=.

C:\Users\user\AppData\Roaming\Snetchball\chrome_100_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	656926
Entropy (8bit):	7.964275415195004
Encrypted:	false
SSDEEP:	12288:fI3Hdjzgsz5B0GDJQrnKs8SNP+QSsSilRBdNze0Vc+gIXgt4z8oO0TehEr7:g397zEEmPLSOdNze05gUgmz8oO0TOW
MD5:	3404DD2B0E63D9418F755430336C7164
SHA1:	0D7D8540FDC056BB741D9BAF2DC7A931C517C471
SHA-256:	0D3FCA7584613EB1A38BAF971A7DD94F70803FC130135885EC675E83D16A4889
SHA-512:	685D63633DB8A57D84225C2B92C92016E1CE98BA2BF8D3DDACE2EB120B3BCF84C718787D59DB6EC61F34CF91CB651500B4E4FF0AC37AEB89561CDCC586946C80
Malicious:	false
Preview:	..........+...........................&..........;.....;N....;.....;"....;.....;.....;N....;.....;.....;s....;....;.....;.....;....;4....;.....;.....;0....;.....;c....;7....;.....;.....;.....;.....;?....;:....;G....;.....;n....;x....;.....;.....;.....;#....;.....;.....;B....;.....;.....;.....;N....;.....;.....;+....;.....;% ...;c!...;.!...;."...;E+...;t4...;qH...;I\...;.]...;.^...;>a...;.c...;.g...;.o...;pw...;.\|...;h....;.....;.....;....;.....;....;o....;.....;.....;.....;....;y....;.....;.....;3....;9....;h....;.....;.....;.....;F....;."...;.+...;.0...;.8...;?:...;'X...;.q...;.....;....;.....;t....;.....;.....;.....;./...;.X...; m...;....;.....;.....;.....;+....;.....<O....<.....<.....<=....<2$...<y+...<.3...<.<...<aA...<.L...<.W...<.[...<._...<.d...<Dv...<t....<!....<....<....<.....<.....<.....<V....<.....<.#...<.8...<\|F...<hP...<bW.. <i^..!<ts.."<(...#<{...)<`...<c...+<d...,<"...;<x...<<k...=<....><-...?<....@<....A<'...B<g...C<....D<U...E<....F<....G<....J<....K<....L<v%

C:\Users\user\AppData\Roaming\Snetchball\chrome_200_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1017158
Entropy (8bit):	7.951759131641406
Encrypted:	false
SSDEEP:	24576:m3Tl5zLmmibkFR8+mZRUumegvQtc05UwvdAbatzk6edhOLoe9:m3Tl53mNbkFRJmHURhQW05JvdlzkjrOH
MD5:	3FBF52922588A52245DC927BCC36DBB3
SHA1:	EF3C463C707A919876BF17C3E1CD05C0D2C28CA9
SHA-256:	C6FE346106C5E4950161ED72EB0A81FE3537A94E4A59461AAF54E750D1904F76
SHA-512:	682EB6D61B564C878FDB971A6439FCDA9F1E108BD021A32E8990B68B1338986A4866A0965DEA62567501C8826D43CEBF2B7C8BE8323DE415A75E8D89A9D592E7
Malicious:	false
Preview:	..........+.....................b................;.....;&....;.....;.....;.....;.....;b....;....;8....;.....;.....;o....;....;<....;.....;.....;l....;....;/....;.....;[....;Q....;.....;j....;.....;.....;L'...;.E...;lZ...;.o...;.q...;.r...;.s...;.{...;.{...;.~...;"....;.....;U....;.....;.....;.....;....;d....;.....;.....;i....;.....;f....;....;0....;.....;.....;.(...;+...;.+...;A....;54...;.9...;,O...;.`...;.n...;.~...;.....;.....;M....;....;;....;q....;Z....;.....;.....;.-...;\=...;.P...;.d...;@\|...;.....;Y....;#....;_....;/....;.....;.#...;.;...;.J...;gc...;cf...;W....;....;W....;.....;.....;.....;7....;.-...;.I...;Y\...;W....;....;.....;S....;.....;t....;.....;.....<W....<.&...<9<...<iG...<jQ...<.X...</a...<gi...<.n...<Pz...<.....<f....<.....<I....<.....<.....<.....<4C...<4d...<....<....<.....<.....<.....<D8...<.e...<_....<....<.... <I...!<...."<.E..#<.E..)<.G..<%j..+<N...,<....;<....<<v...=<....><....?<....@<y...A<....B<....C<....D<....E<"F..F<.J..G<.O..J<.X..K<.e..L<.r

C:\Users\user\AppData\Roaming\Snetchball\chrome_elf.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1174528
Entropy (8bit):	6.475826085865088
Encrypted:	false
SSDEEP:	24576:I3lp87thPKuxyj+tWF8lCwOvzr90p5OM3:FauY+tWF8b5OM3
MD5:	207AC4BE98A6A5A72BE027E0A9904462
SHA1:	D58D2C70EA0656D81C627D424F8F4EFCCEF57C86
SHA-256:	2BA904DA93ACC4766639E7018AC93CC32AA685DB475F3A59B464C6BC8B981457
SHA-512:	BFB6C58774829DB3D5FADC92CB51477FF4EAC8FB934DB6583A312BB1157468F6DD3A4A3AFAF25A687B74890DC8A69857A12D0B38B18D83E82836E92E02046FF3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....v...p......P.....................................................@A........................vT......AX..<.......x...........................<<.......................;......(...............<[.......O.......................text....u.......v.................. ..`.rdata..\............z..............@..@.data...H...........................@....00cfg...............F..............@..@.crthunk.............H..............@..@.tls.................J..............@...CPADinfo(............L..............@...malloc_h.............N.............. ..`.rsrc...x............P..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\d3dcompiler_43.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2106216
Entropy (8bit):	6.4563314852745375
Encrypted:	false
SSDEEP:	49152:DpX9JVeE9HP6Zpy9KyhMI50Du8LljslNsHSHFUq9OiapbbO5Akb:H3P9HP6Zpy9KyhMI50Du8LljslNsyHiS
MD5:	1C9B45E87528B8BB8CFA884EA0099A85
SHA1:	98BE17E1D324790A5B206E1EA1CC4E64FBE21240
SHA-256:	2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
SHA-512:	B76D780810E8617B80331B4AD56E9C753652AF2E55B66795F7A7D67D6AFCEC5EF00D120D9B2C64126309076D8169239A721AE8B34784B639B3A3E2BF50D6EE34
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.h...;...;...;..];...;...;...;.._;...;..h;0..;..i;'..;..X;...;..l;D..;?M.;...;..Y;...;..^;...;Rich...;........PE..L...92.K...........!.........d...............................................p .....O. ...@.........................@.......@...P..................... .h............................................i..@............................................text...S........................... ..`.data....~.......B..................@....rsrc................(..............@..@.reloc..D............,..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\d3dcompiler_47.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4127200
Entropy (8bit):	6.577665867424953
Encrypted:	false
SSDEEP:	49152:OS7PQ+besnXqRtHKzhwSsz6Ku1FVVOsLQuouM0MeAD36FqxLfeIgSNwLTzHiU2Ir:O4PhqqFVUsLQl6FqVCLTzHxJIMd
MD5:	3B4647BCB9FEB591C2C05D1A606ED988
SHA1:	B42C59F96FB069FD49009DFD94550A7764E6C97C
SHA-256:	35773C397036B368C1E75D4E0D62C36D98139EBE74E42C1FF7BE71C6B5A19FD7
SHA-512:	00CD443B36F53985212AC43B44F56C18BF70E25119BBF9C59D05E2358FF45254B957F1EC63FC70FB57B1726FD8F76CCFAD8103C67454B817A4F183F9122E3F50
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!7P.OdP.OdP.Od..NeR.OdP.Nd..OdY..dU.Od.Jem.Od.KeQ.Od...dQ.Od..Leo.Od..Je..Od..OeQ.Od..Ge..Od..Kec.Od...dQ.Od..MeQ.OdRichP.Od................PE..L..................!.....2<..*...............P<...............................?.......?...@A.........................<<.u.....=.P.....=.@.............>..%....=.........T....................u..........@.............=..............................text...e0<......2<................. ..`.data...`"...P<......6<.............@....idata........=.......<.............@..@.rsrc...@.....=.......<.............@..@.reloc........=.......<.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\devtools_resources.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	2205743
Entropy (8bit):	7.923318114432295
Encrypted:	false
SSDEEP:	49152:qHlbrhXKMVp/DVegxF2Xe1WFG4F3KMWB7rwz3yY+23:qFnhXKwggr0cWEgaMi7rwrw23
MD5:	54D4E14BFF05C268248CAB2EEDFB61DD
SHA1:	33AF472176F6E5FB821FFE23C9FBCCC7C735B5B9
SHA-256:	2CAC401BFFA9FD4DFFE11E05EE18FC5CA7A30EC5BF7EF6A3EA8518A4F3344790
SHA-512:	5A6893E7EA30EAA0EFF44687B0D15366A8224E476E4AE8FE0D5C7EF2B3C62E6B0184F73EAD36C4E4E08D6936524CEF8429660B3EC29453EED128E3C5368CE78C
Malicious:	false
Preview:	........K....[.....[.....[.....[Y....[.....[.....[.....[.....[P ...[.!...[."...[.#...[.$...[.%...[.%...[T&...[0'...[/(...[.(...[.(...[....[.+...[{,...[1-...[.-...[3....[b/...[.0...[.1...[.2...[.3...[,4...[.4...[P5...[.5...[#6...[!8...[.8...[.9...[.9...[::...[q;...[Y=...[.=...[ ?...[.@...[0A...[iB...[?D...[.E...[pE...[UF...[.G...[.H...[)I...[.I...[.M...[.M...[DN...[.N...[FO...[.O...[.Q...[oV...[uW...[cX...[[\...[.]...[Ea...[bc...[.c...[ d...[.d...[oe...[.f...[.h...[.i...[Xj...[.k...[.l...[An...[.o...[.p...[.....[....[.....[.....[.....[.....[[!...[.%...[d....[x1...[.4...[.4...[.9...[.C...[.Q...[KS...[#V...[=]...\.b...\.z...\Q}...\.....\.....\....\`....\.^...\7b...\uy...\g....\.....\.....\=....\....\....\....\'....\.....\....\.... \....!\...."\....$\....%\....&\....)\....\....+\.Q..,\.S..-\.U...\..../\w...0\....1\8...2\....3\....4\....5\....6\....7\.T..8\.z..9\6...:\....;\c...<\)&..=\...>\>5..?\JU..@\.r..A\....B\9...C\....D\S...E\....F\\y..G\Y...H\%...I\....J\M...K\.a..L\.j..M\.n

C:\Users\user\AppData\Roaming\Snetchball\icudtl.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	10717392
Entropy (8bit):	6.282534560973548
Encrypted:	false
SSDEEP:	196608:hpgPBhORiuQwCliXUxbblHa93Whli6Z86WOH:n8wkDliXUxbblHa93Whli6Z8I
MD5:	E0F1AD85C0933ECCE2E003A2C59AE726
SHA1:	A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
SHA-256:	F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
SHA-512:	714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
Malicious:	false
Preview:	...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW..K..P...L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..

C:\Users\user\AppData\Roaming\Snetchball\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	377856
Entropy (8bit):	6.602916265542373
Encrypted:	false
SSDEEP:	6144:oJ4tr7XVkL/2qBCOeRMIKVpqtXmzKwdo23zqyU73omBT095OiZH:2NfBCOeR/KVpqtio23zqyOsOo
MD5:	8BC03B20348D4FEBE6AEDAA32AFBBF47
SHA1:	B1843C83808D9C8FBA32181CD3A033C66648C685
SHA-256:	CBEE7AC19C7DCCCA15581BD5C6AD037A35820DDFE7C64E50792292F3F2E391E6
SHA-512:	3F9EEC2C75D2A2684C5B278A47FB0E78B57F4F11591FAC4F61DE929F716BBAA8F7DF05E10390408AD6628538611541548C26869822372E9C38D2C9C43881651E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....`...`............................................... ............@A........................8,..h....:..(.......x........................>..........................D........p..............(<..`............................text....^.......`.................. ..`.rdata..L....p.......d..............@..@.data....4...p.......`..............@....00cfg...............\|..............@..@.tls.................~..............@....rsrc...x...........................@..@.reloc...>.......>..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6635008
Entropy (8bit):	6.832077162910607
Encrypted:	false
SSDEEP:	196608:HrmMLEFtac5bM68f8Oi3WjH13GzSW3430aTwQCe:a+ktad68f8Oi3oH13GztokaTwbe
MD5:	63988D35D7AB96823B5403BE3C110F7F
SHA1:	8CC4D3F4D2F1A2285535706961A26D02595AF55C
SHA-256:	E03606B05EEAED4D567EA0412350721C0D566B3096B18C23BD0B3FCDE239E45A
SHA-512:	D5F5ACA00BE9E875FCD61531CC7F04F520FB12999E36E4FE06BEAAE491B47D2E9FE182015DB1CBFBB8E78CF679F2EB49E20ECDF1B16D1D42058D6F2D91BC3359
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!......L...........@.......................................e...........@A.........................].......^.d.....a.......................a.."...U]......................T].....X.L.............H.^.@.....].@....................text.....L.......L................. ..`.rdata...I....L..J....L.............@..@.data...X....._.......^.............@....00cfg........a.......a.............@..@.tls..........a.......a.............@....rsrc.........a.......a.............@..@.reloc..."....a..$....a.............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\libcef.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	176517632
Entropy (8bit):	7.025874989859836
Encrypted:	false
SSDEEP:	1572864:VSuR7JVHywK/Sf1rWID4Pu2v8zgguHWJEqM90Hw4DclJkBLrWXmfnehuWNIPKtlL:MCYRNIPKYTFBhfmOS9KBaVz
MD5:	F5259CC7721CA2BCC8AC97B76B1D3C7A
SHA1:	C2FC0C8396D8CD6764809A2A592972E2EBCA64BA
SHA-256:	3FE6A262EF01CB8FD4DC2D4373DE0F1F0A89EE51953452ED4557CB55F1DA9AB4
SHA-512:	2D01B1F2B24717EFF37965BBC32D167434A65F3DFFF74342D2E2FA8FBB0E97C3F61FDF673A13AD63031D630D9CE46A6F9F0C4F89EBD30C31F3EA55817B9D1331
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.........N.......k....................................................@A........................#..........h....0J.(C....................L.\|.\.P................................?..............`.......LY..@....................text............................... ..`.rdata...%2..0...&2.................@..@.data...dr+..`.......>..............@....00cfg........I.......&.............@..@.rodata.@.....I.......&............. ..`.tls..........J.......&.............@...CPADinfo(.....J.......&.............@...malloc_h..... J.......&............. ..`.rsrc...(C...0J..D....&.............@..@.reloc..\|.\...L..0\..B).............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\libcef.lib

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	40258
Entropy (8bit):	4.547436244061504
Encrypted:	false
SSDEEP:
MD5:	310744A0E10BD9C2C6F50C525E4447F9
SHA1:	9BA62D6AC2CB8EFF46C9B21051677FC1DC66D718
SHA-256:	E9C55CFF925E26812139CDCAD6612E0D69E317CB7BB1435C9EB5113D338ACCE7
SHA-512:	6DF9E3F9AFD7CDEC750B006987E5AEC445E163DD0B9CF1A9EA53F78DB2EE5FD654E3B4F82BCA3E1F4BEDB189F5DFA51189C820905676AD048DBE2E0AD405BF5B
Malicious:	false
Preview:	!<arch>./ 0 0 0 0 14390 `.......8z..:&..:...;...;...<&..<&..<...<...=...=...=...=...>...>...>...>...>...>...?f..?f..?...?...@B..@B..@...@...A$..A$..A...A...B"..B"..B...B...C...C...C...C...D...D...D...D...D...D...E...E...E...E...Fn..Fn..F...F...GZ..GZ..G...G...HJ..HJ..H...H...I$..I$..I...I...J...J...J...J...K ..K ..K...K...L...L...L...L...M...M...M...M...N...N...N\|..N\|..N...N...Od..Od..O...O...P`..P`..P...P...QP..QP..Q...Q...RT..RT..R...R...S@..S@..S...S...T...T...T...T...U...U...Un..Un..U...U...VP..VP..V...V...W,..W,..W...W...X...X...X...X...X...X...Y\..Y\..Y...Y...ZB..ZB..Z...Z...[,..[,..[...[...\...\...\...\...\...\...]b..]b..]...]...^N..^N..^...^..._6.._6.._..._...`$..`$..`...`...a...a...a...a...b...b...b...b...c...c...c...c...c...c...dj..dj..d...d...e^..e^..e...e...fV..fV..f...f...g8..g8..g...g...h..h..h...h...i"..i"..i...i...j...j...j...j...k...k...k...k...l...l...l...l...l...l...mh..mh..m...m...nN..nN..n...n...o2..o2..o...o...p...p...p.

C:\Users\user\AppData\Roaming\Snetchball\locales\af.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	470498
Entropy (8bit):	5.409080468053459
Encrypted:	false
SSDEEP:
MD5:	64F46DC20A140F2FA3D4677E7CD85DD1
SHA1:	5A4102E3E34C1360F833507A48E61DFD31707377
SHA-256:	BA5CA0A98E873799A20FD0DF39FDB55AAB140E3CC6021E0B597C04CCE534246D
SHA-512:	F7D789427316595764C99B00AF0EF1861204F74B33F9FAB0450F670CB56290C92BFB06EF7D1D3B3BF0B6ACDC6295E77F842C49579BD9973E3D5805920CDB2527
Malicious:	false
Preview:	........$$..e.>...h.F...i.N...j.Z...k.i...l.t...n.\|...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.........................&...........5.....<.....C.....D.....E.....J.....W.....f.....w.................x.................A.......................S.........................................%.....{.......................V.......................J.......................Y.......................e.......................a.......................l...................................O.....f.......................).....z.......................6.....u.......................Q.......................E.....w.................!.....I.....R.............................l.......................f.................+.............................f.......................D.......................<......................._.......................2.....~.................2.....v.................X...........$.....8.................P.....r...........6.....j.....}.................1.....?...................

C:\Users\user\AppData\Roaming\Snetchball\locales\am.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	763010
Entropy (8bit):	4.909167677028143
Encrypted:	false
SSDEEP:
MD5:	3B0D0F3EC195A0796A6E2FAB0C282BFB
SHA1:	6FCFCD102DE06A0095584A0186BD307AA49E49BD
SHA-256:	F9F620F599BC00E84A9826948C3DA985AC9ADB7A6FFB4C6E4FBEFEAF6A94CF85
SHA-512:	CA9217F22C52EF44E4F25142D1AD5DD9D16E4CCC3B6641609E1F4C2650944E35BA4CAB59CA5CD9EA6FEFD6BE1D3E8227FC0E3E6BDEDD14B059CA2C72D096D836
Malicious:	false
Preview:	........>${.e.r...h.z...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.(...\|.....}.@.....H.....M.....U.....].....e.....l.....s.....z.....{.....\|...............................................F.....f.....'...........V...........Y.............................5.................F.................!.................d.....z...............................................C...........\.................z...........h...........3...........$.....C.................e.................i.................,.......................X.............................h.......................!.....\|...........$.............................1.....}.........................................Z.................\|...........'.....N...........F.................;.............................G.................v............ ....4 ..... ....X!.....!.....!....x"....."....Z#.....#....M$.....%.....%.....%.....&....+'.....'.....'.....(....D).....).....)....2....................+....",.....,

C:\Users\user\AppData\Roaming\Snetchball\locales\ar.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	838413
Entropy (8bit):	4.920788245468804
Encrypted:	false
SSDEEP:
MD5:	C70B71B05A8CA5B8243C951B96D67453
SHA1:	DEED73A89F0B3EDAB8FF74117CC6B31CB4F426E8
SHA-256:	5E0D4BC0893A334B6FFF610F66E4A00920530D73EC3257EB9D37A96EBD555C13
SHA-512:	E000FD3592AC5FE700C4CE117868915C066AC66D5954A1DE4F5AFF0F4559C93F7DFF47623F1837CE827FFF94E91ECD89A974037BE9CCCC8E672E229A1E8115E9
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.!...n.)...o.....p.;...q.A...r.M...s.^...t.g...v.\|...w.....y.....z.....\|.....}.........................................................................-.....d.................n...........A...........u.......................O.......................D.................Y...........3.....J...........=.....g.....~.....&.................O.......................B.....!...........u...........5...........).....W.................3.....N.....U.....B...........!.........../.....Y........... .......................g...........).....I.................#.....A...........@.................6........... .....D...........I.................%.............................=.................?...................................G...................................).....t............ ..... ..... ..... ....o!.....!....6"....\"....."....S#.....#.....#.....$.....%....V&.....&....5'.....'.....(....J(.....(....X).....).....).........z..............t+.....,....{,.....,....--

C:\Users\user\AppData\Roaming\Snetchball\locales\bg.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	869469
Entropy (8bit):	4.677916300869337
Encrypted:	false
SSDEEP:
MD5:	12A9400F521EC1D3975257B2061F5790
SHA1:	100EA691E0C53B240C72EAEC15C84A686E808067
SHA-256:	B7FD85B33B69D7B50F6C3FDC4D48070E8D853C255F2711EEDAA40D1BA835F993
SHA-512:	31EAA1CBF13BC711750B257C6B75813ACC8E4E04E9262815E399A88B96BA7B5BE64CE2450638B5521D5CB36750C64848944168C3234D2CE15A7E3E844A1E1667
Malicious:	false
Preview:	........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}................... .....(.....0.....7.....>.....E.....F.....G.....L.....n...................................I...........Q...........q.......................T.................E.......................7.....~...........<.................:.....&...........F.................X...........$.................Z...........X...........m.................C.........................................{...........:.....a...................................8................._...........O.....}...................................$.....h.........................................2.............................3 ....e .....!.....!.....!.....".....".....#....W#.....#....{$....-%.....%.....%.....&....k'.....'....T(.....).....).....).....).....*....`+.....+.....+.....,....p-.....-....&....../...../.....0.....0.....1....o2.....2....73.....4.....4.....4....-5.....5....X6.....6.....6.....7.....8.....9

C:\Users\user\AppData\Roaming\Snetchball\locales\bn.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1118348
Entropy (8bit):	4.2989199535081895
Encrypted:	false
SSDEEP:
MD5:	89A24AF99D5592AB8964B701F13E1706
SHA1:	2177122C6DCC20E1D07EF43AF5A112E8E5C6B95B
SHA-256:	5BDBBCD0D07B6AE3A7F96F07871EE541F4111D90D73FD6E112C5ABE040025C96
SHA-512:	60F6CD73BF35886EF54FA6200F86BCED78DD11F612C8071F63EB31108F109C166D45609879E8E5107024A025BAFCFCF1C80051B6D8FF650D92DCF17136384EB1
Malicious:	false
Preview:	........($..e.F...h.N...i._...j.k...k.z...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.......#.....(.....0.....8.....=.....E.....L.....S.....Z.....[.....\.....a.............................=.....G...........?.....4...........................................................B.....}.....>...........k...........X...........].............................q.....W...................................W...........S...........e.............................I.....m.....e..........._.....(.................9...........q.................p...........5.....X.....8...........Q...........M...........I.....u.....-...........!.....G............ ..... ..... .....!....P".....".....".....#.....%.....%.....&.....'.....'....^(.....(....;).....).........6.....+.....+....1,....],....E-................-/...../....x0.....0.....0.....1.....2.....2.....3...."4.....4....x5.....5.....6....78....*9....]9.....:.....;....;<.....<.....=....?>.....>.....>.....?....y@.....@.... A....&B.....B

C:\Users\user\AppData\Roaming\Snetchball\locales\ca.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	537139
Entropy (8bit):	5.397688491907634
Encrypted:	false
SSDEEP:
MD5:	37B54705BD9620E69E7E9305CDFAC7AB
SHA1:	D9059289D5A4CAB287F1F877470605ED6BBDA2C8
SHA-256:	98B2B599C57675EFC1456B38B23CE5657B142E0547F89AB1530870652C8EB4BA
SHA-512:	42D667FEB59BB5FA619AC43DC94629ED1157CBE602643FB21378A2C524EF1F6E32098E7C62D3F3DE35D9FEDEF6607FE034908601AE3C49156CD0916E2514D2F9
Malicious:	false
Preview:	........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}................... .....(.....0.....7.....>.....E.....F.....G.....I.....c.....\|................._...........[.....z...........O.................D...........(.....G.................B....._.................A.....T.................8.....I...........3.....u...........(.......................p.................,.......................1.................T.....o.............................v.......................b.......................@.......................@.......................O.......................<.............................`.......................P.........................................M.......................H......................._.........................................n.......................Q.......................[.............................1.................>.........................................6.............................\|...........".....>.

C:\Users\user\AppData\Roaming\Snetchball\locales\cs.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	545011
Entropy (8bit):	5.844949195905198
Encrypted:	false
SSDEEP:
MD5:	65A2C2A73232AB1073E44E0FB6310A5F
SHA1:	F3158AA527538819C93F57E2C778198A94416C98
SHA-256:	E9A1610AFFCA9F69CD651C8D2EDD71B5A0F82CB3910A8A9D783F68E701DB5BB0
SHA-512:	20ED527F3BBBA2CECE03D7B251B19D6DCC9D345B5425291D8139FCDD5646EC34D585891160CC4BD96C668D18FFFFDD56F4D159880CFC0D538749F429F7F65512
Malicious:	false
Preview:	.........$..e.....h.&...i.....j.:...k.I...l.T...n.\...o.a...p.n...q.t...r.....s.....t.....v.....w.....y.....z.....\|.....}.................................................#.....$.....%.....'.....7.....I.....[.....p.............................\|.................%...........(.........................................3......................./.......................2.......................z...........I.....k...........R.......................v................./.......................z...........=.....W.................&.....=....................... .....o.......................^.......................r.......................m.......................b.......................z.................0...........%.....i.......................3.....G.......................(.......................1.................R................./.....J.....^...........A.....q.................`.................,...................................V.....w...........Z.......................O.....t.................b.......

C:\Users\user\AppData\Roaming\Snetchball\locales\da.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	496165
Entropy (8bit):	5.446061543230436
Encrypted:	false
SSDEEP:
MD5:	A44EC6AAA456A6129FD820CA75E968BE
SHA1:	9B5B17AFD57ADB8513D2DA9A72223E8A003975A5
SHA-256:	F01F9C3E4E6204425F2969F77BF6241D1111CE86CDD169BDF27E5D2D4B86C91A
SHA-512:	947DB81EA64009CC301CD2DCE06384202E56446F6D75E62390334B91D09B564CB0681E06BF7A945033BD6C28C2171346A91EE16693262C4E373A31B51AD42A9E
Malicious:	false
Preview:	........,$..e.N...h.V...i.g...j.s...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}."........../.....7.....?.....G.....N.....U.....\.....].....^.....`.....n.....~.........................................Q..................................q.................].......................P.....w.................8.....b.....p...........9.....h.................n.................7.......................^............................. .....p...................................q.......................X.......................1...............................................".............................{.......................Z.......................C.....p.....~...........y.................4.............................l.......................I.....f.....v...........^.................................................................F.......................B...................................O.....~...........J.....z.................$.....@.....M.................F.

C:\Users\user\AppData\Roaming\Snetchball\locales\de.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	534726
Entropy (8bit):	5.49306456316532
Encrypted:	false
SSDEEP:
MD5:	49CA708EBB7A4913C36F7461F094886B
SHA1:	13A6B5E8DC8B4DF7A976A0859684DC0AA70F1B12
SHA-256:	8AE7D6B77C51A4FE67459860ABDAE463F10766FAF2BA54F2BB85FD9E859D2324
SHA-512:	6908F96BFDF7499B33E76697AA96103E89ACB3E25EDBD6156B610564AF14D4ED474C547A760503490B6327A801478E223039836BEEF2B938AF76827A15C0F751
Malicious:	false
Preview:	.........#..e.~...h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.%...y.+...z.:...\|.@...}.R.....Z....._.....g.....o.....w.....~.................................................................X.................E...................................^.....x...........n................./.......................Z...................................U.....w.............................h...........&.....7...........9.....w........... ................. ..........._.................D.......................U.......................h...................................a.....x...........f.........................................F.......................u...........).....;...........j.................A.......................;.......................9.......................t...........,.....`...........-.....K.....b...........G.....s.................}.................T...........,.....6...........S................./.......................K.......................t...........*.

C:\Users\user\AppData\Roaming\Snetchball\locales\el.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	950999
Entropy (8bit):	4.76377388695373
Encrypted:	false
SSDEEP:
MD5:	9CBC320E39CFF7C29F61BD367C0BF3BB
SHA1:	2AF07EFFF54A0CF916CF1C0A657F7B7ADF2029FF
SHA-256:	E8837DEFA908EB2FD8B4EB6344412C93403A4258F75EC63A69547EB06A8E53B3
SHA-512:	F7D84185F4520E7AAF3F3CACF38B53E9638BB7D5023FA244020EC8D141FFD5C10B198FF089824D69671FE8350F931B0BB19B6CAF14AF47B0838953367A146DD0
Malicious:	false
Preview:	........)$..e.H...h.P...i.X...j.b...k.q...l.\|...n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...................&...........6.....=.....D.....K.....L.....M.....O.....v.......................5...................................V.................h...........F.....i...........~...........{...........a...........'.................&.......................M.....U.....O............................./.....J.....1..........._...........{.....6................. .............................g.......................<.................J...........8.....t.....O.....).......................U............................................................ ..... .....!.....!.....".....#.....$.....$.....$.....%....\|&.....&.....'.....'....;(....t(.....(....M).....)....;....h....U+.....,.....,.....,.....-....8.....t...........f/....(0.....0.....0.....1....S2.....2.....3....64....Q5.....6....@6....A7....(8.....8.....8.....9.....:....o;.....;....[<....%=.....=.....=.....>.....?....6@

C:\Users\user\AppData\Roaming\Snetchball\locales\en-GB.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	430665
Entropy (8bit):	5.517246002357965
Encrypted:	false
SSDEEP:
MD5:	0F1E2BC597771A8DB11D1D3AC59B84F3
SHA1:	C1F782C550AC733852C6BED9AD62AB79FC004049
SHA-256:	E4798E5FF84069C3BFD7D64734CCD9FF5C8A606315B44A714ACDCABDDAF3CA6E
SHA-512:	07E9B98357C880995576059AD4E91E0F145DC0F2FFF2DFDAD8649FA42EB46FA86F7F093503C41019EAD4550784E26C553D171518355FBBF995E38B1F6D7ABFF0
Malicious:	false
Preview:	.........$ .e.(...h.0...i.>...j.J...k.Y...l.d...n.l...o.q...p.~...q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.....................................%.....,.....3.....4.....5.....:.....G.....V.....f.....w...........J.......................H.....y.................I.......................@.....o.......................?.....M............................._.......................B.......................8.............................[............................V.....a................l............................. .....^.............................A.....b.....n.................H.....[.......................+.....t.......................5.....y.......................:.....c.....n...........'.....d.....y.................).....?.............................G.............................].......................4.....O.....^.................6.....F.................#.....;.................V.....d...........$.....[.....x.................F.....U.............................k.............

C:\Users\user\AppData\Roaming\Snetchball\locales\en-US.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	434598
Entropy (8bit):	5.509004494756697
Encrypted:	false
SSDEEP:
MD5:	FEAB603B4C7520CCFA84D48B243B1EC0
SHA1:	E04138F1C2928D8EECE6037025B4DA2995F13CB4
SHA-256:	C5B8FBDBB26F390A921DCACC546715F5CC5021CD7C132FD77D8A1562758F21F4
SHA-512:	E6B3970A46D87BFD59E23743B624DA8116D0E1A9912D014557C38FD2664F513E56317AFA536DF52E7E703863FBD92136BE57EE759A2FFC2958AB028F6287E8B7
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.,...y.2...z.A...\|.G...}.Y.....a.....f.....n.....v.....~.................................................................G.......................\.......................Q.......................T......................./.....t.......................7.....^.....k.................".....9.................!.....9.............................i.......................7.......................!.............................K.....f.....u.............................Y.............................k.......................G.....t.......................7.....B.............................J.......................$.....~.......................^.............................=.....R.............................q.......................X.............................X.......................7.....o.................X.......................k.......................a.......................!.....C.....S.................,.

C:\Users\user\AppData\Roaming\Snetchball\locales\es-419.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	524728
Entropy (8bit):	5.377464936206393
Encrypted:	false
SSDEEP:
MD5:	32A59B6D9C8CA99FBD77CAA2F586509A
SHA1:	7E8356D940D4D4CC2E673460483656915AA59893
SHA-256:	AA4A5AA83DD5F8476867005844F54664DB1F5464A855EF47EC3A821DAF08E8F2
SHA-512:	860BA06228BBA31EEC7EB8BD437DDB6E93BABD0129033FB6EFF168F2FB01B54E2B93D2AB50A5D4F5D2FB7B04A5D0DD5541999D708CC2613B74AADD17B3E98735
Malicious:	false
Preview:	........5$..e.`...h.h...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....j.....\|.......................J...........>.....Y...........1.....v..........."...................................L.....g.................4.....G.................,.....=...........7.....}...........6...................................6.....I.................\.....s..........._.................Z...........2.....Y.......................:.......................".......................0.................R.....e...........).....g.....s.................P.....[.................4.....>.................L.....\...........O.................!.....v.................+.....x.................i.................:.................2.......................!.......................0.................I.....c...........x.............................B.....p...........V.......................G.....j.....}...........n.............

C:\Users\user\AppData\Roaming\Snetchball\locales\es.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	523181
Entropy (8bit):	5.356449408331279
Encrypted:	false
SSDEEP:
MD5:	3D1720FE1D801D54420438A54CBE1547
SHA1:	8B1B0735AE0E473858C59C54111697609831D65A
SHA-256:	AE32D66C0329104B9624BA0811FE79149D1680D28299440EC85835DBA41C7BD2
SHA-512:	C033BBB5261EC114DCB076EDB5E4B3293F37D60C813674A947F996606A6289204C04D2E4315356D92EEEB43FF41D534997DBEBBF960B17F2F24AA731AFE4B7E1
Malicious:	false
Preview:	........5$..e.`...h.h...i.p...j.\|...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.+.....3.....8.....@.....H.....P.....W.....^.....e.....f.....g.....i.....\|.......................O...........G.....b...........D.................0........... .....:.................Y.....t.........../.....^.....n...........0.....X.....i...........c.................W...................................I.....Z................f.....{...........o.................g...........+.....P.................8.....N.................".....1......................@.................?.....R.................;.....G.................%.....0.............................y...................................D.....^.................@.....].................5.....T...........;.....`.....s...........h.................M.......................A.......................W.............................&.................)...................................A.....U................. .....3.................D.

C:\Users\user\AppData\Roaming\Snetchball\locales\et.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	475733
Entropy (8bit):	5.456553040437113
Encrypted:	false
SSDEEP:
MD5:	C00D66D3FD4FD9D777949E2F115F11FB
SHA1:	A8EAAD96CABCDFB7987AF56CB53FA5E16143EC48
SHA-256:	26C438935E3F666329EE8D1DABA66B39179BCF26EBAC902F9B957A784BDC9B4A
SHA-512:	E7E8C083B556DD05874AC669B58A4D1CD05D1E1B771EB4C32942869E387C6FA2B317B5F489138BD90135117DAEB051D96A7823B531DF0303BD4245A036F25A20
Malicious:	false
Preview:	........@$y.e.v...h.~...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.#...z.2...\|.8...}.J.....R.....W....._.....g.....o.....v.....}.....................................................S...........J.....e...........4.....d.....w...........Y.......................u.......................m.......................\.......................[.........................................7.......................;.......................K.......................x...........;.....R.................9.....T................. .....,.............................w...........#......................./.....=.................'...../.................".....1.................$.....,.................O.....g.................4.....J.................,.....O.................4.....A.................=.....i.................&.....7.................#.....;.................?.....Z...........U.................C...................................@.....M...........................................

C:\Users\user\AppData\Roaming\Snetchball\locales\fa.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	773397
Entropy (8bit):	5.04618630633187
Encrypted:	false
SSDEEP:
MD5:	C998140F7970B81117B073A87430A748
SHA1:	8A6662C3AABDAC68083A4D00862205689008110C
SHA-256:	182F18E4EFCA13CA59AFD1DF2A49B09733449D42526EE4700B11A9C5E6AAC357
SHA-512:	5A947A44F674F9556FDD44D2E4FF8CF0E0AAC4475FFA12480CA1BD07CFE7514961B7CACE6760189432B4B4BEB5EA5816701158EB3CB827A806F3063853C46D5E
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.#...s.4...t.=...v.R...w._...y.e...z.t...\|.z...}...............................................................................-.....T.....9.......................^...........u..........._.............................H.................a...........S.....f...................................?.................j..........._.............................'...........f.......................I.......................v.............................Q.....u...........}.................S...........).....@...........x.................m...........M.....d...........p.................H.................:...........`.................`...........l...............................................s...........C...........0.....P.......................;...........1 ....V ....q ....+!.....!....'"....I"....."....\|#.....#.....#.....$.....%.....&.....&....j'.....(....l(.....(....W).....)....M....p.....*....n+.....+.....+....d,.....-....P-....x-

C:\Users\user\AppData\Roaming\Snetchball\locales\fi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	483378
Entropy (8bit):	5.428549632880935
Encrypted:	false
SSDEEP:
MD5:	1CFD31A6B740D95E4D5D53432743EBF1
SHA1:	20CEEEA204150BD2F7AAE5866C09A3B0AE72D4C5
SHA-256:	F821E06B4BACD9E7660A2D6912A049591FFD56C6D2A0A29B914648589B17B615
SHA-512:	C483B7347F91BE8EE515DCF352A1D7502B9A159EDE35EACCEBAA763B93A625BCE2D0C7D598C2A6111092257D6DAC7A167102E956697210D4694B9812D70C8A94
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.%...v.:...w.G...y.M...z.\...\|.b...}.t.....\|.....................................................................................................^.....q...........7.....j.....}...........Z.......................~.......................s.......................D.....d.....t........... .....F.....`...........C.......................Q.....}.................S.......................T.........................................E.............................k......................./.....P.....\.................).....3.............................p.......................L.......................0.......................%.......................B.............................g.......................e.......................d.......................M.....d.....s...........*.....T.....f...........".....[.....u...........x.................I.......................Y.......................4.....v.......................S.....~.

C:\Users\user\AppData\Roaming\Snetchball\locales\fil.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	546749
Entropy (8bit):	5.197094281578282
Encrypted:	false
SSDEEP:
MD5:	6EDA0CD3C7D513AAB9856EC504C7D16F
SHA1:	BA24C4B994E7866F2C012CCEC6C22DFC1A4FCFF6
SHA-256:	3CD2BC9E887663C5E093E0334BC60CF684655A815E3DE7AD9A34BAD5EBB858B1
SHA-512:	47000F5EA882CB9EDDCF4FB42ED229423EE55AA18B4A4353D7EF85ADFA7E1B0BBB33C2469887224D7146B3E33FB2296749CD053D68D7DAF26980BC710A27C63E
Malicious:	false
Preview:	.........$..e.@...h.H...i.^...j.j...k.y...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.......!.....&...........6.....>.....E.....L.....S.....T.....U.....Z.....g.....\|.................K...........:.....X...........O.................Q...........>.....e...........Z.......................~.................%.......................h.................H...........^.................M.................!.................H.....b...........].................V...........B.....d...........#.....N.....k.................A.....N.................,.....;.................S.....i...........5.....k.....z...........=.....o.....}...........>.....o.....}...........@.....r...................................R.......................L.......................<.......................e.................U.................F.....`...........>.....q.........................................%.................4.................4.................J.....b.................B.....X...........N.......

C:\Users\user\AppData\Roaming\Snetchball\locales\fr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	568277
Entropy (8bit):	5.380723339968972
Encrypted:	false
SSDEEP:
MD5:	D185162DF4CAC9DCE7D70926099D1CF1
SHA1:	46594ADB3FC06A090675CA48FFA943E299874BBD
SHA-256:	E40C07183A32B75930242F166C5AAE28F4CD769BB2268391BEAA241814E7D45A
SHA-512:	987D9CC6AD5F2ED6A87537FDADF105F6EB31A97B11156E70814FE021047E5D8D08398F008812038DF3CCDCB6254BF5B744D9982FE04F79D407AC2F53BB046E25
Malicious:	false
Preview:	.........$..e. ...h.(...i.9...j.E...k.T...l._...n.g...o.l...p.y...q.....r.....s.....t.....v.....w.....y.....z.....\|.....}..................................... .....'.........../.....0.....2.....B.....P.....b.....q.................6.....X...........?.................'.................(.................W.................4.....`.....p...........D.........................................{...........(.....L...........*.....i.....{...........S.........................................}...........i.................N.......................H.....r.................N.......................f.......................}.......................x.......................e.......................d.................+.................&.......................8.....~.......................k.................0...........;.......................f.........................................d.................6...........4................."...................................R.....k.................G.....[...........G.......

C:\Users\user\AppData\Roaming\Snetchball\locales\gu.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1103776
Entropy (8bit):	4.336526106451521
Encrypted:	false
SSDEEP:
MD5:	44F704DB17F0203FA5195DC4572C946C
SHA1:	205CBCC20ADCCCF40E80AA53272FBA8CD07389CA
SHA-256:	4B073F08F0C8C035974B5EC43AA500F8BDD50E6CFE91A2FB972A39E0F15ECEDD
SHA-512:	3CFD4501556845141EE9B461C831CA59779AD99F0E83E8D03433DE78D774378E87DE752DD9711C112A0C584259AD1DA6DC891D92F3F447F63A4D84263CD5BFCE
Malicious:	false
Preview:	........4$..e.^...h.f...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.#...\|.)...}.;.....C.....H.....P.....X.....`.....g.....n.....u.....v.....w.....\|.......................&.....b....._.....0.....l....._..... ...............................................a.......................G.................r...........\.....\|....._...........z.......................V...........n.....B...................................7.....4...../.......................".......................4.....p...........P...........E.....m.......................................................................'...........}.......................C.................j .....!....u!.....!.....".....#....\$.....$....K%.....%....R&....{&.....'.....'.....'.....'.....(....b).....).....*....'+.....+....t,.....,.....-....9.....\|............/....W0.....0.....0.....1.....2....33....f3.....4.....5.....6.....6.....7.....8....<9.....9....\|:....H;.....;.....;.....<....s=.....=.....=.....?.....?.....@

C:\Users\user\AppData\Roaming\Snetchball\locales\he.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	681555
Entropy (8bit):	4.658620623200349
Encrypted:	false
SSDEEP:
MD5:	E75086A24ECAA25CD18D547AB041C65A
SHA1:	C88CE46E6321E4A21032308DFD72C272FB267DBD
SHA-256:	55BE8A5ED9FB9C129AC45B7FC99574B9907350AFD024BAA5D07525F43E995F6B
SHA-512:	01D7FDD90B8D0D3779B8442250E2AA767481B2E581F880BF9C3DCBB15FCE52E477B1881F3704FBCB3172DB77DB10241BCB24851BFE30066D1E9B66244B3C6877
Malicious:	false
Preview:	.........$..e.....h.....i.....j.'...k.6...l.A...n.I...o.N...p.[...q.a...r.m...s.~...t.....v.....w.....y.....z.....\|.....}.........................................................................+.....D.....].....z.....?...........~...........).............................O.................T...........#.....E...........:.......................w.................W................./...........F.................V...........5.....T...........K.................3.............................o...................................E.........../.....a.....t.............................z...........,.....?...........5.....v.................q.................5.......................r.................1...........X.................I.......................y.................$.................k...........).................!.......................#.................7.....P...........e.......................e.............................w...........W ..... ....$!....K!.....!....7"....g"....."....@#.....#....-$

C:\Users\user\AppData\Roaming\Snetchball\locales\hi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1167065
Entropy (8bit):	4.308980564019689
Encrypted:	false
SSDEEP:
MD5:	1FF8A0B82218A956D2701A5E4BFA84EF
SHA1:	56BB8218963E14ADCC435F2455891F3A0453D053
SHA-256:	62E7C3ABC317931723BE11ADD3712DD15EAAB0A35A4D8E7DB0B6347104EC5733
SHA-512:	3330D983401953AA5ED4856A8D10FFCBEEFC2A4E594CF850566A0AD38837BC1164870BB1270B6BBE5D7DD6FB1ECA29CDE85869A5C51808B901CDC282E04764E4
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.%...n.-...o.2...p.?...q.E...r.Q...s.b...t.k...v.....w.....y.....z.....\|.....}...............................................................................?.....j.............................................../.....j.........................................N.....}.....P...........^...........F...........A.....d.....K...........N.............................L.....&...........V...........f...................................L.....~.................{.................A.................y..........}...........;........................................[.................,.....K...................................j ..... ..... .....!....J".....".....".....#.....$....T%.....%....@&.....&....8'....d'.....'.....(.....(.....(.....)....6..........*.....+.....,.....-....c-......................%/.....0.....0.....1.....1.....2....i3.....4....B4.....5.....6.....7.....7.....9.....9....S:.....:.....;.....<....F=.....=.....>....N?.....?.....@.....@.....A....LB

C:\Users\user\AppData\Roaming\Snetchball\locales\hr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	526575
Entropy (8bit):	5.518614920030561
Encrypted:	false
SSDEEP:
MD5:	0BD2F9847C151F9A6FC0D59A0074770C
SHA1:	EA5313A194E9D99489E9F1D7B4DFC0BC986C8E17
SHA-256:	5F2F1AA2E2EC78F375084A9C35275E84692EE68A1E87BBEF5A12A2C0FCF7F37A
SHA-512:	0032C0B41FDF769DAA1AF23C443D4195B127DF9EA8621174F1AABDBAFAE4954383095FA1EEAD14FC458188B8837BBE9AECA0D5338E4D47F10D976FBED8609496
Malicious:	false
Preview:	........F$s.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.)...y./...z.>...\|.D...}.V.....^.....c.....k.....s.....{.................................................................k...........Y.....z...........F.....~...................................e.......................y.......................m.......................l................. .................q................._.........................................A.............................4.......................j.......................D.....f.....w.................*.....:.................4.....I.................&.....5.................8.....M................. .....0.........................................S.....n.................0.....M.......................3....................... .................E.....v...........!.....F.....\...........).....[.....t...........U.................M...........(.....:...........".....`.................G.....v.................$.....B.....T...........0.....n.

C:\Users\user\AppData\Roaming\Snetchball\locales\hu.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	566819
Entropy (8bit):	5.6387082185760935
Encrypted:	false
SSDEEP:
MD5:	4C27A1C79AB9A058C0A7DFFD22134AFD
SHA1:	5F0A1B34E808B91ADB1E431E462D9FCF82F4FFF2
SHA-256:	AD98C0A367B51EB217E69D66FA6A946946E85EC8452FC5A7AE0F179F35BE28C3
SHA-512:	0F066DB5905EB24B6CB4FBC7C81F017B43AFB7A6E975886644D871E979406B990509905D100653496EE2D20969A77434B702FF1EA5D348274AE54EA597A91D5E
Malicious:	false
Preview:	.........$..e.....h.....i.!...j.+...k.:...l.E...n.M...o.R...p._...q.e...r.q...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................+.....A.....V.....j.................9.....W...........N.............................................".....X.....q...........K.....r.................Y.................?................."...........I.................7.......................k...........'.....7...........:................./.................:.................Z.....w...........O.....v.................f.................5.................(...........2.....u...................................M.................0...........6.....x...................................m.................)................. .....I.................O.....g...........c.................O.......................E.......................r...........'.....H...........v.............................l...........7.........................................5...........& ....q

C:\Users\user\AppData\Roaming\Snetchball\locales\id.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	466959
Entropy (8bit):	5.379636778781472
Encrypted:	false
SSDEEP:
MD5:	1466C484179769A2263542E943742E59
SHA1:	18E45A08661FD6D34BADE01CDB1E1D5184BA2B67
SHA-256:	C331293D16B16B08DEF73BE73437845D58C593941320C547A377DB423749AEBB
SHA-512:	ABC54D5CAAA663578F064E43CC0465BEB97EFC46991936708EBF3FCD64BD007E47072AB4834A5361B21F064BB0F6527E247BC2C2F0DFB8336F50C2FF3E15A59C
Malicious:	false
Preview:	........ $..e.6...h.>...i.O...j.[...k.j...l.u...n.}...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.........................'...../.....6.....=.....D.....E.....F.....H.....V.....c.....s.................k................. .....l.......................l.................-.......................0.............................R.....s.................I.....x.................T.......................@.....j.....w.................L.....Y.................Z.....m...........H.......................%.....@.....Q.............................c.......................<.......................#.....t.......................L.....x.................%.....R.....^.................>.....K.................5.....G.............................J.......................".....h.......................L.....}.................#.....=.....K.................+.....:.................2.....K...........C.......................u.................,.....\|.......................C.....b.....r...........1.....h.

C:\Users\user\AppData\Roaming\Snetchball\locales\it.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	522800
Entropy (8bit):	5.284113957149261
Encrypted:	false
SSDEEP:
MD5:	7767A70358D0AE6D408FF979DF9B2CD4
SHA1:	9C57A5B068DC12AAF1591778DEF5D3696377EDAB
SHA-256:	672908E77E9EACA793654C8E630442099DE3BE772FD3230A9C4045CAFBCC0B1E
SHA-512:	913AA8C49D04CD84706D08A88453D1ED36FDE6A00F7C1DF63DECEA99316A8A234924457C0C50937329B3979E437B1C2D7796E63ADF209505E212FDCEAE3BFDB5
Malicious:	false
Preview:	........-$..e.P...h.X...i.i...j.u...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.$.....,.....1.....9.....A.....I.....P.....W.....^....._.....`.....b.....u.......................E...........3.....O.................V.....g..........._.................o...........#.....L.............................k.......................n.................2..................................w.................5.......................R...................................c................./.....[.....y.................=.....K.............................x..............................................`.......................4.............................^.........................................B.............................F.....\.....r........... .....L.....a...........=.......................b.......................8.....c.....v...........[.................c...........S.....j...........d.................[.................).....v.......................X.............

C:\Users\user\AppData\Roaming\Snetchball\locales\ja.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	634636
Entropy (8bit):	5.718480148171718
Encrypted:	false
SSDEEP:
MD5:	4A4AF69546DCF65F2D722A574E221BEA
SHA1:	EE51613F111CF5B06F5605B629952EFFE0350870
SHA-256:	7AD195AF107F2A394BAB527C3E84E08F3B7748076F23459F084CF0E05DD29655
SHA-512:	0E93F6B22F7C9176EFC9D49901BFBD281FA5AC3632780DFA76CE597CADD8C1CF570A9163A86BC320BBFBD354F48288DBEC5E36A6088999B00A3561D302A96D03
Malicious:	false
Preview:	........n#K.e.....h.....i.....j.....k.....l.....m.....o.%...p.2...q.8...v.D...w.Q...y.W...z.f...\|.l...}.~...............................................................................................6.....W...........}.................l........... .....8...........c.......................B.................W.......................x...................................7.....V...........e.................=.......................].......................{...........#.....2...........y.................`...................................<.....W...........j.................y...........e...................................h...........(.....:...........%.....a.....p...........{.................}...........m..................................._...................................Z.....x.............................o...................................:.....U................d.....z....."................?...........X.................`.................@.................g............ ..... ..... .....

C:\Users\user\AppData\Roaming\Snetchball\locales\kn.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1256908
Entropy (8bit):	4.247594585839553
Encrypted:	false
SSDEEP:
MD5:	6A41A5AB03A22BDAEC7985B9A75EC11A
SHA1:	6BB02DF557BD6522E02FE026C0243BEB9332B2E5
SHA-256:	E22873652AC7D9D18E47DAE838D121B5644EDA4C67F7B0BC110733BF7E931FEA
SHA-512:	BCA661D802D29463A847AC77EB8D5DFA41C31455E7314049CA26555957DCA3BE33701C074F7ED26D2C375A0A9C5F8A93461007B8D74F5ED3BD27C02E5DB170A5
Malicious:	false
Preview:	........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...\|.V...}.h.....p.....u.....}.................................................................W...........".....V.....W...................................n...........b............................._.......................<.....)...........s.......................).............................1.....7...................................[......................................................................u...........f...........K.....^........................ ..... .....!..../"....i"....=#.....#....r$.....$....I%.....%....l&.....&....p'....((.....(.....(.....)....N...............,.....-.....-................./.....0....W0.....0....z1.....1.....1.....2....Y3.....3.....4....@5.....6.....6.....7.....8.....8.....9....V9.....:....R;.....;....1<.....=....B>.....?....]?.....@....DB....BC....wC.....D.....E.....F....$G....\H....AI.....I....4J.....K.....K.....L....PL.....M....lN.....O

C:\Users\user\AppData\Roaming\Snetchball\locales\ko.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	532715
Entropy (8bit):	6.0824169765918725
Encrypted:	false
SSDEEP:
MD5:	5FD9942F57FFC499481947DB0C3FDFA7
SHA1:	4D60AB21305902877467FF6151C1B7AB12553AAE
SHA-256:	09E279860E20E9E559945940E29446CAD4273D05C5F3F15D0BAD664A1D5749F2
SHA-512:	97953E580588C07769F1BD0002E2DF648FFCE5B246D2359E4475EDCFA1CD6E7286BAF168A115D7A65686B2151C313B6FD0C271E40B1F9DD4132F2F39904FE8D4
Malicious:	false
Preview:	........O#j.e.....h.....i.....j.....k.....l.....m.....o.....p.....q.....r.....s.....t.....y.#...z.2...\|.8...}.J.....R.....W....._.....j.....r.................................................................].................5.................O.....b...........F.......................p.................'.......................,.......................;.......................L.......................e.......................Y.......................X...................................Q.....h.................>.....U................. .....0.........................................-.....I.................A.....Q.................L....._.................K.....[.................J.....Z...........O.......................Z.....{.................U.....}.................`.................%.......................J.............................h.......................\.................+.......................m.........................................'.............................x.........................

C:\Users\user\AppData\Roaming\Snetchball\locales\lt.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	573015
Entropy (8bit):	5.63016577624216
Encrypted:	false
SSDEEP:
MD5:	8745B87D09D9ECC1112C60F5DD934034
SHA1:	2F411E4EEF0E656CAC0C755FECE1AD2531CB689E
SHA-256:	D546C994C81510122E7B2359DA50F694E1F0CA4081830404E16187A5CF4D4E0D
SHA-512:	27B658C153A01AABB9595C5B1059567E535EDFC8F8187B89316D2C85694DE32696D209CFDD2A32C4826DFB1E50AC692937156563EE190E68DB358C40F9AAE15F
Malicious:	false
Preview:	........+$..e.L...h.T...i.e...j.q...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}. .....(.....-.....5.....=.....E.....L.....S.....Z.....[.....\.....^.....l.....y.................4...........".....=...........S.................M...........'.....A...........8.....p...................................A...................................B.....g...........z.................R...................................;.....K...........c.................T...........2.....P...........2.....Y.....t...........W.........................................E...................................D.....S...........Q.........................................S.............................B.................&.......................t...........1.....Y...........K.................+.........................................'...........N.................A.................,...........q.................d...........&.....F...........x.................(.......................H ..... .....!

C:\Users\user\AppData\Roaming\Snetchball\locales\lv.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	570683
Entropy (8bit):	5.624052036286866
Encrypted:	false
SSDEEP:
MD5:	E16B0B814074ACBD3A72AF677AC7BE84
SHA1:	10744490B3E40BEB939B3FDCA411075A85A34794
SHA-256:	46B5C09AA744AF0F660C79B0CDBDE8C8DBDD40A0BA1A23AAF28D37ECC4211DC5
SHA-512:	70EA9DFAC667C0992AE0E95815A47EB8E779BAAE1215E733AFE84EEE26D3BA754AD838C12E9AEE3114D7BBE11CD21B31C550F5CAFE6C5E838B69E54C6174EF18
Malicious:	false
Preview:	........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...\|.V...}.h.....p.....u.....}...................................................................................Z.................G.................%...........Z.................F.................6.................Q.....\...........Q.........................................\|.....#.....t...................................W.................0...........T.................B...........8.....Y...........$.....J.....`...........-.....V.....h...........;.....b.....v.............................G.......................r.........../.....>...........'.....Z.....k...........c.................@...........3.....K.................).....>...........=.....t.................c.................(.................2.......................8...........<.....q.........................................:.................8...................................N.....^...........0.....K.....m............ .....

C:\Users\user\AppData\Roaming\Snetchball\locales\ml.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1307271
Entropy (8bit):	4.279854356980692
Encrypted:	false
SSDEEP:
MD5:	309E068B4E15157486D095301370B234
SHA1:	D962CDAF9361767045A928966F4323EAD22D9B37
SHA-256:	4F2C19B7E94B695C5C5CAB95DEE6E49AE53C3337C351B5C665BCB6BA4E6AE909
SHA-512:	6B1333946C7950D97D2DF29D063DB39A0EC5C0EEAA1ECA40743E4A6A0E4C972D897D3FF2BA837B53E31B8003F2C5C4BACCB7A4AB4B50C6CB47DF39AD7B8E05E7
Malicious:	false
Preview:	........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.,...w.9...y.?...z.N...\|.T...}.f.....n.....s.....{...........................................................$.....d.................Z.....C.......................W...........%.....r.....a.......................}.................n...........................................................I.................m.......................l.......................5.....y.............................^.............................j.......................\|............ ..... .....!.....!....".....#.....#....V$.....$....n%.....&.....&.....&.....'....n(.....(.....)..........*....W+.....+....c,....+-.....-.....-...........0.....0.....1.....1.....2....!3....Y3.....4.....4.....5....T5....06.....6.....7.....7.....9.....9.....:.....;.....;.....<.....=....Z=....\|>....s?.....@....T@.....A....UB.....C....SC.....D.....E....yF.....F.....G.....H.....I.....I....-K....(L.....L.....M.....N.....N....eO.....O.....P.....Q.....R

C:\Users\user\AppData\Roaming\Snetchball\locales\mr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1075591
Entropy (8bit):	4.313573412022857
Encrypted:	false
SSDEEP:
MD5:	69C36C23D6D9841F4362FF3A0F86CFDF
SHA1:	C4C1F632EB8373107AEEBD6C26ECF036AEDA2B6B
SHA-256:	6A794C2B08F8B046BE771DF33719536BDAF2371E3825D49A0E556958B781832D
SHA-512:	8C1329BDB371677BC0A9D727A38591EDF32025BAE1E7EFE402D01C6A8BB5F647D827C59A18F40455D5C9C0482798525C98C3F1C8AC568AA886D7C1ED07D1580E
Malicious:	false
Preview:	.........$..e.....h.....i."...j.....k.=...l.H...n.P...o.U...p.b...q.h...r.t...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................@.....b.................%.....]...........W.................J.............................:.....@.....=...................................&.................&.....F.....P.......................h...........o...............................................c...................................R..........._.................i...............................................J.................. .....!.....!....(".....#.....#....O$....{$....B%.....&....c&.....&....F'.....(...._(.....(....R).........y.....*.....+.....-.....-................./...../...../.....0....61....l1.....1....Z2.... 3.....3.....3.....4.....5.....6.....6.....7.....8.....9....E9....u:....n;.....;....@<.....=....O>.....?....5?.....@.....A.....B.....B....MD....WE.....E....eF....nG....LH.....H.....H.....I.....J.....J.....K....5L....)M.....M

C:\Users\user\AppData\Roaming\Snetchball\locales\ms.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	489457
Entropy (8bit):	5.250540323172458
Encrypted:	false
SSDEEP:
MD5:	A1253E64F8910162B15B56883798E3C0
SHA1:	68D402D94D2145704DC3760914BF616CC71FC65D
SHA-256:	E033BFAD6CD73EA7B001DFAF44B7102E3BBE2A1C418F005C149E4FB2565DB19F
SHA-512:	ABD63713093049ECC8E24FD8145EAE065340058A3C38758A59EE8796FBED7E6CFBC54982D650889F1CEB54797060C7DDA12EEE2A963B14C5E907A110C2057DBE
Malicious:	false
Preview:	........T$e.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v./...w.<...y.B...z.Q...\|.W...}.i.....q.....v.....~........................................................................................._.....{...........:.....n.....~...........\.................#.......................=.......................1.......................3.......................Y.................*.....z.......................W.......................E.......................b.........../.....A.............................N.......................$.....x.......................r.......................z.......................p.......................^.......................Q.......................r.................!.....s.......................S.....w.................6....._.....p.................T.....w.......................#.......................$.................2.....K...........B.......................s.................,.............................P.....r.................0.....].

C:\Users\user\AppData\Roaming\Snetchball\locales\nb.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	476208
Entropy (8bit):	5.4272499712806965
Encrypted:	false
SSDEEP:
MD5:	622ED80836E0EF3F949ED8A379CBE6DF
SHA1:	9A94CD80E747B88582470EF49B7337B9E5DE6C28
SHA-256:	560B2F09C1B6E6BB7E6A5A5F9BF85A88BD2ACA054B7D4A5955D9C91B6D7CA67C
SHA-512:	950627E74180E1451BB35AE4A7416AC14D42D67BBBB59DC51D7B69E4CEB61715F8F9B0EB9D7F35FCEFD4D43FABE5CE2103F1AF3709CAE6733C25AC19E6339A83
Malicious:	false
Preview:	........2$..e.Z...h.b...i.y...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.....}.......................N...........A.....V.................X.....k...........z.................K.......................L.......................:.......................;.......................g................./...........<.........................................R.................1...........Q.......................\.....u.................1.....V.....f.................9.....I.................H.....\.................J.....Z...........".....T.....d.................@.....P.................<.....J...........4.....y.................B.....h.....{...........&.....E.....^.................-.....?...........,.....k.................V.....\|.................b.......................i.................&.......................s...........9.....b...........*.....V.....i.................".....0.................).

C:\Users\user\AppData\Roaming\Snetchball\locales\nl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	491139
Entropy (8bit):	5.362822162782947
Encrypted:	false
SSDEEP:
MD5:	C8378A81039DB6943F97286CC8C629F1
SHA1:	758D9AB331C394709F097361612C6D44BDE4E8FE
SHA-256:	318FB294CE025BDA7636B062CA7B6A1FB1E30C485D01856159CB5DB928782818
SHA-512:	6687FFE4DE0D5A2314743EB3134096292724163D4E0332D2F47922B4807B0CDE7C20E2D57D2662E403D801BC7A20BC247F5D0EDD787AB650E5766B49AF7D3C63
Malicious:	false
Preview:	.........$..e....h.2...i.C...j.O...k.^...l.i...n.q...o.v...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................#..........1.....8.....9.....:.....<.....H.....X.....i.....{.............................X.......................\|...........4.....J.................M.....d.................8.....G.......................).................8.....Y...........1.....h.................F.....{.................U.........................................\.................4.............................Y.......................-.....~.......................}.......................v.......................V.......................5.....a.....n...........*.....^.....m...........I.......................X.......................>....._.....v...........,.....T.....f...........8.....o.................=.....[.....o...........3.....e.....v...........H.....................................................E.....j...........5.....f.....{.................B.....R.................B.

C:\Users\user\AppData\Roaming\Snetchball\locales\pl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	550453
Entropy (8bit):	5.757462673735937
Encrypted:	false
SSDEEP:
MD5:	80C5893068C1D6CE9AEF23525ECAD83C
SHA1:	A2A7ADEE70503771483A2500786BF0D707B3DF6B
SHA-256:	0069648995532EFD5E8D01CC6F7DD75BD6D072E86C3AE06791088A1A9B6DACC4
SHA-512:	3D1C41A851E1CF7247539B196AD7D8EE909B4F47C3CFB5BA5166D82CDA1C38049B81A109C23FA6D887490E42EE587CC2A6BD96A3EA890267C089AC74710C755F
Malicious:	false
Preview:	........6$..e.b...h.j...i.{...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.............................X...........S.....o...........=.....w...................................i...............................................z.................$.................1.....W...........M.................*.......................@.......................l...........0.....L...........].................9.....v.......................E.....h.....x.................,.....:.................<.....P.................>.....P.................6.....F.......................-.........................................e.....}.................4.....K.......................;.................+.....@.................a.................+.....I.....`.................9.....U...........2.....}...................................w...........'.....R.................9.....J.............................v.............

C:\Users\user\AppData\Roaming\Snetchball\locales\pt-BR.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	516256
Entropy (8bit):	5.426294949123783
Encrypted:	false
SSDEEP:
MD5:	3BA426E91C34E1C33F13912974835F7D
SHA1:	467A1B05BAD23252A08EE22E6B9EBB4404F6A0F0
SHA-256:	CB66D88D3B3938FE1E42C50ECB85CEDB0D57E0F0AB2FA2A5FC0E4CDEA640E2B7
SHA-512:	824A4301DC4D935FF34CE88FAA0354440FC1A3A8E79B0F4B0B2DCC8F12542ECEF65828FB930EDF5B35BF16863296BBAE39E9306962B4D3CFA9F6495AC05BDEF4
Malicious:	false
Preview:	........9$..e.h...h.p...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.$...\|.*...}.<.....D.....I.....Q.....Y.....a.....h.....o.....v.....w.....x.....}.............................d...........L.....h.........../.....h.....x.............................w.................(.....y.......................^...................................:.....j..........._.................:......................._...................................K.....d...........p.................5.............................q.......................n.......................w.......................p.......................O.....}.................).....W.....a.................V.....g...........b................. .....j.......................;.....a.................=.....U...........N.................2.....W.....p...........8.....p.................S.................@.................0...........1.....{.................X.......................0.....V.....k...........C...................

C:\Users\user\AppData\Roaming\Snetchball\locales\pt-PT.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	518861
Entropy (8bit):	5.4029194034596575
Encrypted:	false
SSDEEP:
MD5:	4D7D724BE592BD0280ED28388EAA8D43
SHA1:	8E3C46B77639EB480A90AD27383FBB14C4176960
SHA-256:	4724D82866C0A693C2B02D1FFA67D880B59CDB0D3334317B34EC0C91C3D3E2A2
SHA-512:	D05388F66C50E039F7D3393515740F6B2593F9C0EF8651F9CDE910C5FF06656E0D22FDB066B22665289EE495837EA16CC085ECB3F85B0F6FB498AECDAA19ADF7
Malicious:	false
Preview:	........I$p.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v."...w./...y.5...z.D...\|.J...}.\.....d.....i.....q.....y.......................................................................u...........Z.....u...........@.................).................$.................S.....w.................D.....T.................(.....:...........(.....j.................x.................H.......................g...................................9.....N...........D.......................p.......................^.......................a.......................q.......................r.......................U.............................[.....e.................P.....a...........?.......................O.....y.............................?.................0.....J...........#.....p.................9.....c.....u...........#.....Y.....n.........../.....}...............................................G.....k...........N.......................B.....g.....\|...........J.......

C:\Users\user\AppData\Roaming\Snetchball\locales\ro.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	537125
Entropy (8bit):	5.4566742297332596
Encrypted:	false
SSDEEP:
MD5:	4F1C0A8632218F6FEF6BAB0917BEB84F
SHA1:	05E497C8525CB1ADE6A0DAEFE09370EC45176E35
SHA-256:	9C19835F237B1427000D72C93703311CFCBEFF6C2B709474B16DB93E629BC928
SHA-512:	A7CDF94F79CD888BB81FD167F6B09BF1BEF2C749218869E5A12A0A3B2C2506D1A63F64B63D8E48EA49375636041C639082563BF9D526FE44003FC5A5E8D50E9D
Malicious:	false
Preview:	........0$..e.V...h.^...i.o...j.y...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.(.....0.....5.....=.....E.....M.....T.....[.....b.....c.....d.....f.....u.......................3.................+.................%.....9...........@.................1.......................Q.......................4.......................C...................................>.....b...........@.......................d.........................................p...........@.....n.................+.....H.............................h.......................M.......................J.......................7.............................].......................E.....t...................................?.............................W.....w.................\.................).......................f.......................W.........................................'...........$.....y...................................f.......................j.......................l...........+.

C:\Users\user\AppData\Roaming\Snetchball\locales\ru.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	878725
Entropy (8bit):	4.848685093578222
Encrypted:	false
SSDEEP:
MD5:	3A3D0D865A78399306924D3ED058274E
SHA1:	AA1A42DB6021666B2297A65094D29978792CE29B
SHA-256:	EAB4C32FEBE084CC7A3A272CDA008B69D6617ED6D042376B0316BE185B9E66FE
SHA-512:	ACA8C87D0B2BB35A325726F7774F8A0232B99C8EFE0F948AB68210958E23B95E9D9026A9430D96FC2D5CEBA94815F4217896EF877C9A6E1D0E56F73533FB1D12
Malicious:	false
Preview:	.........#/.e.....h.....i.#...j./...k.>...l.I...n.Q...o.V...p.c...q.i...r.u...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................9.....V.....n...........V.......................g...........i...........l.....).................g...........,.....f.......................@.................6.....M......................./....."...........l..........._...........D.....y..... .................&.......................5.....9.....3.............................B.................r.................D...................................=.....b.........................................E.....\...........Y.................'...................................D.....n...........j.................9.......................a...........i...........v...........t...........a........................ ....,!....l!.....!....j"....."....R#....\|#....O$.....%.....%.....%.....&....x'.....(....Q(.....(....z).....).....)....]..........+....$+.....+.....,.....-

C:\Users\user\AppData\Roaming\Snetchball\locales\sk.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	553886
Entropy (8bit):	5.812150703289796
Encrypted:	false
SSDEEP:
MD5:	A9656846F66A36BB399B65F7B702B47D
SHA1:	4B2D6B391C7C2B376534C0AF9AA6779755B4B74E
SHA-256:	02B65F48375911C821786D91698E31D908A4C0F5F4F1460DE29980A71124480E
SHA-512:	7E23CAA89FF80BF799AC5353CEAF344CBED0393F23D15FCBE8DC24EE55757F417CEA3BFC30889FD2CB41951F9FA5629C2E64B46DD9617D4A85EFEF0A255246F6
Malicious:	false
Preview:	........5$..e.`...h.h...i.\|...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.%...}.7.....?.....D.....L.....T.....\.....c.....j.....q.....r.....s.....u.............................h...............................................[.........../.....I.................S.....j...........9.....h.....{...........4.....].....q...........J.................?.............................%.....`.....y...........\................./.............................%.....v.................G.....g.....\|...........=.....c.....u...........6.....].....o...........O.........................................".......................3.......................R.............................-.....x.................0.....K....._.................0.....E.................G.....W...........T.................).....w.................-.......................M.............................O.................J.........................................'.........................................E.

C:\Users\user\AppData\Roaming\Snetchball\locales\sl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	532410
Entropy (8bit):	5.486224954097277
Encrypted:	false
SSDEEP:
MD5:	BE49BB186EF62F55E27FF6B5FD5933F4
SHA1:	84CFD05C52A09B4E6FA62ADCAF71585538CF688E
SHA-256:	833F2E1B13381AA874E90B747931945B1637E53F2396A7409CCDA0A19CBE7A84
SHA-512:	1808631559D3C28589D3F5A4B95554CEBC342DE3D71B05DDC213F34851BF802967BFFAC3D7668C487265EE245D1E26EFCE5D317EDBFBBEEB4BC2C9F122980585
Malicious:	false
Preview:	.........$..e.....h.6...i.G...j.Q...k.`...l.k...n.s...o.x...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................%.....,.....3.....:.....;.....<.....>.....P.....^.....n...................................y.................&...........2.....}.................h.......................g.......................Z.......................v.................O...................................3.....I.................T.....h...........b.................S...........$.....J.......................(.............................n.......................z...........$.....8.................2.....C...........).....j.................;.....i.....\|...........?.....q.................[.......................g.......................L.....j.................G.......................~.................I.......................B.......................b.............................^.............................o.........................................j.......................x.......

C:\Users\user\AppData\Roaming\Snetchball\locales\sr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	818089
Entropy (8bit):	4.779985663253385
Encrypted:	false
SSDEEP:
MD5:	AFA2DFBA3BD71FE0307BFFB647CDCD98
SHA1:	CD7A5C54246E891981AEEEAA88D39EC9E3F2C594
SHA-256:	1375353837629A20102C69BF62701EE5401BED84D3DC4845BED5EE43E4D322CF
SHA-512:	CE8BBBDDC33CB6B8DF4AEE127A8987E6D8C1D0761AC5BD25D685310BAA2D377F239BDF06F2C04B54295CF8FD440697A69A040644D5A7C0395C4F71A0252B8E87
Malicious:	false
Preview:	........=$\|.e.p...h.x...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.,...\|.2...}.D.....L.....Q.....Y.....a.....i.....p.....w.....~.........................................).................W...........O...........\...........z.....E...................................3...........b.................a.................5.......................1.....1...........v...........\|...........{...........`...........Y.....~.....d...................................S........... .......................{...........(.....K...........H.................c...........d...........3.................)...........B.................D.................(...........W.......................E.................~...........'.....O...........^.................~ .....!....]!....z!....J"....."....=#.....#....0$.....$.....$.....%.....%....P&.....&.....&.....'....1(.....(.....(.....).....*....5+....S+....A,.....,....Z-.....-....^...........=/....^/...../....Y0.....0.....0.....1....'2.....2

C:\Users\user\AppData\Roaming\Snetchball\locales\sv.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	479512
Entropy (8bit):	5.541069475898216
Encrypted:	false
SSDEEP:
MD5:	09592A0D35100CD9707C278C9FFC7618
SHA1:	B23EEF11D7521721A7D6742202209E4FE0539566
SHA-256:	9C080A2F6D4EDF0E2E94F78550B9DB59ADF5B1B9166DE2BAE496E6ABB6733304
SHA-512:	E0760B3F227A3E7EAEB4816B8E02BEE51C62730D24403724D66B36BCCBC0BDCD56DF9EAB28B073AB727EE12C8856A858E52A9803E1A1C9164FCD3CF2F716D8AF
Malicious:	false
Preview:	.........$..e.....h.....i.....j.%...k.4...l.?...n.G...o.L...p.Y...q._...r.k...s.\|...t.....v.....w.....y.....z.....\|.....}.........................................................................#.....5.....I.....]...........b.................).......................e...........2.....K.................T.....p...........&.....U.....e...........%.....V.....f...........J.........................................O.......................Y..................................._.....u.............................n.......................J.......................'...............................................(.............................z.......................j.......................h.......................\|.................$.....w.......................M.....k.......................?.....Q...........).....f.................J.....i.................;.....c.....x...........1.....l...................................q.................?.................;.....N.............................p.............

C:\Users\user\AppData\Roaming\Snetchball\locales\sw.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	504856
Entropy (8bit):	5.34516819438501
Encrypted:	false
SSDEEP:
MD5:	9E038A0D222055FED6F1883992DCA5A8
SHA1:	8FA17648492D7F093F89E8E98BF29C3725E3B4B5
SHA-256:	DDCA575D659545D80E715EB4176BBBBFBD3F75E24B223537B53740B0DCB282BD
SHA-512:	FB70F97E08191DFEB18E8F1A09A3AB61687E326265B1349AB2EFF5055F57E177A496BF0EA3592B61C71FE1F73C9143CA1495B05226F36EB481024827CAE6DCC4
Malicious:	false
Preview:	........4$..e.^...h.f...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....m.............................?.................$.................2.....D...........7.......................P.......................A.....l.....{...........&.....U.....c...........0.....d..................................._.......................m.......................n.............................*.......................J.....r.......................>.....G.........................................A.....O.................4.....F.................G.....R.................).....6.................).....2.................\.....u...........(.....T.....p...........2.....c.................D.......................l.................B.............................j.................+.......................j...........?.....S...........5.....x...................................P.......................r...........%.

C:\Users\user\AppData\Roaming\Snetchball\locales\ta.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1298313
Entropy (8bit):	4.058495187693592
Encrypted:	false
SSDEEP:
MD5:	36104CB0D5E26E0BBB313E529C14F4B4
SHA1:	69A509DEE8419DA719DCF6DE78BFE0A6737508C5
SHA-256:	DC28C869A143424F71EDCFDB08B56DA31C2EC96E9D608535FFA7DC0B0842B7D8
SHA-512:	D46ED1AA19EB298BC4C3D61EFC28D80753D6B551F01808E6158A0869FAAE8755DF61D4B4BAFF1310DD09FCFC385ABA67E1AA7D61BBE399DF7BB2D483EBE0FEFF
Malicious:	false
Preview:	.........$..e.(...h.0...i.A...j.M...k.\...l.g...n.o...o.t...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................!.....(...../.....6.....7.....8.....=.....k.................:...........5...........$.....v...........`...........(...........Z.................%.............................O...........j.....L.........................................m...........u...................................;.....c...........7.................................................................8 ..... ....m!....I".....".....".....#.....$.....%....9%....d&....n'.....(....L(....C)....4..........*.....+.....,....3-....a-....Z.....J/...../...../.....0.....1....Z2.....2.....3....:5.....6....Z6....U7....=8.....8.....8.....9.....:.....:....F;.....<.....=.....=.....>....E?....S@.....@....[A....3B.....B....IC.....C.....D.....E....[F.....F....+H....>I.....J....pJ....\L....FN.....O.....O....DQ....QR.....S....{S.....T.....V.....V....'W....+X.....Y.....Y.....Y.....[....9\.....\

C:\Users\user\AppData\Roaming\Snetchball\locales\te.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1199612
Entropy (8bit):	4.314031920337284
Encrypted:	false
SSDEEP:
MD5:	98714389748A98ECC536CD2F17859BDF
SHA1:	07761AA31588F30C2CED4A1E31FE99DDC43A5E8D
SHA-256:	8A81B1A5457407E49D6372677938E7A2D28DFCA69F555FEDC8A2C9C09C333A65
SHA-512:	38CC4F064BD874EEC9DBFAB4C2A83A487FBCD89CEFB40BE4213C42231BC48AF9255341C9D325EE059BC50EE533898C5FA22CD3B3927A8E045049DEF3C5DFB2C6
Malicious:	false
Preview:	........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t. ...v.5...w.B...y.H...z.W...\|.]...}.o.....w.....\|.......................................................................X...........J...........\|...............................................f.........................................~.............................Y.............................A.............................d.....X.........../.....k.....b...........5...............................................'.......................L.....u ....:!.....!.....!.....".....#....$....k$.....%.....&....6'.....'.....(.....)........._*.....+....P,.....,.....-....'...........m/...../.....0.....1...."2....f2.....3.....4....R5.....5.....6....G7.....7.....7.....8....I9.....9.....9....{:....0;.....;....)<.....=.....>.....?.....?.....@....bA.....A.....B....JC....(D.....D.....D....DF.....F.....G.....G.....I....@K....qL.....L....4N....EO.....O....pP.....Q.....R....?S.....S.....T....^U.....U.....V....`W....[X.....Y

C:\Users\user\AppData\Roaming\Snetchball\locales\th.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1008989
Entropy (8bit):	4.356501290091745
Encrypted:	false
SSDEEP:
MD5:	56F29DE3465795E781A52FCF736BBE08
SHA1:	EAA406E5ED938468760A29D18C8C3F16CF142472
SHA-256:	529C561747BF8B6206BE4F8BCF287A1D15E1B14A33113242DDAD5E035CA37BE6
SHA-512:	519B5B3CC7032B2AF856456EEC25019B3A6A7F2A6DB7A0318CF87C41E08C6F6BFA73E239939B0DA16972C1D357FF06177765D875E19742D23E99A95FD4AC5416
Malicious:	false
Preview:	........i#P.e.....h.....i.....j.....k.....l.....o.....p.....q.....r.....s.0...t.9...v.N...w.[...y.a...z.p...\|.v...}.....................................................................................'.....{.......................^...........e...........f.................s...........I...........]...........P...........r.................{...........D.....]...........;...........$.................,.....}.....K...........v...........e...........r...........m.....................................................E.......................P.......................:.......................B.......................b.......................s.......................X.......................S..................!.....".....".....".....#....0$....\|$.....$....j%.....%....5&....l&.....'....z'.....'....!(....A).....)...............+.....,....H,....x,....M-.....-....6.....l.....k/...../....o0.....0.....1.....2....>3...._3.....4.....5....c6.....6.....7....n8.....8.....9.....9....f:.....:.....:.....;.....<....D=

C:\Users\user\AppData\Roaming\Snetchball\locales\tr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	515329
Entropy (8bit):	5.616482888977033
Encrypted:	false
SSDEEP:
MD5:	46CA9EE922C3C175DE466066F40B29CE
SHA1:	5563E236A15CD9CC44AE859165DF1E4E722936C7
SHA-256:	BD8B1441FD2057F0B61512CC0AA23DFD2619560CF886B4D453FA7472E7153A3F
SHA-512:	45AA2D6896568751C2F986ABD281EA07CB731880DF8F28F2F0AEFD95736F41B1E005D8DFB6F0AEF0CED6CEF94154D34FD0DA2CB7F0B0C66D9C085F5C47F32605
Malicious:	false
Preview:	........c$V.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.%...s.6...t.?...v.T...w.a...y.g...z.v...\|.\|...}...........................................................................................)...........L.................+.......................e........... .....;.................7.....J.......................)......................................... .....B...........5.....x.................Z.......................Q.....{.................w.................Q.................!.......................'.......................&....................... ................."...../.................5.....F.................9.....F.................2.....>.................7.....D...........I.......................v.......................i.......................P.......................q.................-.....z.......................m.................,.............................*.................B................."...........(.....n.................N.....~.................l.......

C:\Users\user\AppData\Roaming\Snetchball\locales\uk.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	876131
Entropy (8bit):	4.88404350774067
Encrypted:	false
SSDEEP:
MD5:	1365ABDD1EFB44720EA3975E4A472530
SHA1:	8421FC4905C592EB1269C5D524AA46866D617D3C
SHA-256:	29AB0F7EE69FB7A1E1E54DD2A3746D2CFEAAA71AE5971EE30AA8E2E0F6556FA5
SHA-512:	2E806A9BEA864E689BBD1D78B800DFDBC6E4109320F9A4790E52010BFDEC20C7644655A6FE3BABDE0B84D9580208CB78EF1FA0DB3476F8676C17A13D130296C7
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.'...s.8...t.A...v.V...w.c...y.i...z.x...\|.~...}.....................................................................................1.....s.....W.......................r...........x...........m.....!.......................<.............................n...........,.................-...........\|.............................=.....y.....+...........%.....K...................................w.............................N...................................r.................O...........N.................^...........\...............................................h...............................................R.....m.....f.....6.............................W.....y...........O.....x...........K...........j...........z .....!.....!.....".....".....#....R#.....#....&$.....$.....$.....%.....%....s&.....&.... '.....(.....(....~).....).....*....Q+.....+.....,.....,....Z-.....-.....-....[............/....4/.....0.....0....$1

C:\Users\user\AppData\Roaming\Snetchball\locales\ur.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	765853
Entropy (8bit):	5.17061834928747
Encrypted:	false
SSDEEP:
MD5:	3FED15E64BEAFBA75DE61B08A45AE106
SHA1:	E24953271D8C0254AD011D3A65B2C2FA57903681
SHA-256:	B6E250C3F4FBAC3AF5FB8BB1C61CACAD8685D7F2A97063DE23BC22E91B7F2E27
SHA-512:	3948D080135AFEB240815D43F7B5B8D407BA2830FF701D9B8343F2A72E610827EDAAB643444CDCEB86812ADFC9FB3FBA3AAD6DB7488843C2A04E92A3E63FE40D
Malicious:	false
Preview:	........1$..e.X...h.`...i.h...j.t...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.#.....+.....0.....8.....@.....H.....O.....V.....].....^....._.....d.....\|.............................n.....................................................).....^.......................<...........G.................J.................9...........E.................~...........{...........\...........L.....k.......................,.................9.....e.....C.......................>...................................8.....Z...........C.................;.................-...........L.................N.................1...........-.....y.........................................s............................p........... .......................i...........).....J.......................L...........M ..... ..... ....Y!.....!....4"....Z"....,#.....#....&$....W$....'%.....%....^&.....&....f'.....(.....(.....(.....)....3..............]+.....+.....,....F,.....,....z-.....-

C:\Users\user\AppData\Roaming\Snetchball\locales\vi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	609259
Entropy (8bit):	5.796202390024141
Encrypted:	false
SSDEEP:
MD5:	CD741C24AF7597E0DC11069D3AC324E0
SHA1:	2A883DFBCF48D5093D70D4B77BBFFFA521287334
SHA-256:	13E982DC4B2B1AEE093E96BA27E02258C2B815CBB062006A4396BB3A3E6A84B1
SHA-512:	6D27998E25B57FF0CE08C3590B69031038CBA390E68333A83514022B2C56B689AF8AD9715302824027864B5320852E9AB77D74E3B8A90DC66DF59F48CEB528C9
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r....s.;...t.D...v.Y...w.f...y.l...z.{...\|.....}...........................................................................................;.......................-...........A.................[...........O.....u...........v.................6.......................+.......................}...........G.....y.....9...........K.....y.............................z...........?.....V...................................T.................X.......................r...................................9.....J...........H.......................}.................'.......................<.......................O.............................Z................._..................................)........... .....V.....v.......................j...........N.................3...................................O.....v................./.....C.......................@...........) ....^ ....w ..... ....J!....}!.....!..../".....".....#....8#

C:\Users\user\AppData\Roaming\Snetchball\locales\zh-CN.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	441207
Entropy (8bit):	6.685712707138377
Encrypted:	false
SSDEEP:
MD5:	99E6ACFB46923C4F8B29058E9EE6166B
SHA1:	AF06C42E5F3578ADBC4F0BD7262DC6775FDD351F
SHA-256:	9D8498875263B19552A982D1850F2F942FF44AF4E323BC5A3A67C34413994D95
SHA-512:	4FDF5186FC2FC68210C2BE91F5B821F0979CA67D6C9B8915C14E7A20D3CE2548EB2660D5F9F398CF6C585A5C0725FA34FD3670F416F7C8A4F009C729BCF02988
Malicious:	false
Preview:	.........#..e.T...h.\...i.d...j.g...k.v...l.}...m.....o.....p.....q.....r.....s.....t.....v.....w.....\|.....}...............................(.....-.....5.....<.....C.....E.....J.....S....._.....q.................v.................1......................./.......................:.......................>.............................c.......................D.....j................._.......................n.......................T.....}.................@.....o.................V.......................5.....O.....i................."...........x.......................U.......................].......................=.......................".....s.......................L.....u.................g.......................W.....w.................3.....X.....o...........&.....J.....\.................=.....].............................y.......................y...................................N.....`...........,.....d.....y...........).....O.....^.............................\|.......................x.

C:\Users\user\AppData\Roaming\Snetchball\locales\zh-TW.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	439630
Entropy (8bit):	6.6906570508767995
Encrypted:	false
SSDEEP:
MD5:	BB7C995F257B9125457381BB01856D72
SHA1:	21C55FF5CBC4F223C23D5A2FBCC9E051DB78A44C
SHA-256:	F2299E03E99B0E9A9CACE3B1C72E6C8C5FE089487CA1C82F2AAF4273B62E37A2
SHA-512:	5247C5DA6F00DF6241500524DDB162041A03649FA0AFCC11AD40E820814958768A2E11CE34E1250FDBF42B2459F8C06B00AE7442B537F0731A62C6724FC8D890
Malicious:	false
Preview:	.........#,.e.....h.....i.)...j.-...k.<...l.G...n.O...o.T...p.\...q.b...r.n...s.....t.....v.....w.....y.....z.....\|.....}...................................................................%.....4.....C...........3.....q.................+.....T.....`........... .....R.....d.................M.....b.................3.....?.............................g.......................[.......................S.......................;.......................*.......................@.......................F.............................D.....d.....p.................2.....A.............................q.......................T.......................<.............................i.......................f.......................A.....[.....o.................!.............................u.......................^.............................h.......................P.........................................H.......................Z.......................$.....e.....z.................1.....X.....j...........#.

C:\Users\user\AppData\Roaming\Snetchball\log4net.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	275968
Entropy (8bit):	5.778490068583466
Encrypted:	false
SSDEEP:
MD5:	7EA1429E71D83A1CCAA0942C4D7F1C41
SHA1:	4CE6ACF4D735354B98F416B3D94D89AF0611E563
SHA-256:	EDEC54DA1901E649588E8CB52B001AB2AEC76ED0430824457A904FCC0ABD4299
SHA-512:	91C90845A12A377B617140B67639CFA71A0648300336D5EDD422AFC362E65C6CCD3A4FF4936D4262B0EAF7BAE2B9624BCD3C7EEC79F7E7CA18ABE1EC62C4C869
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.X...........!.....,..........~K... ...`....... ..............................H.....@.................................$K..W....`...............................I............................................... ............... ..H............text....+... ...,.................. ..`.rsrc........`......................@..@.reloc...............4..............@..B................`K......H...........<x...............-..P .......................................i.)V.#c....e../.`...V....j>....?.LbrzKV.x.}...........[.f)..dD`..66.61[.z....W^....>F..r...#. ..g...T...P....Ss)ii.a.v.(0.....(1...o2...s....}.......0..7........{....-%~....r...p.{....r9..p(3...(.....(.......(4.............//........{...."..}......{........0..4..........%...(5....-.~....r?..p(....+...}.......,..(6............')........{......{...."..}.......{...."..}....*.0..........

C:\Users\user\AppData\Roaming\Snetchball\log4net.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1547797
Entropy (8bit):	4.370092880615517
Encrypted:	false
SSDEEP:
MD5:	32AB4E0A9A82245EE3B474EF811F558F
SHA1:	9F2C4C9EEB5720D765F2321ACD0FF9F8DD11E6A4
SHA-256:	9BBF4D15F8FB11F7D2C032BD920D2A33B2C2CB8EF62E7E023049AF6132F5D6C1
SHA-512:	A0574A170F69F9926C32BAF6119A16A381FEC9E881B304082859EE7CFF463570C78984EE14369C59CDB19E532B3ABF193D02B462F1B40D07214B6244150CD63F
Malicious:	false
Preview:	<?xml version="1.0"?>..<doc>.. <assembly>.. <name>log4net</name>.. </assembly>.. <members>.. <member name="T:log4net.Appender.AdoNetAppender">.. <summary>.. Appender that logs to a database... </summary>.. <remarks>.. <para>.. <see cref="T:log4net.Appender.AdoNetAppender"/> appends logging events to a table within a.. database. The appender can be configured to specify the connection .. string by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionString"/> property. .. The connection type (provider) can be specified by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionType"/>.. property. For more information on database connection strings for.. your specific database see <a href="http://www.connectionstrings.com/">http://www.connectionstrings.com/</a>... </para>.. <para>.. Record

C:\Users\user\AppData\Roaming\Snetchball\natives_blob.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	342741
Entropy (8bit):	5.496697631795104
Encrypted:	false
SSDEEP:
MD5:	A58DB728B50E6B82CBDCAA0DB61D36B1
SHA1:	7CD76526CB29A0FF5350A2B52D48D1886360458B
SHA-256:	BA2F2AC6AE9BC67399728F25772A0EB3E840695395CC747ADF4B2F8B5D6D9A46
SHA-512:	0DB9AFBDADA44364521D89BAB6055458125F4F3C8C1B09048EAFA4055A194231CCFFD82FCDADA9360AB2B19F472B893330EBFCB027391E7A0C2B1100FC51E673
Malicious:	false
Preview:	..mirrors....(function(a,b){."use strict";.var c=a.Array;.var d=a.isNaN;.var e=a.JSON.stringify;.var f;.var g;.var h=b.ImportNow("promise_state_symbol");.var i=b.ImportNow("promise_result_symbol");.var j;.var k;.b.Import(function(l){.f=l.MapEntries;.g=l.MapIteratorNext;.j=l.SetIteratorNext;.k=l.SetValues;.});.var m={.UNDEFINED_TYPE:'undefined',.NULL_TYPE:'null',.BOOLEAN_TYPE:'boolean',.NUMBER_TYPE:'number',.STRING_TYPE:'string',.SYMBOL_TYPE:'symbol',.OBJECT_TYPE:'object',.FUNCTION_TYPE:'function',.REGEXP_TYPE:'regexp',.ERROR_TYPE:'error',.PROPERTY_TYPE:'property',.INTERNAL_PROPERTY_TYPE:'internalProperty',.FRAME_TYPE:'frame',.SCRIPT_TYPE:'script',.CONTEXT_TYPE:'context',.SCOPE_TYPE:'scope',.PROMISE_TYPE:'promise',.MAP_TYPE:'map',.SET_TYPE:'set',.ITERATOR_TYPE:'iterator',.GENERATOR_TYPE:'generator',.}.var n=0;.var o=-1;.var p=[];.var q=true;.function MirrorCacheIsEmpty(){.return n==0&&p.length==0;.}.function ToggleMirrorCache(r){.q=r;.ClearMirrorCache();.}.function ClearMirrorCache(r){.

C:\Users\user\AppData\Roaming\Snetchball\resources.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	8226870
Entropy (8bit):	7.996842728494533
Encrypted:	true
SSDEEP:
MD5:	F7EC58AEA756F3FD8A055AC582103A78
SHA1:	086B63691F5E5375A537E99E062345F56512A22C
SHA-256:	517418184EA974C33FFE67B03732D19B1234DCB9E5C1C2E9E94ED41B3BC1D064
SHA-512:	C620C6E16BBCEE9BC607E6CA75D602C756276AC69E5F3761D82DE7728164133656A71A69043EB1A86CE3051FDE4327A47EFD41D1FF47C8385699CA67C423AD7B
Malicious:	false
Preview:	............f.6:..{..D..\|..G..~. K.....]....._....=.....c...........9.....B.............................F.....K/.....2....54....r5.....6.....?.....@....jB.....C....hD.....E.....H....nj.....k.....r....@~...."..........W.....................;..../;'...2;P...7;....8;....C;....D;U...E;....F;....G;A,..H;.;..I;gK..J;.Z..K;.h..L;.}..M;y...N;{...O;z...P;....Q;8...R;....S;....T;C'..U;.=..V;.W..W;.m..X;....Y;....Z;D...[;....\;....];.....<.....<x....<.....<-....<\....<.....<.....<.....<.....<*(...< /...<+3...<.3..I=.3..J=.7..K=.9..R= >..S=.G..T=}V..[=;w..\=.x..]=.}..^=R..._=....`=....a=....b=....c=....e=:...f=.....=....=.....=....=`....=p....=.....=.....=.....=.....=.....=K....=.....=t....=.....=.....=.....=\....=Z....=.....=T....=[....=x....=.....=.....=D....=.....=.....=.....=l....=F....=.'...=j)...>.+...>l,...>_0...>.2...>.6...>.8..N>.\..O>~^..P>._..Q>%d..R>.k..S>.l..T>Tn..U>.p..b>.u..c>/y..d>.\|..B@....C@....D@o...E@....F@W...L@Z...M@(...N@...O@....D.....D ....D ....D;....D.....D....D..

C:\Users\user\AppData\Roaming\Snetchball\snapshot_blob.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	276319
Entropy (8bit):	4.242318669799302
Encrypted:	false
SSDEEP:
MD5:	8234983533FA47D2A1D7710FF8274299
SHA1:	E4C5793B6FE6A6C6C9D8E3921B3BC341AE3448D8
SHA-256:	F95553D8066144CBB8A05EED1735C94A4B97A2E44E49F624C2302990A13017C9
SHA-512:	1E7E201B0FF9AFA7821B5FFD0A36548A49CD4DBBABA5858E13DA35058670A5053723DD3544B2FD85C619F2B8FC9E5DB48DF977BB293E7BA7DE6F22CC8DAB28CA
Malicious:	false
Preview:	.........X./j1N.11.8.172.9.......................................................@...y...........@..`....`....`....`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\start.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	4.231401845392171
Encrypted:	false
SSDEEP:
MD5:	E5115ED028681179F3E7FD7894FC72DC
SHA1:	4C90ABD5666715DFE192D140C0CBBB01B8689CFC
SHA-256:	240EA501F56EE9DDE9A771C64F9782057755EA33A90082E1BDD46537830B29F1
SHA-512:	93DACBFA668E0F138C69B4ACB19A9410AB90C10EC7AF5FA9C37BC8F24E4088A202E76452E8542E81EFF7B0A8D6F49CC736D1D6DE79A3D41D24A6F52A1D70C4D3
Malicious:	false
Preview:	start Snetchball.exe INHuMbol8

C:\Users\user\AppData\Roaming\Snetchball\swiftshader\Xilium.CefGlue.pdb

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	MSVC program database ver 7.00, 512*4023 bytes
Category:	dropped
Size (bytes):	2059776
Entropy (8bit):	4.067542396670122
Encrypted:	false
SSDEEP:
MD5:	70F9EAEA8A2A604E59F72EDE66F83AB4
SHA1:	0AB9EA1BFFDFF471EC22AB289C7FBC5E0CDF48BF
SHA-256:	38A07BA75CC2BBDF715CA87D380A4E5A0DCFAF9C30C5ECD30F6107871D51825B
SHA-512:	47DE4DAD93385A4907FADE307040FE026ED66989C0C9915AFC96CB2BC93DE5E106DC1274E4AD2382021C758C60FEDE06D68998CF3591E23E2951778CE09D6D4C
Malicious:	false
Preview:	Microsoft C/C++ MSF 7.00...DS................J..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\swiftshader\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346624
Entropy (8bit):	6.54104466243173
Encrypted:	false
SSDEEP:
MD5:	7A53AD3E5D2E65C982450E7B7453DE8A
SHA1:	99F27E54F1F61207C02110CAC476405557A8AD54
SHA-256:	24FDDD6A367792A9D86D9060FC9AA459B5FB0F67804CB7D139A100D86BBDAFF8
SHA-512:	2B5E5DB46FDC787CB46CDAEBFFC01586E248FBB864677B27AF03CDC33E956DEF51B3F836597E7092C4175CF605C44728C6F96B74BB2C9870E9715D4AF4C531A1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.........T............................................................@A....................................P....p...........................3..4.......................8........G...............................................text............................... ..`.rdata..............................@..@.data....4..........................@....00cfg.......@......................@..@.tls.........P......................@....voltbl......`...........................rsrc........p......................@..@.reloc...3.......4..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\swiftshader\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2445312
Entropy (8bit):	6.750207745422387
Encrypted:	false
SSDEEP:
MD5:	334C3157E63A34B22CCE25A44A04835F
SHA1:	C6B05BD55BE9FED3B0C5077C5649E2A41C10DC08
SHA-256:	3E307570B574469EC8BCF1CE6D5291DF8D627CA3812F05AACFEBBD3F00B17F89
SHA-512:	11F538ADD05515861891892EBB90163B6540B72FEB380D64B4A0AA56C6415E3B71374557BF50D0B936712B1006F2B94D59BEBFBF18CBF93BB883D9055CAAEEE9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.....4 .................................................p*...........@A..........................#.. ....$.d....P)......................`).......#.......................#......."...............$.P............................text.../2 ......4 ................. ..`.rdata..\....P ......8 .............@..@.data...L....@$...... $.............@....00cfg....... )......>$.............@..@.tls.........0)......@$.............@....voltbl.M....@)......B$..................rsrc........P)......D$.............@..@.reloc.......`)......H$.............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\v8_context_snapshot.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	631017
Entropy (8bit):	5.144793130466209
Encrypted:	false
SSDEEP:
MD5:	0794DF29DF8DFC3ECE5C443F864F5AEB
SHA1:	BFD4A9A34BEB9751BC4203FB9A9172F1F05E5B16
SHA-256:	3EE2237E9B14871165B051CCF892C8375E45B5F12841E02F4B9D37F5D5A03283
SHA-512:	0D34E36F7455B977F086F04840FBA679284A619A7164A56B5C7FC2ADCB23A231B67A62101540EB07CF5C8192790266B08D2CC232D291621C331FE77C1F5E52C0
Malicious:	false
Preview:	..........d..<..11.8.172.9......................................................@...]!...S..y...-[..........`....`....`T...`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\vk_swiftshader.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4400640
Entropy (8bit):	6.667314807988382
Encrypted:	false
SSDEEP:
MD5:	7F913E31D00082338F073EF60D67B335
SHA1:	AC831B45F2A32E23BA9046044508E47E04CDA3A4
SHA-256:	B60E9818C4EA9396D0D2D2A4AC79C7DC40D0DFF6BB8BC734D0AB14ADC30FBF30
SHA-512:	E1AC79C775CF9137283CD2C1AE1A45EC597E0351CDB9C11D483E2E1F8B00CC2BBC5807A50DED13A3A5E76F06C1A565EFF1233F4EC727B0C5F7AA3BEAEA906750
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....$5.........P.-......................................PD...........@A........................8=?.~....\?.P.... B......................0B.X.....?.....................H.?......@5.............._?..............................text...T#5......$5................. ..`.rdata...a...@5..b...(5.............@..@.data...@N....?..x....?.............@....00cfg........B.......A.............@..@.tls....5.....B.......A.............@....rsrc........ B.......A.............@..@.reloc..X....0B.......A.............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\vk_swiftshader_icd.json

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.724752649036734
Encrypted:	false
SSDEEP:
MD5:	8642DD3A87E2DE6E991FAE08458E302B
SHA1:	9C06735C31CEC00600FD763A92F8112D085BD12A
SHA-256:	32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
SHA-512:	F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
Malicious:	false
Preview:	{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}

C:\Users\user\AppData\Roaming\Snetchball\vulkan-1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	826368
Entropy (8bit):	6.78646032943732
Encrypted:	false
SSDEEP:
MD5:	A031EB19C61942A26EF74500AD4B42DF
SHA1:	FDC6EA473234F153639E963E8EFB8D028DA1BE20
SHA-256:	207706A3A3FAA8500F88CB034B26413074EFC67221A07C5F70558F3C40985A91
SHA-512:	80F843E47FC2B41B17EF6EA1BB2BB04119B2417311599EC52120D9F9DF316B4D7B1DAF97EE5CDF2AE78CDB9475E5C65255A7F2AB2A9231804F6A82C83303FD19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....\|..........@.....................................................@A...........................<!..$...P....p..............................l..............................................P................................text....z.......\|.................. ..`.rdata..tr.......t..................@..@.data....7..........................@....00cfg.......P......................@..@.tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Snetchball\widevinecdmadapter.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211456
Entropy (8bit):	6.566524833521835
Encrypted:	false
SSDEEP:
MD5:	6D7FD214164C858BBCF4AA050C114E8C
SHA1:	B8868DA6BB9A79EE7C9901A9BFAC580D5BAFCC96
SHA-256:	3F58FB22BD1A1159C351D125BEE122A16BB97BABB5FCA67FDBD9AAAED3B302E6
SHA-512:	0F8F2523C3A616AC7C72A1239B7E353F6A684FF75DA79D1CAF9B98A47FF6FE06329165825704C67C04E92073BA2C17D0FF339C57731DDF0F1489C2E97D1D0A14
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^..._...^..._q..^..._..^..._..^..._..^..._..^k.._...^..._...^...^...^k.._...^k.._...^n..^...^k.._...^Rich...^........................PE..L...Ua.X.........."!.........(......c........0............................................@.................................x...<....@.......................P..T"......8...............................@............0..0............................text............................... ..`.rdata..`....0....... ..............@..@.data...............................@....gfids.......0......................@..@.rsrc........@......................@..@.reloc..T"...P...$..................@..B........................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	5.607671703383717
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HDKuOe.exe
File size:	306'019 bytes
MD5:	4ebffced85203bc1c3c5d9f3afd1045d
SHA1:	35b481018a1087dac0fb57590a57175f51783a34
SHA256:	5310a58317bf00aff0e0d9d6f2008b3389c5298b2c53513fc3ba08e887fca864
SHA512:	399315951deecf039072779a28fa536b611895cdda6fd570652ddecc6be0322973dc335169955ae0d3018a5687a18aeab45fbfbf80a2a12cdfe0b47080fe8bc8
SSDEEP:	3072:DFi6z/VXzAf3oc3J6Y5r/ZUx9hF/arYwJEn1ppaNcAu09g4brjqCtDHkLHd9g0z/:DxFSjJhr/ZUX15aNX9gm/qC50I0b
TLSH:	FF5439003920A442E5D02B320F51FA3A4FD2ACAFC6AD151EB9D9FEDB71BE1C38595716
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@

File Icon


Icon Hash:	31246d7b2d4a9974

Static PE Info

General

Entrypoint:	0x4034cc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9B02 [Sat Sep 25 21:56:18 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f10e4da994053bf80c20cee985b32e29

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000220h
push esi
push edi
xor edi, edi
push 00008001h
mov dword ptr [ebp-10h], edi
mov dword ptr [ebp-04h], 0040A130h
mov dword ptr [ebp-08h], edi
mov byte ptr [ebp-0Ch], 00000020h
call dword ptr [004080B0h]
mov esi, dword ptr [004080C0h]
lea eax, dword ptr [ebp-000000C0h]
push eax
mov dword ptr [ebp-000000ACh], edi
mov dword ptr [ebp-2Ch], edi
mov dword ptr [ebp-28h], edi
mov dword ptr [ebp-000000C0h], 0000009Ch
call esi
test eax, eax
jne 00007F53848A6641h
lea eax, dword ptr [ebp-000000C0h]
mov dword ptr [ebp-000000C0h], 00000094h
push eax
call esi
cmp dword ptr [ebp-000000B0h], 02h
jne 00007F53848A662Ch
movsx cx, byte ptr [ebp-0000009Fh]
mov al, byte ptr [ebp-000000ACh]
sub ecx, 30h
sub al, 53h
mov byte ptr [ebp-26h], 00000004h
neg al
sbb eax, eax
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-000000B0h], 02h
jnc 00007F53848A6624h
and byte ptr [ebp-26h], 00000000h
cmp byte ptr [ebp-000000ABh], 00000041h
jl 00007F53848A6613h
movsx ax, byte ptr [ebp-000000ABh]
sub eax, 40h
mov word ptr [ebp-2Ch], ax
jmp 00007F53848A6606h
mov word ptr [ebp-2Ch], di
cmp dword ptr [ebp-000000BCh], 0Ah
jnc 00007F53848A660Ah
and word ptr [ebp+00000000h], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8438	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x36000	0x3bec8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x639f	0x6400	7224e998fe56f3bd47d63fbbb07b7c8a	False	0.6683203125	data	6.446278846973847	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1276	0x1400	f7ab432379f1255f04a3e990ba282ef1	False	0.4333984375	data	5.054263249154582	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1a858	0x600	8e1e6b6bb7da1113950a0aab31a168c0	False	0.4427083333333333	data	4.079691703439067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x25000	0x11000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x36000	0x3bec8	0x3c000	de1d34e860de835ed011a4e53eba1ae3	False	0.46851806640625	data	5.041975713610549	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x36340	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.14552525730509877
RT_ICON	0x46b68	0xd643	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	English	United States	0.9810942371150936
RT_ICON	0x541b0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.20233340340550768
RT_ICON	0x5d658	0x64cf	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9913201844460805
RT_ICON	0x63b28	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.2493992606284658
RT_ICON	0x68fb0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.2512990080302315
RT_ICON	0x6d1d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.316804979253112
RT_ICON	0x6f780	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3876641651031895
RT_ICON	0x70828	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.46762295081967215
RT_ICON	0x711b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5469858156028369
RT_DIALOG	0x71618	0x202	data	English	United States	0.4085603112840467
RT_DIALOG	0x71820	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x71918	0xee	data	English	United States	0.6302521008403361
RT_GROUP_ICON	0x71a08	0x92	data	English	United States	0.7191780821917808
RT_MANIFEST	0x71aa0	0x423	XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators	English	United States	0.5127478753541076

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, SetWindowPos, SetCursor, GetSysColor, SetClassLongA, GetWindowLongA, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersionExA, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	16:21:46
Start date:	31/08/2024
Path:	C:\Users\user\Desktop\HDKuOe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HDKuOe.exe"
Imagebase:	0x400000
File size:	306'019 bytes
MD5 hash:	4EBFFCED85203BC1C3C5D9F3AFD1045D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:23:05
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\setup.exe"
Imagebase:	0x400000
File size:	107'389'293 bytes
MD5 hash:	12F9523E0ADA8BDABC28FA142D6E56BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 9%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:23:29
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Imagebase:	0x700000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 8%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	16:23:33
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2900 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Imagebase:	0xc30000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:23:33
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3192 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Imagebase:	0x90000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:23:33
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3248 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Imagebase:	0xfa0000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:23:33
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725130857939097 --launch-time-ticks=4955405705 --mojo-platform-channel-handle=3420 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:	0x190000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:23:33
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725130857939097 --launch-time-ticks=4955424672 --mojo-platform-channel-handle=3620 --field-trial-handle=2940,i,7047207659746740151,503440314847507221,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:	0xc90000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:23:40
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x870000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	16:23:42
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x860000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	16:23:42
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0xb30000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	16:23:42
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0xdb0000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	16:23:43
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x790000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	16:23:43
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0xa50000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	16:23:43
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x7a0000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	16:23:43
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x280000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	16:23:44
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0xbc0000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	16:23:44
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x4f0000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	16:23:44
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0xfc0000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	16:23:44
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x410000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	16:23:45
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x200000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	16:23:45
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0xda0000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	16:23:45
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x400000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	16:23:45
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x760000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	16:23:45
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x3c0000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	16:23:46
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x500000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	16:23:46
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x640000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	16:23:46
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x610000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	16:23:46
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0xe30000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	16:23:47
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0xe90000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	16:23:47
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x860000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	16:23:47
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x9e0000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	16:23:47
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x610000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	16:23:47
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x810000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	16:23:48
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x20000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	16:23:48
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe"
Imagebase:	0x5e0000
File size:	360'960 bytes
MD5 hash:	A011E4E8E7502FDFCD1C52A98392FF46
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.6%
Total number of Nodes:	1451
Total number of Limit Nodes:	37

Executed Functions

Function 004034CC Relevance: 94.9, APIs: 34, Strings: 20, Instructions: 417
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008001), ref: 004034EF
GetVersionExA.KERNEL32(?), ref: 00403518
GetVersionExA.KERNEL32(0000009C), ref: 0040352F
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F8
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403635
OleInitialize.OLE32(00000000), ref: 0040363C
SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040365A
GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 0040366F
CharNextA.USER32(00000000,"C:\Users\user\Desktop\HDKuOe.exe",00000020,"C:\Users\user\Desktop\HDKuOe.exe",00000000,?,00000007,00000009,0000000B), ref: 004036A9
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037A2
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037B3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037BF
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037D3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037DB
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037EC
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004037F4
DeleteFileA.KERNEL32(1033,?,00000007,00000009,0000000B), ref: 00403808
ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038AE
OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038B3
ExitProcess.KERNEL32 ref: 004038D4
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\HDKuOe.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038E7
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\HDKuOe.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038F6
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\HDKuOe.exe",00000000,?,?,00000007,00000009,0000000B), ref: 00403901
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 0040390D
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403929
DeleteFileA.KERNEL32(0041F910,0041F910,?,00425000,?,?,00000007,00000009,0000000B), ref: 00403986
CopyFileA.KERNEL32(C:\Users\user\Desktop\HDKuOe.exe,0041F910,00000001), ref: 0040399B
CloseHandle.KERNEL32(00000000,0041F910,0041F910,?,0041F910,00000000,?,00000007,00000009,0000000B), ref: 004039C8
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004039F6
OpenProcessToken.ADVAPI32(00000000), ref: 004039FD
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A11
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A30
ExitWindowsEx.USER32(00000002,80040002), ref: 00403A55
ExitProcess.KERNEL32 ref: 00403A76

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403797, 0040379C, 004037B2, 004037BE, 004037CD, 004037DA, 004037E6, 004037EE, 004038E4, 004038F5, 00403900, 0040390C, 00403919, 00403928, 004039DD
TEMP, xrefs: 004037E7
1033, xrefs: 00403803
", xrefs: 004036CC
.tmp, xrefs: 004038FB
~nsu, xrefs: 004038DF
A, xrefs: 0040356A
C:\Users\user\AppData\Roaming\Sketchball, xrefs: 00403787, 00403886, 0040392F, 00403939
C:\Users\user\AppData\Roaming\Snetchball\update, xrefs: 00403891
"C:\Users\user\Desktop\HDKuOe.exe", xrefs: 00403675, 0040367B, 0040382A
SeShutdownPrivilege, xrefs: 00403A0B
NSIS Error, xrefs: 00403660
UXTHEME, xrefs: 004035EC, 004035F1, 004035F7
Error launching installer, xrefs: 0040386C
C:\Users\user\Desktop\HDKuOe.exe, xrefs: 00403996
C:\Users\user\Desktop, xrefs: 00403906, 0040390B, 00403938
Low, xrefs: 004037D5
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034E1
TMP, xrefs: 004037EF
\Temp, xrefs: 004037B9

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "$"C:\Users\user\Desktop\HDKuOe.exe"$.tmp$1033$A$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Sketchball$C:\Users\user\AppData\Roaming\Snetchball\update$C:\Users\user\Desktop$C:\Users\user\Desktop\HDKuOe.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2882342585-4079823142
Opcode ID: d8607602e3c077556342ba5fadc775b1d1828e72ea1310baa32c0a7e59fa0962
Instruction ID: 1a4863036e4e50ed5e1acae1e6299f6db15da00d6e87979e5214c03ba8a99dba
Opcode Fuzzy Hash: d8607602e3c077556342ba5fadc775b1d1828e72ea1310baa32c0a7e59fa0962
Instruction Fuzzy Hash: 99E1D270A04354AADB21AF659D49B6F7EB89F86306F0540BFF441B61D2CB7C4A05CB2E

Function 100010D0 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(?), ref: 100010F2

Strings

KERNEL32.DLL, xrefs: 10001225
Process32Next, xrefs: 10001255
CreateToolhelp32Snapshot, xrefs: 10001243
NtQuerySystemInformation, xrefs: 1000113B
Process32First, xrefs: 1000124B
NTDLL.DLL, xrefs: 10001127

Memory Dump Source

Source File: 00000000.00000002.2889947865.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2889930907.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2889964364.0000000010002000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2889980692.0000000010004000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_HDKuOe.jbxd

Similarity

API ID: Version
String ID: CreateToolhelp32Snapshot$KERNEL32.DLL$NTDLL.DLL$NtQuerySystemInformation$Process32First$Process32Next
API String ID: 1889659487-877962304
Opcode ID: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
Instruction ID: 3df706415bff85d1043f51983ae3f68c733976b3404a17f8fb4488dcc6387507
Opcode Fuzzy Hash: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
Instruction Fuzzy Hash: 19715871900659EFFB11DFA4CC88ADE3BEAEB483C4F250026FA19D2159E6358E49CB50

Function 00405B4A Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNEL32(?,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\HDKuOe.exe"), ref: 00405B73
lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\HDKuOe.exe"), ref: 00405BBB
lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\HDKuOe.exe"), ref: 00405BDC
lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\HDKuOe.exe"), ref: 00405BE2
FindFirstFileA.KERNEL32(00421D58,?,?,?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\HDKuOe.exe"), ref: 00405BF3
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CA0
FindClose.KERNEL32(00000000), ref: 00405CB1

Strings

\*.*, xrefs: 00405BB5
"C:\Users\user\Desktop\HDKuOe.exe", xrefs: 00405B53

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\HDKuOe.exe"$\*.*
API String ID: 2035342205-2904694823
Opcode ID: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
Instruction ID: 9e5d3321e74a3647b1fb2cdcf4bec0a51507e3563529971eb59e862f6dba24c5
Opcode Fuzzy Hash: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
Instruction Fuzzy Hash: 2B519130908B04AAEB316B61CC49BAF7AB8DF82755F14813FF851B51D2C73C5982DE69

Function 00406A88 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
Instruction ID: c2ee61ea0ab5e5811791f69f03c7ffba3fbd093a674906ee4b434ab4c587e2e9
Opcode Fuzzy Hash: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
Instruction Fuzzy Hash: 0FF18A70D04269CBDF28CF98C8946ADBBB0FF44305F24816ED856BB281D7786A86DF45

Function 004066FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(74DF3410,004225A0,C:\,00405E4B,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0), ref: 0040670A
FindClose.KERNEL32(00000000), ref: 00406716

Strings

C:\, xrefs: 004066FF

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
Instruction ID: 083b1303d1f5dd1ba3b50291930e0491dd498af142a60d7bee4daa0eb941c193
Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
Instruction Fuzzy Hash: B3D01231515120BBC3405B38AE0C95B7E589F093747618A36F066F22E4DB74CC6286AC

Function 00403B6E Relevance: 49.2, APIs: 13, Strings: 15, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406794: GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
Part of subcall function 00406794: GetProcAddress.KERNEL32(00000000,?), ref: 004067C1

lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\HDKuOe.exe",00000009,0000000B), ref: 00403BE9
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,?,?,?,C:\Users\user\AppData\Local\Temp\setup.exe,00000000,C:\Users\user\AppData\Roaming\Sketchball,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74DF3410), ref: 00403C5E
lstrcmpiA.KERNEL32(?,.exe), ref: 00403C71
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,?,"C:\Users\user\Desktop\HDKuOe.exe",00000009,0000000B), ref: 00403C7C
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Sketchball), ref: 00403CC5

Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3

RegisterClassA.USER32(00423EE0), ref: 00403D02
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D1A
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D4F
ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\Desktop\HDKuOe.exe",00000009,0000000B), ref: 00403D85
GetClassInfoA.USER32(00000000,RichEdit20A,00423EE0), ref: 00403DB1
GetClassInfoA.USER32(00000000,RichEdit,00423EE0), ref: 00403DBE
RegisterClassA.USER32(00423EE0), ref: 00403DC7
DialogBoxParamA.USER32(?,00000000,00403F0B,00000000), ref: 00403DE6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B73
1033, xrefs: 00403B8E, 00403BE4
PB, xrefs: 00403B9A
C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00403C2C, 00403C34, 00403C41, 00403C8B, 00403C91
.DEFAULT\Control Panel\International, xrefs: 00403BD4
C:\Users\user\AppData\Roaming\Sketchball, xrefs: 00403BF8, 00403C00, 00403C98, 00403C9E, 00403CAE
.exe, xrefs: 00403C6B
Control Panel\Desktop\ResourceLocale, xrefs: 00403BA2
"C:\Users\user\Desktop\HDKuOe.exe", xrefs: 00403B71
RichEd20, xrefs: 00403D8B
_Nb, xrefs: 00403CE1, 00403D49
RichEdit, xrefs: 00403DB8
>B, xrefs: 00403CD4
RichEd32, xrefs: 00403D99
RichEdit20A, xrefs: 00403DA9, 00403DAF

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\HDKuOe.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\Sketchball$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$>B
API String ID: 1975747703-1213481760
Opcode ID: dbde64bc3a376ab52a9cb3762a64ce6a0c2f330f4a95e62c6433b020d27b21d7
Instruction ID: 5836c5bb6a6ef8c4ff0aed12ec42ff3eebf2d58129c507535c8ab2622d1094a3
Opcode Fuzzy Hash: dbde64bc3a376ab52a9cb3762a64ce6a0c2f330f4a95e62c6433b020d27b21d7
Instruction Fuzzy Hash: 4F61D670204200AED620AF65AD45F3B3A7CEB8574AF41453FF951B62E2CB7D9D028B6D

Function 00402F5C Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F70
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\HDKuOe.exe,00000400), ref: 00402F8C

Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\Desktop\HDKuOe.exe,80000000,00000003), ref: 00405F1F
Part of subcall function 00405F1B: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\HDKuOe.exe,C:\Users\user\Desktop\HDKuOe.exe,80000000,00000003), ref: 00402FD5
GlobalAlloc.KERNEL32(00000040,00000009), ref: 00403117

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040312F
Error launching installer, xrefs: 00402FAC
C:\Users\user\Desktop\HDKuOe.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
C:\Users\user\Desktop, xrefs: 00402FB7, 00402FBC, 00402FC2
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403160
Null, xrefs: 00403053
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004031AE
soft, xrefs: 0040304A
Inst, xrefs: 00403041
"C:\Users\user\Desktop\HDKuOe.exe", xrefs: 00402F65

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\HDKuOe.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\HDKuOe.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3780857284
Opcode ID: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
Instruction ID: 8a05da1d373fd2b3e089436e62a275652004ed3b6aa6cfe031be989f12afac8e
Opcode Fuzzy Hash: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
Instruction Fuzzy Hash: 0771E231A01218ABDB20EF65DD85B9E7BACEB44356F10813BF910BA2C1D77C9E458B5C

Function 0040641B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,00000400), ref: 00406549
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,00000400,?,00420530,00000000,004054E1,00420530,00000000), ref: 0040655C
SHGetSpecialFolderLocation.SHELL32(004054E1,00000000,?,00420530,00000000,004054E1,00420530,00000000), ref: 00406598
SHGetPathFromIDListA.SHELL32(00000000,C:\Users\user\AppData\Local\Temp\setup.exe), ref: 004065A6
CoTaskMemFree.OLE32(00000000), ref: 004065B2
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D6
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,?,00420530,00000000,004054E1,00420530,00000000,00000000,00000000,00000000), ref: 00406628

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406518
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D0
C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00406445, 00406515, 00406516, 00406517, 00406533, 00406548, 0040655B, 00406577, 004065A2, 004065D5, 004065DB, 004065F3, 00406606, 00406621, 00406627, 0040662F, 00406659

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\setup.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-2918284280
Opcode ID: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
Instruction ID: f38e20b3a3e0c1a2470d5ac0c6d90f06be75126661b475aa23e0086d5b044b98
Opcode Fuzzy Hash: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
Instruction Fuzzy Hash: 9F612370900114AEDF205F24EC90BBA3BA4EB52314F52403FE913B62D1D37D8A62DB4E

Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\Snetchball\update,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\Snetchball\update,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Strings

C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\INetC.dll, xrefs: 00401826, 00401842
C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Roaming\Snetchball\update, xrefs: 00401786

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\INetC.dll$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\Snetchball\update
API String ID: 1941528284-4174941891
Opcode ID: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
Instruction ID: 0d76be79c55a0237b493b10f9ec5be6125ba7ce9be49b25e4c886387d44134cc
Opcode Fuzzy Hash: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
Instruction Fuzzy Hash: E141B731900615BBCB107BB5CC45DAF3668EF45329B61833BF422F10E1D67C8A529AAE

Function 0040596F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
GetLastError.KERNEL32 ref: 004059C6
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004059DB
GetLastError.KERNEL32 ref: 004059E5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405995
!9@, xrefs: 00405984

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: !9@$C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-2369717338
Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction ID: 4cd508ff09270142ca7a6984d66ae253fefa4e1f6983b248f3af4f59f5a14231
Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction Fuzzy Hash: 610108B1D00259DAEF109BA0CA45BEFBBB8EB04354F00403AD645B6290D7789648CF99

Function 00406726 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
wsprintfA.USER32 ref: 00406776
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A

Strings

UXTHEME, xrefs: 0040672F
\, xrefs: 0040674E
%s%s.dll, xrefs: 00406770

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction ID: 0c3db372634d2cfba6f48721b0c795b31ebca02323a8b7d7371d162bf0ec7b9a
Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction Fuzzy Hash: FBF0FC7050021966DB15A764DD0DFEA365CAB08309F1404BEA586E20C1D6B8D5258B69

Function 004068D9 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 004068E3

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID:
String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
API String ID: 0-292220189
Opcode ID: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
Instruction ID: 8182d74baebb800b0d472bca2432a1a472ea96a2662ae7b36db949844af6c4d7
Opcode Fuzzy Hash: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
Instruction Fuzzy Hash: DF815971E04228DBEF24CFA8C844BADBBB1FF44305F10816AD956BB281C7786986DF45

Function 00403305 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403319

Part of subcall function 00403484: SetFilePointer.KERNEL32(00000000,00000000,00000000,00403182,?), ref: 00403492

SetFilePointer.KERNEL32(00000000,00000000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 0040334C
SetFilePointer.KERNEL32(?,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000), ref: 00403447

Strings

o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00403379, 0040337F

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
API String ID: 1092082344-292220189
Opcode ID: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
Instruction ID: 5f41a1ef9683aad456499e8308d87ccfcfa217f8aa92108fcff4f05b83e24891
Opcode Fuzzy Hash: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
Instruction Fuzzy Hash: 1F319F72A002059FC711BF2AFE849663BACE741356710C13BE814B62F0CB3859458FAD

Function 00405F4A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F5E
GetTempFileNameA.KERNEL32(0000000B,?,00000000,?,?,004034CA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007), ref: 00405F78

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F4D
nsa, xrefs: 00405F55

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction ID: 05c77450f8afc2c62a5a11a921c51d956a1ea51751b09822177720344b0c8500
Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction Fuzzy Hash: 02F082363042087BDB109F55DD44BAB7B9CDF91750F14C03BFE48DA180D6B4D9988798

Function 004020A5 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020D0

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020E0
GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
Instruction ID: efc1da79dccaef9ffb2761d2644f5cd4432d5c2edc08e83b6cf0327c91c21bf2
Opcode Fuzzy Hash: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
Instruction Fuzzy Hash: 2B210832904214E7CF207FA58E4DAAE3A60AF44358F60413FF601B61E0DBBD49819A6E

Function 00403A7C Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403A8E
CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403AA2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A81
C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\, xrefs: 00403AB2

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\
API String ID: 2962429428-1546574808
Opcode ID: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
Instruction ID: f2bf129958ed6937e4157d035670f95a6da1e01cb45a681b65e96f9405f647bf
Opcode Fuzzy Hash: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
Instruction Fuzzy Hash: F4E08631640B1896C130EF7CAD4D8853B189B413357204726F1B9F20F0C738A9574EE9

Function 004031FD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 00403222

Strings

o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00403277, 0040328E, 004032A4

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: FilePointer
String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
API String ID: 973152223-292220189
Opcode ID: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
Instruction ID: 301e065564a74905a78554ad982773151ad037ba2d6e6f8d8cd401a7b941de18
Opcode Fuzzy Hash: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
Instruction Fuzzy Hash: E2318D30200219FFDB109F95ED45A9A3FA8EB05755B20847EB914E61D0D738DB509FA9

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\HDKuOe.exe"), ref: 00405DC1
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA

GetFileAttributesA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040596F: CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2

SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Snetchball\update,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Snetchball\update, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Snetchball\update
API String ID: 1892508949-927936913
Opcode ID: 686546c29d77d16800122f5f58dad040e92f1cd5cb46c8d43cba2cc5979698c7
Instruction ID: f3b3600b6319d637c5497ea1020ed17c5aedac6227b62b2eaa768bc98e31f113
Opcode Fuzzy Hash: 686546c29d77d16800122f5f58dad040e92f1cd5cb46c8d43cba2cc5979698c7
Instruction Fuzzy Hash: 09115731508140EBCF306FA54D405BF23B09E96324B28453FF8D1B22E2DA3D0C42AA3E

Function 00401EF9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00405A64: ShellExecuteExA.SHELL32(?,0040484C,?), ref: 00405A73

Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 00401FC0

Strings

C:\Users\user\AppData\Roaming\Snetchball\update, xrefs: 00401F47
@, xrefs: 00401F64

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: ChangeCloseCodeExecuteExitFindNotificationObjectProcessShellSingleWait
String ID: @$C:\Users\user\AppData\Roaming\Snetchball\update
API String ID: 4215836453-3624877914
Opcode ID: ca5dcfe273db322cd2b1047bb711393c2fd6e1299f05b5bb146021fbefc2bce0
Instruction ID: 6aaf433614bda070767cb5ada7d625c506587397f4dc3d97d216a8830c7633e1
Opcode Fuzzy Hash: ca5dcfe273db322cd2b1047bb711393c2fd6e1299f05b5bb146021fbefc2bce0
Instruction Fuzzy Hash: 25113A75E042089ADB11EFB9DA4968DBBF4AF48304F24453AE415FB2D2DBBD88019F58

Function 00405E08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395

Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\HDKuOe.exe"), ref: 00405DC1
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\HDKuOe.exe"), ref: 00405E5B
GetFileAttributesA.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0), ref: 00405E6B

Strings

C:\, xrefs: 00405E0E, 00405E13, 00405E19, 00405E54, 00405E5A, 00405E62, 00405E6A

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
Instruction ID: eca821d8ca18e415d707ee210574ba5bb9731226a542ad11e9256983d04766a4
Opcode Fuzzy Hash: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
Instruction Fuzzy Hash: F7F02831105D5116C6223336AD09AAF1644CE9732471A453FFCE1B52D2DB3C8A539CEE

Function 00406EBD Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
Instruction ID: 14484b0326c8a5630d33184448731c7578348ec986130544f859662fecd3ad08
Opcode Fuzzy Hash: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
Instruction Fuzzy Hash: 04A12471E04229CBDF28CFA8C844BADBBB1FF44305F14816AD956BB281C7786986DF45

Function 004070BE Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
Instruction ID: 16a3963220edad981734dfbd86db7ae4535d0e52bcc7a87e0ef86c627c8cfaa4
Opcode Fuzzy Hash: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
Instruction Fuzzy Hash: 2D912370D04268CBDF28CF98C854BADBBB1FF44305F14816AD956BB281C7786986DF45

Function 00406DD4 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
Instruction ID: e981be8a744509f315cfd76b32476d9c10b76e0a4aa84739a8d113cb33934a41
Opcode Fuzzy Hash: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
Instruction Fuzzy Hash: 37812471E04228CBDF24CFA8C844BADBBB1FF45305F24816AD856BB291C7789986DF45

Function 00406D27 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
Instruction ID: 516ab04208dd2bc2fd7cdea6c41d3130492ff38fa800e35acf718bd73fbf6333
Opcode Fuzzy Hash: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
Instruction Fuzzy Hash: A4712271E04228CBDF24CF98C844BADBBB1FF48305F14806AD856BB281C778A986DF45

Function 00406E45 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
Instruction ID: 835baf8de871759411e2c74e4a47f0112f02d54065241c3c7dcda5dc236b3f46
Opcode Fuzzy Hash: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
Instruction Fuzzy Hash: 92712571E04228CBEF28CF98C844BADBBB1FF44305F15816AD856BB281C7786996DF45

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
Instruction ID: ccec74d0ee3a806077926e8984c2e201e8b1f3d886c73ab216be699138b2bca7
Opcode Fuzzy Hash: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
Instruction Fuzzy Hash: 39715771E04228CBEF28CF98C844BADBBB1FF44305F14806AD956BB281C778A946DF45

Function 00401B87 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401BF6
GlobalAlloc.KERNEL32(00000040,00000404), ref: 00401C08

Strings

C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00401BAE, 00401BB4, 00401BCE

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: Global$AllocFree
String ID: C:\Users\user\AppData\Local\Temp\setup.exe
API String ID: 3394109436-630909452
Opcode ID: 1742c790c76e1204b36b83cb8595e4f796a64baec2cc559805630d203923ff3a
Instruction ID: d16732292a7d53aa36264d1983316191a85a40c43d81ca2894a5c6bdb3dae948
Opcode Fuzzy Hash: 1742c790c76e1204b36b83cb8595e4f796a64baec2cc559805630d203923ff3a
Instruction Fuzzy Hash: 6921A872600208ABC720EB65CEC495E73E8EB89314765493BF502F72E1DB7CA8518B9D

Function 0040247E Relevance: 4.6, APIs: 3, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0040AC20,00000023,00000011,00000002), ref: 004024C9
RegSetValueExA.KERNEL32(?,?,?,?,0040AC20,00000000,00000011,00000002), ref: 00402509
RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: CloseValuelstrlen
String ID:
API String ID: 2655323295-0
Opcode ID: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
Instruction ID: e1e6ae2a7b536448810537a1ffa9a52b32d6c636ce9630cd27147c6707bb0a71
Opcode Fuzzy Hash: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
Instruction Fuzzy Hash: 04116371E04208AFEB10AFA5DE49AAEBA74EB84714F21443BF504F71C1DAB94D409B68

Function 00402590 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 705f8b49631554dcec7b4eb98624595070a3904998d9344154508b49de78e75c
Instruction ID: 33ff3e85e785963e302667c06a3cb1355a7acd8bf142a31c2560ef5bcfc7d759
Opcode Fuzzy Hash: 705f8b49631554dcec7b4eb98624595070a3904998d9344154508b49de78e75c
Instruction Fuzzy Hash: 2C017571904104FFE7158F54DE88ABF7BACEF81358F20443EF101A61C0DAB44E449679

Function 00405B02 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EF6: GetFileAttributesA.KERNEL32(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
Part of subcall function 00405EF6: SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F0F

RemoveDirectoryA.KERNEL32(?,?,?,00000000,00405CF1), ref: 00405B1D
DeleteFileA.KERNEL32(?,?,?,00000000,00405CF1), ref: 00405B25
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B3D

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
Instruction ID: eeb49a2f717892c2e0964ab94aaac89db2a73fdd151ed94c70539e0cf44bba43
Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
Instruction Fuzzy Hash: 6CE0E531109A9097C62067349908A5B7AF8EF86314F094D3AF9A1F20D0DB38B9468EBD

Function 00406809 Relevance: 4.5, APIs: 3, Instructions: 27synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 0040682F
GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 2567322000-0
Opcode ID: d1ff3f73a38d8d565191ded27fad29c52e1940f561348969c9200a5cb4687b78
Instruction ID: abee92fc01d0549169be82d64ea8a54f8020188e09ec540bf7ef67874f21f581
Opcode Fuzzy Hash: d1ff3f73a38d8d565191ded27fad29c52e1940f561348969c9200a5cb4687b78
Instruction Fuzzy Hash: 9DE0D832600118FBDB00AB54DD05E9E7F6EEB44704F114033F601B6190C7B59E21DB98

Function 00405F93 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,0040B8F8,00403481,00000009,00000009,00403385,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F), ref: 00405FA7

Strings

o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00405F96

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: FileRead
String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
API String ID: 2738559852-292220189
Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction ID: 61a6516da629700e98a59d605e8380186fb5f41ecf47873683bd74a9a2ef61d4
Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction Fuzzy Hash: 8BE08C3220161EEBEF119E508C00AEBBB6CEB00360F004433FD25E3140E234E9218BA8

Function 0040251E Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,00000000,?,?,?,?), ref: 0040254E
RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: acecc3e732b5dbd74a9740bd21ea2b495ff764a52a6e8e2361329d984987feff
Instruction ID: 7c766f3f1fb2abd04e903467a79d83897fdaad9d0bba0580308fe752c8381985
Opcode Fuzzy Hash: acecc3e732b5dbd74a9740bd21ea2b495ff764a52a6e8e2361329d984987feff
Instruction Fuzzy Hash: 1B11BF71905205EFDB25CF64DA985AE7BB4AF11355F20483FE042B72C0D6B88A85DA1D

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
Instruction ID: c6e23866af321c238b4b59365f681da1ab702c54c00e726fca3ee5b0521d1f72
Opcode Fuzzy Hash: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
Instruction Fuzzy Hash: 5201D131B242109BE7194B38AE04B2A36A8E754315F51813AF851F61F1DB78CC129B4D

Function 00405A21 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
CloseHandle.KERNEL32(?), ref: 00405A57

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
Instruction ID: 70dcd79ab4e1e9e84cc9ba673cd08f466e07e48f17d85ed3475224309c024e1a
Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
Instruction Fuzzy Hash: A5E04FB4600209BFEB009B64ED09F7B77ACFB04244F808421BE40F2150D67899658A78

Function 00406794 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
GetProcAddress.KERNEL32(00000000,?), ref: 004067C1

Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
Part of subcall function 00406726: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
Instruction ID: 2a593beb9babc16b4b5ae8275dbdfb46ef4ebf17ea7291b62b5d373670c31446
Opcode Fuzzy Hash: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
Instruction Fuzzy Hash: B6E0863260421157D21067705E4897773ACAF94B54302043EF546F3144D7389C76966D

Function 00405F1B Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\Desktop\HDKuOe.exe,80000000,00000003), ref: 00405F1F
CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19

Function 00405EF6 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F0F

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: 2a9487917742c73a52daa6fa2dda6e447083e2efb983b62a69771bacbdb33add
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: E3D0C972504422ABD2102728AE0889BBB55DB94271702CA35FDA5A26F1DB304C569A9C

Function 004059EC Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction ID: 42ce2bd36b25b14d2ed8d631edf33fc643f4c4eb5ed9af5e51ab4a49ffb09bba
Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction Fuzzy Hash: 9BC04C303145419AD6505B309F4DB177A54AB50741F51553A638AE01A0DA348465DD2D

Function 10001426 Relevance: 2.5, APIs: 2, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,10003024,?,10003020,1000138F,10003020,00000400), ref: 10001454
GlobalFree.KERNELBASE(10003020), ref: 10001464

Memory Dump Source

Source File: 00000000.00000002.2889947865.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2889930907.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2889964364.0000000010002000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2889980692.0000000010004000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_HDKuOe.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID:
API String ID: 1459762280-0
Opcode ID: d37c7429f21efaa5103ac68eecef2f505b672404a3497301ec3293a1c9b8d6fd
Instruction ID: 61cff6a9ed434c6726c3e265b98623322506fe6e864b2b4fb358a1092e6d6a6c
Opcode Fuzzy Hash: d37c7429f21efaa5103ac68eecef2f505b672404a3497301ec3293a1c9b8d6fd
Instruction Fuzzy Hash: 8DF0F8312152209FE315DF24CC94B9777E9FB0A385F018429E691C7278D770E804CB22

Function 00401F7B Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Part of subcall function 00405A21: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
Part of subcall function 00405A21: CloseHandle.KERNEL32(?), ref: 00405A57

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 00401FC0

Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C

Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: MessageSend$CloseProcesslstrlen$ChangeCodeCreateExitFindHandleNotificationObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 1543427666-0
Opcode ID: 5a6c6c0fb7ef29f4985f4766a88127bea2ca1a19b834f4a1a12170b8a3b172af
Instruction ID: dce1314ccbc215d7d9c334b017be086f7c4cc40ba0f87dfe0d8145fd67a5eb82
Opcode Fuzzy Hash: 5a6c6c0fb7ef29f4985f4766a88127bea2ca1a19b834f4a1a12170b8a3b172af
Instruction Fuzzy Hash: 2DF0B432A05121DBDB20BFA59EC49EEB2A4DF41318B25463FF502B21D1CB7C4D418A6E

Function 0040623C Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 00406265

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: 57b18be241489d6c3509c0f1b2cb500900bdd64e2c84313365475615acd8ae2e
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: 16E0E672010109BEDF196F50DD0AD7B371DEB04341F01492EF916D4091E6B5A9309734

Function 00405FC2 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,0040FBFA,0040B8F8,00403405,0040B8F8,0040FBFA,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F,00000004), ref: 00405FD6

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: d5187e51ab0d96a1766449b5dbb93cac2cdd9e80b7d20ab2fc0b5d8c8d5322e8
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 4AE0EC3221065BABDF109E659C04EEB7B6CEB05360F004437FA55E3150D675E8219BA4

Function 0040620E Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(00000000,?,00000000,?,?,00420530,?,?,0040629C,00420530,?,?,?,00000002,C:\Users\user\AppData\Local\Temp\setup.exe), ref: 00406232

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: e678259d492eddc69303d735af6c58fa5eb03465f078c5ba6a1a088e01eebb4c
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: 64D0123244020DBBDF116F90ED01FAB3B1DEB18350F014826FE06A80A1D775D530A725

Function 00406161 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040616B

Part of subcall function 00405FF1: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
Part of subcall function 00405FF1: GetShortPathNameA.KERNEL32(?,00422AE0,00000400), ref: 0040602B
Part of subcall function 00405FF1: GetShortPathNameA.KERNEL32(?,00422EE0,00000400), ref: 00406048
Part of subcall function 00405FF1: wsprintfA.USER32 ref: 00406066
Part of subcall function 00405FF1: GetFileSize.KERNEL32(00000000,00000000,00422EE0,C0000000,00000004,00422EE0,?,?,?,?,?), ref: 004060A1
Part of subcall function 00405FF1: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
Part of subcall function 00405FF1: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
Part of subcall function 00405FF1: SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,004226E0,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
Part of subcall function 00405FF1: GlobalFree.KERNEL32(00000000), ref: 0040614F

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: File$GlobalNamePathShort$AllocCloseFreeHandleMovePointerSizelstrcpywsprintf
String ID:
API String ID: 299535525-0
Opcode ID: e5ed7b2843c229ea28ef8c1ce415cb2f1f2a9dfc0e88d0e1822b60b3228602b1
Instruction ID: 0556bd0dd0e376f9d1944fcc72f0db357db156cd0d89a75f2f72d3c973fa690a
Opcode Fuzzy Hash: e5ed7b2843c229ea28ef8c1ce415cb2f1f2a9dfc0e88d0e1822b60b3228602b1
Instruction Fuzzy Hash: F0D0C731108602FFDB111B10ED0591B7BA5FF90355F11943EF599940B1DB368461DF09

Function 00403484 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00403182,?), ref: 00403492

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Non-executed Functions

Function 004055E7 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405646
GetDlgItem.USER32(?,000003EE), ref: 00405655
GetClientRect.USER32(?,?), ref: 00405692
GetSystemMetrics.USER32(00000002), ref: 00405699
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056BA
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056CB
SendMessageA.USER32(?,00001001,00000000,?), ref: 004056DE
SendMessageA.USER32(?,00001026,00000000,?), ref: 004056EC
SendMessageA.USER32(?,00001024,00000000,?), ref: 004056FF
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405721
ShowWindow.USER32(?,00000008), ref: 00405735
GetDlgItem.USER32(?,000003EC), ref: 00405756
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405766
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040577F
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040578B
GetDlgItem.USER32(?,000003F8), ref: 00405664

Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448

GetDlgItem.USER32(?,000003EC), ref: 004057A7
CreateThread.KERNEL32(00000000,00000000,Function_0000557B,00000000), ref: 004057B5
CloseHandle.KERNEL32(00000000), ref: 004057BC
ShowWindow.USER32(00000000), ref: 004057DF
ShowWindow.USER32(?,00000008), ref: 004057E6
ShowWindow.USER32(00000008), ref: 0040582C
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405860
CreatePopupMenu.USER32 ref: 00405871
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405886
GetWindowRect.USER32(?,000000FF), ref: 004058A6
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058BF
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004058FB
OpenClipboard.USER32(00000000), ref: 0040590B
EmptyClipboard.USER32 ref: 00405911
GlobalAlloc.KERNEL32(00000042,?), ref: 0040591A
GlobalLock.KERNEL32(00000000), ref: 00405924
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405938
GlobalUnlock.KERNEL32(00000000), ref: 00405951
SetClipboardData.USER32(00000001,00000000), ref: 0040595C
CloseClipboard.USER32 ref: 00405962

Strings

PB, xrefs: 004058D7

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: PB
API String ID: 590372296-3196168531
Opcode ID: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
Instruction ID: 44a2cb424ceca129f1c721a27905a8e57bc1109532c064cce4e419f7e60c3497
Opcode Fuzzy Hash: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
Instruction Fuzzy Hash: 18A13971900608FFDB11AF64DE85AAE7BB9FB48355F00403AFA41BA1A0CB754E51DF58

Function 00404897 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004048E6
SetWindowTextA.USER32(00000000,?), ref: 00404910
SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 004049C1
CoTaskMemFree.OLE32(00000000), ref: 004049CC
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,00420D50), ref: 004049FE
lstrcatA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\setup.exe), ref: 00404A0A
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A1C

Part of subcall function 00405A82: GetDlgItemTextA.USER32(?,?,00000400,00404A53), ref: 00405A95

Part of subcall function 00406666: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\HDKuOe.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
Part of subcall function 00406666: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\HDKuOe.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
Part of subcall function 00406666: CharNextA.USER32(0000000B,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\HDKuOe.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
Part of subcall function 00406666: CharPrevA.USER32(0000000B,0000000B,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\HDKuOe.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0

GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404ADA
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AF5

Part of subcall function 00404C4E: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
Part of subcall function 00404C4E: wsprintfA.USER32 ref: 00404CF4
Part of subcall function 00404C4E: SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07

Strings

C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 004049F8, 004049FD, 00404A08
A, xrefs: 004049BA
C:\Users\user\AppData\Roaming\Sketchball, xrefs: 004049E7
PB, xrefs: 00404994

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\Sketchball$PB
API String ID: 2624150263-1800443909
Opcode ID: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
Instruction ID: 03633cdec68ae3b48ba4c7d33c4768738bfb21d85bfcf2e4b9185cba9ee35c0f
Opcode Fuzzy Hash: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
Instruction Fuzzy Hash: 7DA150B1A00208AADB11EFA5DD45BAFB6B8EF84315F10803BF601B62D1D77C99418F6D

Function 00402173 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA

Strings

C:\Users\user\AppData\Roaming\Snetchball\update, xrefs: 00402238

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Snetchball\update
API String ID: 123533781-927936913
Opcode ID: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
Instruction ID: 4a55140eb955682c0845ac661669d1effe53c60cfc8a987c49de3bb9103baba8
Opcode Fuzzy Hash: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
Instruction Fuzzy Hash: B2513575A00208AFDF10DFE4CA88A9D7BB5EF48314F2045BAF505EB2D1DA799981CB54

Function 004027AA Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B9

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 3697544f2be0618a58616ff40495ed399055e36512a5e022deae8fba2564a7e1
Instruction ID: 9767438fe71d1176ff9aac627a01f72906af616df08219c0cc944b63bddc0547
Opcode Fuzzy Hash: 3697544f2be0618a58616ff40495ed399055e36512a5e022deae8fba2564a7e1
Instruction Fuzzy Hash: CCF0A0726082049AD710EBA49A49AEEB7689F51324F60057BF142F20C1D6B889459B2A

Function 00404E0A Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404E21
GetDlgItem.USER32(?,00000408), ref: 00404E2E
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E7D
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E94
SetWindowLongA.USER32(?,000000FC,0040541D), ref: 00404EAE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EC0
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404ED4
SendMessageA.USER32(?,00001109,00000002), ref: 00404EEA
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404EF6
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F06
DeleteObject.GDI32(00000110), ref: 00404F0B
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F36
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F42
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404FDC
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 0040500C

Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448

SendMessageA.USER32(?,00001100,00000000,?), ref: 00405020
GetWindowLongA.USER32(?,000000F0), ref: 0040504E
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040505C
ShowWindow.USER32(?,00000005), ref: 0040506C
SendMessageA.USER32(?,00000419,00000000,?), ref: 00405167
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051CC
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004051E1
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00405205
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00405225
ImageList_Destroy.COMCTL32(?), ref: 0040523A
GlobalFree.KERNEL32(?), ref: 0040524A
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052C3
SendMessageA.USER32(?,00001102,?,?), ref: 0040536C
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040537B
InvalidateRect.USER32(?,00000000,00000001), ref: 004053A6
ShowWindow.USER32(?,00000000), ref: 004053F4
GetDlgItem.USER32(?,000003FE), ref: 004053FF
ShowWindow.USER32(00000000), ref: 00405406

Strings

, xrefs: 004053DE
N, xrefs: 004050A5
M, xrefs: 00404FC4

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
Instruction ID: c306c4130ea67d8582adb4b0d0e706bf782d7aff15223233fd0d43401108afdf
Opcode Fuzzy Hash: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
Instruction Fuzzy Hash: 6C025CB0A00609AFDB209F94DD45AAE7BB5FB84354F10817AF610BA2E1D7789D42CF58

Function 00403F0B Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F47
ShowWindow.USER32(?), ref: 00403F67
GetWindowLongA.USER32(?,000000F0), ref: 00403F79
ShowWindow.USER32(?,00000004), ref: 00403F92
DestroyWindow.USER32 ref: 00403FA6
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FBF
GetDlgItem.USER32(?,?), ref: 00403FDE
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403FF2
IsWindowEnabled.USER32(00000000), ref: 00403FF9
GetDlgItem.USER32(?,00000001), ref: 004040A4
GetDlgItem.USER32(?,00000002), ref: 004040AE
SetClassLongA.USER32(?,000000F2,?), ref: 004040C8
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404119
GetDlgItem.USER32(?,00000003), ref: 004041BF
ShowWindow.USER32(00000000,?), ref: 004041E0
EnableWindow.USER32(?,?), ref: 004041F2
EnableWindow.USER32(?,?), ref: 0040420D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404223
EnableMenuItem.USER32(00000000), ref: 0040422A
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404242
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404255
lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 0040427F
SetWindowTextA.USER32(?,00420D50), ref: 0040428E
ShowWindow.USER32(?,0000000A), ref: 004043C2

Strings

PB, xrefs: 0040426F

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID: PB
API String ID: 1860320154-3196168531
Opcode ID: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
Instruction ID: 6b3c419a8b2de2434844e8cd53afab52d63163afb5b1bd925d395a768d9dd0e6
Opcode Fuzzy Hash: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
Instruction Fuzzy Hash: ECC1D2B1A00204BBCB206F61EE45E2B3A78EB85745F41053EF781B61F1CB3998929B5D

Function 00404570 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004045FB
GetDlgItem.USER32(00000000,000003E8), ref: 0040460F
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040462D
GetSysColor.USER32(?), ref: 0040463E
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040464D
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040465C
lstrlenA.KERNEL32(?), ref: 0040465F
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040466E
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404683
GetDlgItem.USER32(?,0000040A), ref: 004046E5
SendMessageA.USER32(00000000), ref: 004046E8
GetDlgItem.USER32(?,000003E8), ref: 00404713
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404753
LoadCursorA.USER32(00000000,00007F02), ref: 00404762
SetCursor.USER32(00000000), ref: 0040476B
LoadCursorA.USER32(00000000,00007F00), ref: 00404781
SetCursor.USER32(00000000), ref: 00404784
SendMessageA.USER32(00000111,00000001,00000000), ref: 004047B0
SendMessageA.USER32(00000010,00000000,00000000), ref: 004047C4

Strings

N, xrefs: 00404701
6B, xrefs: 0040476F

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$6B
API String ID: 3103080414-649610290
Opcode ID: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
Instruction ID: 424ea1d81b5f8fd67bb79b8421ee67f108f717641e3cc5fc4ea293435da972af
Opcode Fuzzy Hash: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
Instruction Fuzzy Hash: CE6190B1A40208BFDB109F61DD45B6A7B69FB84715F10843AFB01BB2D1C7B8A951CF98

Function 00405FF1 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
GetShortPathNameA.KERNEL32(?,00422AE0,00000400), ref: 0040602B

Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2

GetShortPathNameA.KERNEL32(?,00422EE0,00000400), ref: 00406048
wsprintfA.USER32 ref: 00406066
GetFileSize.KERNEL32(00000000,00000000,00422EE0,C0000000,00000004,00422EE0,?,?,?,?,?), ref: 004060A1
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,004226E0,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
GlobalFree.KERNEL32(00000000), ref: 0040614F
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406156

Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\Desktop\HDKuOe.exe,80000000,00000003), ref: 00405F1F
Part of subcall function 00405F1B: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

Strings

*B, xrefs: 00406010
[Rename], xrefs: 004060D0, 004060E2
.B, xrefs: 00406044
%s=%s, xrefs: 0040605C
.B, xrefs: 0040603D

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]$*B$.B$.B
API String ID: 2171350718-3836630945
Opcode ID: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
Instruction ID: 7566a5a9e9d08134d14435fb5d3e1561ad96112206bac95af022f508aac3f812
Opcode Fuzzy Hash: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
Instruction Fuzzy Hash: 68310531200715BBC2207B659D49F6B3A5DDF85754F15003EFE42BA2C3EA7CD8228AAD

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
Instruction ID: bc851ab26da2bb863bf3a2ee07eb2f950de800ada4cbee7b2d64f78586a04119
Opcode Fuzzy Hash: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
Instruction Fuzzy Hash: 2C419D71800249AFCF058FA5DE459AF7FB9FF45314F00802AF991AA1A0C734DA55DFA4

Function 004054A9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
SetWindowTextA.USER32(00420530,00420530), ref: 00405517
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Strings

4/@, xrefs: 004054EF, 00405501

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: 4/@
API String ID: 2531174081-3101945251
Opcode ID: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
Instruction ID: 7ab3267fb946cf8e7efc5916356ec1270af3577e2396c2c3629ce5ef3fcb69de
Opcode Fuzzy Hash: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
Instruction Fuzzy Hash: 0F217A71E00118BBCF119FA5DD8099EBFB9EF09354F04807AF944A6291C7788A90CFA8

Function 00406666 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(0000000B,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\HDKuOe.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\HDKuOe.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
CharNextA.USER32(0000000B,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\HDKuOe.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
CharPrevA.USER32(0000000B,0000000B,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\HDKuOe.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406667
*?|<>/":, xrefs: 004066AE
"C:\Users\user\Desktop\HDKuOe.exe", xrefs: 00406666

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\HDKuOe.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3438618575
Opcode ID: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
Instruction ID: 80d428334b402c3338f843ea799862c1973996ffb1638880579f4ae0c72fc655
Opcode Fuzzy Hash: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
Instruction Fuzzy Hash: 7E1108518047902DEB3206340C04B7B7F894F977A0F2A087FD8C6722C2D67E5C62967D

Function 00402EBD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402ED5
GetTickCount.KERNEL32 ref: 00402EF3
wsprintfA.USER32 ref: 00402F21

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
ShowWindow.USER32(00000000,00000005), ref: 00402F53

Part of subcall function 00402EA1: MulDiv.KERNEL32(?,00000064,?), ref: 00402EB6

Strings

#Vh%.@, xrefs: 00402F34
... %d%%, xrefs: 00402F1B

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%$#Vh%.@
API String ID: 722711167-1706192003
Opcode ID: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
Instruction ID: ac0ca11ee9366edb0cc6a28cc5aeb329eacd7d00ab00b3c3670f6d564c8935e4
Opcode Fuzzy Hash: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
Instruction Fuzzy Hash: 3F01A170542225EBCB21BB50EF0CBAB3778EB40744B04443BF505B21D0C7F894469AEE

Function 0040446C Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404489
GetSysColor.USER32(00000000), ref: 004044C7
SetTextColor.GDI32(?,00000000), ref: 004044D3
SetBkMode.GDI32(?,?), ref: 004044DF
GetSysColor.USER32(?), ref: 004044F2
SetBkColor.GDI32(?,?), ref: 00404502
DeleteObject.GDI32(?), ref: 0040451C
CreateBrushIndirect.GDI32(?), ref: 00404526

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction ID: 76b6fc4927f6120469f5ffa52701fcd3ddd76896e52d32ad6f55637f73cee333
Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction Fuzzy Hash: 9E2147B1501704AFCB31DF68ED08B5BBBF8AF41715B04892EEA96A26E0D734E904CB54

Function 00404D58 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D73
GetMessagePos.USER32 ref: 00404D7B
ScreenToClient.USER32(?,?), ref: 00404D95
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DA7
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DCD

Strings

f, xrefs: 00404DA9

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: de178be9688f757f82ef56a4cbeb6693d0582b60b2ea90e1a00f6814b48fd044
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: BB014871900219BADB01DBA4DD85BFEBBF8AF95B11F10016ABA40B61C0C6B499058BA4

Function 00402E25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
wsprintfA.USER32 ref: 00402E74
SetWindowTextA.USER32(?,?), ref: 00402E84
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96

Strings

verifying installer: %d%%, xrefs: 00402E69, 00402E72
unpacking data: %d%%, xrefs: 00402E62

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
Instruction ID: 7ad4584a5e884be7344c254f70e0401137e7e46ce86c3cf658bb2ab9d23be74a
Opcode Fuzzy Hash: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
Instruction Fuzzy Hash: 1DF01D7054020DBAEF219F60DE0ABAE3769EB44344F00803AFA16B91D0DBB899558F99

Function 004027E8 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
GlobalFree.KERNEL32(?), ref: 004028A4
GlobalFree.KERNEL32(00000000), ref: 004028B7
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
Instruction ID: cd924008ac91bdcd896aacfcc8aadc4f9c7de1b4393fc14a433ce499bdbf1d56
Opcode Fuzzy Hash: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
Instruction Fuzzy Hash: D931AC32800128ABDF216FA5DE49D9E7A75FF08364F24423AF450B62D0CB7949419F68

Function 1000103F Relevance: 9.1, APIs: 6, Instructions: 55synchronizationCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00100401,00000000,?,0000025E,?,00000000,?), ref: 10001054
EnumWindows.USER32(10001007,?), ref: 10001074
GetExitCodeProcess.KERNEL32(00000000,?), ref: 10001084
WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 1000109D
TerminateProcess.KERNEL32(00000000,00000000), ref: 100010AE
CloseHandle.KERNEL32(00000000), ref: 100010C5

Memory Dump Source

Source File: 00000000.00000002.2889947865.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2889930907.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2889964364.0000000010002000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2889980692.0000000010004000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_HDKuOe.jbxd

Similarity

API ID: Process$CloseCodeEnumExitHandleObjectOpenSingleTerminateWaitWindows
String ID:
API String ID: 3465249596-0
Opcode ID: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
Instruction ID: 6b4dcd5717a232181223c093e4f4244ae1ce1555a3c8e15b92772d9ea2fb9ae7
Opcode Fuzzy Hash: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
Instruction Fuzzy Hash: 5211E235A00299EFFB00DFA5CCC8AEE77BCEB456C5F014069FA4192149D7B49981CB62

Function 00404C4E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
wsprintfA.USER32 ref: 00404CF4
SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07

Strings

%u.%u%s%s, xrefs: 00404CD6
PB, xrefs: 00404CDE

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$PB
API String ID: 3540041739-838025833
Opcode ID: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
Instruction ID: 635705270cf82d3fa6c033b13715314544988666452c3f341a93ad76d23c3d90
Opcode Fuzzy Hash: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
Instruction Fuzzy Hash: 5F11E77360512837EB00656D9D45EAE3298DB85374F26423BFE26F71D1E978CC1286E8

Function 00402D3B Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 6a17d2dfc8014f9998472e4bb2df9c50261cd009cc462a72ab7525fe56808e65
Instruction ID: 1f7d8097ab2fb743d310579a2b4365e3e31c1a4ec17ce584dda370d325fd3950
Opcode Fuzzy Hash: 6a17d2dfc8014f9998472e4bb2df9c50261cd009cc462a72ab7525fe56808e65
Instruction Fuzzy Hash: 1D214B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AF955B11A0D7B49EA49AA8

Function 00401D65 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D7E
GetClientRect.USER32(?,?), ref: 00401DCC
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
Instruction ID: cb7cd4706ec086029cb46641885d9617bace417a5341e65c45b3777010ef1041
Opcode Fuzzy Hash: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
Instruction Fuzzy Hash: 35212A72E00109AFDF15DFA4DD85AAEBBB5EB88300F24417EF911F62A0DB389941DB14

Function 00401E35 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32(?,00000000), ref: 00401E6B
CreateFontIndirectA.GDI32(0040B820), ref: 00401EBA

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
Instruction ID: bfe7ce59390996d5b2ac71ca67757b7c78ff13e1b53bdd881068f9c0e557254e
Opcode Fuzzy Hash: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
Instruction Fuzzy Hash: 66018072504340AEE7007BB0AF8AA9A7FE8E755701F109439F241B61E2CB790449CB6C

Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
Instruction ID: a12cfbdd51ff26f17676da16b1bc06906883597644a76ef85f46b7bf1251d8d3
Opcode Fuzzy Hash: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
Instruction Fuzzy Hash: 2A218271948208BEEB059FF5DA8AAAD7FB4EF84304F20447EF101B61D1D7B989819B18

Function 00405D1A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D20
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D29
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D3A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405D1A

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction ID: 6a6775ee8fa4d5d8d60a890cb1840bbff54d6a4bc9e312217f61a2b57c53a4e0
Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction Fuzzy Hash: 82D0A7625015307AD20167154C09DDF29488F523017094027F501B7191C67C5C1187FD

Function 00405DB3 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\HDKuOe.exe"), ref: 00405DC1
CharNextA.USER32(00000000), ref: 00405DC6
CharNextA.USER32(00000000), ref: 00405DDA

Strings

C:\, xrefs: 00405DB4

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
Instruction ID: a81d310af092f64b8c374c4571b8fed5a60269d48026fa3bbeeaae68e06855d2
Opcode Fuzzy Hash: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
Instruction Fuzzy Hash: 71F09661904F542BFB3293648C4CB776B8DCF55351F28947BE6807A6C1C27C59808FEA

Function 0040541D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040544C
CallWindowProcA.USER32(?,?,?,?), ref: 0040549D

Part of subcall function 00404451: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404463

Strings

, xrefs: 0040542D

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
Instruction ID: ce4d6245f7a5538c18ae28323cba1b5bdda0ccdff68052f186ad3da5f1ae13b7
Opcode Fuzzy Hash: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
Instruction Fuzzy Hash: 2A015E31200608AFDF216F51DD80BAF3A66EB84716F104537FA05761D2C7799CD29F6A

Function 0040626F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Users\user\AppData\Local\Temp\setup.exe,00420530,?,?,?,00000002,C:\Users\user\AppData\Local\Temp\setup.exe,?,00406527,80000002), ref: 004062B5
RegCloseKey.ADVAPI32(?,?,00406527,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,?,00420530), ref: 004062C0

Strings

C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00406272, 004062A6

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: CloseQueryValue
String ID: C:\Users\user\AppData\Local\Temp\setup.exe
API String ID: 3356406503-630909452
Opcode ID: b5b3bad3c76d40b2ede80ce474e794f1db4bf40d8bfbb80b5b2804fbfeedd4a0
Instruction ID: 5c8aa4f59809ec7c4ed175be077f356401e74c3ba082423fbe1b6bbc42bea5f4
Opcode Fuzzy Hash: b5b3bad3c76d40b2ede80ce474e794f1db4bf40d8bfbb80b5b2804fbfeedd4a0
Instruction Fuzzy Hash: 8101BC72100209ABDF229F60CC09FDB3FA8EF45364F01407AFD56A6190D638C974CBA8

Function 00405D61 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402FC8,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\HDKuOe.exe,C:\Users\user\Desktop\HDKuOe.exe,80000000,00000003), ref: 00405D67
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402FC8,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\HDKuOe.exe,C:\Users\user\Desktop\HDKuOe.exe,80000000,00000003), ref: 00405D75

Strings

C:\Users\user\Desktop, xrefs: 00405D61

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction ID: 27c40c0738421aba4af956c8f0f705930dfe744a77a65273bf6dbb66402e0641
Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction Fuzzy Hash: CBD0A772409D706EE31353208C04B8F6A48CF13300F0D4063E481A6190C2785C424BFD

Function 00405E80 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405EA8
CharNextA.USER32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB9
lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2

Memory Dump Source

Source File: 00000000.00000002.2888492357.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2888473704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888513544.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888531846.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2888674671.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_HDKuOe.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction ID: 98ea32bb50e75ca8be10b873c57fc005eda9f523d07111d413316ed06cfa332a
Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction Fuzzy Hash: 5FF06235104918AFCB129BA5DD4099EBFA8EF55350B2540B9E880F7211D674DF019BA9

Analysis Process: setup.exePID: 7968, Parent PID: 7312COMMON

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1367
Total number of Limit Nodes:	26

Executed Functions

Function 004034CC Relevance: 94.9, APIs: 34, Strings: 20, Instructions: 417
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 004034EF
GetVersionExA.KERNEL32(?), ref: 00403518
GetVersionExA.KERNEL32(0000009C), ref: 0040352F
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F8
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403635
OleInitialize.OLE32(00000000), ref: 0040363C
SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040365A
GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 0040366F
CharNextA.USER32(00000000,"C:\Users\user\AppData\Local\Temp\setup.exe",00000020,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,00000007,00000009,0000000B), ref: 004036A9
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037A2
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037B3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037BF
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037D3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037DB
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037EC
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004037F4
DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403808
ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038AE
OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038B3
ExitProcess.KERNEL32 ref: 004038D4
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038E7
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038F6
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 00403901
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp), ref: 0040390D
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403929
DeleteFileA.KERNEL32(0041F910,0041F910,?,00425000,?,?,00000007,00000009,0000000B), ref: 00403986
CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,0041F910,00000001), ref: 0040399B
CloseHandle.KERNEL32(00000000,0041F910,0041F910,?,0041F910,00000000,?,00000007,00000009,0000000B), ref: 004039C8
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004039F6
OpenProcessToken.ADVAPI32(00000000), ref: 004039FD
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A11
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A30
ExitWindowsEx.USER32(00000002,80040002), ref: 00403A55
ExitProcess.KERNEL32 ref: 00403A76

Strings

"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00403675, 0040367B, 0040382A
Low, xrefs: 004037D5
NSIS Error, xrefs: 00403660
UXTHEME, xrefs: 004035EC, 004035F1, 004035F7
C:\Users\user\AppData\Local\Temp\, xrefs: 00403797, 0040379C, 004037B2, 004037BE, 004037CD, 004037DA, 004037E6, 004037EE, 004038E4, 004038F5, 00403900, 0040390C, 00403919, 00403928, 004039DD
C:\Users\user\AppData\Local\Temp, xrefs: 00403906, 0040390B, 00403938
\Temp, xrefs: 004037B9
Error launching installer, xrefs: 0040386C
C:\Users\user\AppData\Roaming\Snetchball, xrefs: 00403787, 00403886, 0040392F, 00403939
~nsu, xrefs: 004038DF
1033, xrefs: 00403803
", xrefs: 004036CC
.tmp, xrefs: 004038FB
C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00403996
SeShutdownPrivilege, xrefs: 00403A0B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034E1
TEMP, xrefs: 004037E7
A, xrefs: 0040356A
C:\Users\user\AppData\Roaming\Snetchball, xrefs: 00403891
TMP, xrefs: 004037EF

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "$"C:\Users\user\AppData\Local\Temp\setup.exe"$.tmp$1033$A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\Snetchball$C:\Users\user\AppData\Roaming\Snetchball$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2882342585-2689106871
Opcode ID: 912f83a836eb1fe613a791148bb63afd1bd4364e3d9f696fa0d110b9325e2922
Instruction ID: 1a4863036e4e50ed5e1acae1e6299f6db15da00d6e87979e5214c03ba8a99dba
Opcode Fuzzy Hash: 912f83a836eb1fe613a791148bb63afd1bd4364e3d9f696fa0d110b9325e2922
Instruction Fuzzy Hash: 99E1D270A04354AADB21AF659D49B6F7EB89F86306F0540BFF441B61D2CB7C4A05CB2E

Function 00405B4A Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405B73
lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BBB
lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BDC
lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BE2
FindFirstFileA.KERNELBASE(00421D58,?,?,?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BF3
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CA0
FindClose.KERNEL32(00000000), ref: 00405CB1

Strings

"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00405B53
\*.*, xrefs: 00405BB5

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$\*.*
API String ID: 2035342205-2430568624
Opcode ID: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
Instruction ID: 9e5d3321e74a3647b1fb2cdcf4bec0a51507e3563529971eb59e862f6dba24c5
Opcode Fuzzy Hash: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
Instruction Fuzzy Hash: 2B519130908B04AAEB316B61CC49BAF7AB8DF82755F14813FF851B51D2C73C5982DE69

Function 00406A88 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
Instruction ID: c2ee61ea0ab5e5811791f69f03c7ffba3fbd093a674906ee4b434ab4c587e2e9
Opcode Fuzzy Hash: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
Instruction Fuzzy Hash: 0FF18A70D04269CBDF28CF98C8946ADBBB0FF44305F24816ED856BB281D7786A86DF45

Function 004066FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(74DF3410,004225A0,C:\,00405E4B,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0), ref: 0040670A
FindClose.KERNEL32(00000000), ref: 00406716

Strings

C:\, xrefs: 004066FF

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
Instruction ID: 083b1303d1f5dd1ba3b50291930e0491dd498af142a60d7bee4daa0eb941c193
Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
Instruction Fuzzy Hash: B3D01231515120BBC3405B38AE0C95B7E589F093747618A36F066F22E4DB74CC6286AC

Function 00403B6E Relevance: 49.2, APIs: 13, Strings: 15, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406794: GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
Part of subcall function 00406794: GetProcAddress.KERNEL32(00000000,?), ref: 004067C1

lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403BE9
lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,?,?,?,C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,00000000,C:\Users\user\AppData\Roaming\Snetchball,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74DF3410), ref: 00403C5E
lstrcmpiA.KERNEL32(?,.exe), ref: 00403C71
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403C7C
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Snetchball), ref: 00403CC5

Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3

RegisterClassA.USER32(00423EE0), ref: 00403D02
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D1A
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D4F
ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403D85
GetClassInfoA.USER32(00000000,RichEdit20A,00423EE0), ref: 00403DB1
GetClassInfoA.USER32(00000000,RichEdit,00423EE0), ref: 00403DBE
RegisterClassA.USER32(00423EE0), ref: 00403DC7
DialogBoxParamA.USER32(?,00000000,00403F0B,00000000), ref: 00403DE6

Strings

"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00403B71
Control Panel\Desktop\ResourceLocale, xrefs: 00403BA2
.exe, xrefs: 00403C6B
RichEdit, xrefs: 00403DB8
C:\Users\user\AppData\Local\Temp\, xrefs: 00403B73
C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe, xrefs: 00403C2C, 00403C34, 00403C41, 00403C8B, 00403C91
RichEdit20A, xrefs: 00403DA9, 00403DAF
>B, xrefs: 00403CD4
RichEd20, xrefs: 00403D8B
_Nb, xrefs: 00403CE1, 00403D49
C:\Users\user\AppData\Roaming\Snetchball, xrefs: 00403BF8, 00403C00, 00403C98, 00403C9E, 00403CAE
1033, xrefs: 00403B8E, 00403BE4
PB, xrefs: 00403B9A
RichEd32, xrefs: 00403D99
.DEFAULT\Control Panel\International, xrefs: 00403BD4

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Snetchball$C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$>B
API String ID: 1975747703-201467450
Opcode ID: e590d0c5fa98f393744fb4f016bdb4800495c857999addaceec8a385476c3f6f
Instruction ID: 5836c5bb6a6ef8c4ff0aed12ec42ff3eebf2d58129c507535c8ab2622d1094a3
Opcode Fuzzy Hash: e590d0c5fa98f393744fb4f016bdb4800495c857999addaceec8a385476c3f6f
Instruction Fuzzy Hash: 4F61D670204200AED620AF65AD45F3B3A7CEB8574AF41453FF951B62E2CB7D9D028B6D

Function 00402F5C Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F70
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\setup.exe,00000400), ref: 00402F8C

Part of subcall function 00405F1B: GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
Part of subcall function 00405F1B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00402FD5
GlobalAlloc.KERNEL32(00000040,00000009), ref: 00403117

Strings

Error launching installer, xrefs: 00402FAC
Null, xrefs: 00403053
"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00402F65
soft, xrefs: 0040304A
C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040312F
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403160
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004031AE
Inst, xrefs: 00403041
C:\Users\user\AppData\Local\Temp, xrefs: 00402FB7, 00402FBC, 00402FC2

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-1937576205
Opcode ID: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
Instruction ID: 8a05da1d373fd2b3e089436e62a275652004ed3b6aa6cfe031be989f12afac8e
Opcode Fuzzy Hash: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
Instruction Fuzzy Hash: 0771E231A01218ABDB20EF65DD85B9E7BACEB44356F10813BF910BA2C1D77C9E458B5C

Function 0040641B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,00000400), ref: 00406549
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,00000400,?,00420530,00000000,004054E1,00420530,00000000), ref: 0040655C
SHGetSpecialFolderLocation.SHELL32(004054E1,00000000,?,00420530,00000000,004054E1,00420530,00000000), ref: 00406598
SHGetPathFromIDListA.SHELL32(00000000,C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe), ref: 004065A6
CoTaskMemFree.OLE32(00000000), ref: 004065B2
lstrcatA.KERNEL32(C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D6
lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,?,00420530,00000000,004054E1,00420530,00000000,00000000,00000000,00000000), ref: 00406628

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D0
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406518
C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe, xrefs: 00406445, 00406515, 00406516, 00406517, 00406533, 00406548, 0040655B, 00406577, 004065A2, 004065D5, 004065DB, 004065F3, 00406606, 00406621, 00406627, 0040662F, 00406659

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-244135214
Opcode ID: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
Instruction ID: f38e20b3a3e0c1a2470d5ac0c6d90f06be75126661b475aa23e0086d5b044b98
Opcode Fuzzy Hash: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
Instruction Fuzzy Hash: 9F612370900114AEDF205F24EC90BBA3BA4EB52314F52403FE913B62D1D37D8A62DB4E

Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,C:\Users\user\AppData\Roaming\Snetchball,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,00000000,00000000,C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,C:\Users\user\AppData\Roaming\Snetchball,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Strings

C:\Users\user\AppData\Roaming\Snetchball\Uninstall.exe, xrefs: 00401826, 00401842
C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Roaming\Snetchball, xrefs: 00401786

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Roaming\Snetchball$C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe$C:\Users\user\AppData\Roaming\Snetchball\Uninstall.exe
API String ID: 1941528284-2874701492
Opcode ID: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
Instruction ID: 0d76be79c55a0237b493b10f9ec5be6125ba7ce9be49b25e4c886387d44134cc
Opcode Fuzzy Hash: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
Instruction Fuzzy Hash: E141B731900615BBCB107BB5CC45DAF3668EF45329B61833BF422F10E1D67C8A529AAE

Function 0040596F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
GetLastError.KERNEL32 ref: 004059C6
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004059DB
GetLastError.KERNEL32 ref: 004059E5

Strings

!9@, xrefs: 00405984
C:\Users\user\AppData\Local\Temp\, xrefs: 00405995

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: !9@$C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-2369717338
Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction ID: 4cd508ff09270142ca7a6984d66ae253fefa4e1f6983b248f3af4f59f5a14231
Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction Fuzzy Hash: 610108B1D00259DAEF109BA0CA45BEFBBB8EB04354F00403AD645B6290D7789648CF99

Function 00406726 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
wsprintfA.USER32 ref: 00406776
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040678A

Strings

\, xrefs: 0040674E
%s%s.dll, xrefs: 00406770
UXTHEME, xrefs: 0040672F

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction ID: 0c3db372634d2cfba6f48721b0c795b31ebca02323a8b7d7371d162bf0ec7b9a
Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction Fuzzy Hash: FBF0FC7050021966DB15A764DD0DFEA365CAB08309F1404BEA586E20C1D6B8D5258B69

Function 004027E8 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
GlobalFree.KERNEL32(?), ref: 004028A4
GlobalFree.KERNEL32(00000000), ref: 004028B7
FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: Global$AllocFree$ChangeCloseDeleteFileFindNotification
String ID:
API String ID: 2989416154-0
Opcode ID: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
Instruction ID: cd924008ac91bdcd896aacfcc8aadc4f9c7de1b4393fc14a433ce499bdbf1d56
Opcode Fuzzy Hash: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
Instruction Fuzzy Hash: D931AC32800128ABDF216FA5DE49D9E7A75FF08364F24423AF450B62D0CB7949419F68

Function 004020A5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020D0

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020E0
GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A

Strings

zY, xrefs: 0040211F

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: zY
API String ID: 2987980305-7071710
Opcode ID: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
Instruction ID: efc1da79dccaef9ffb2761d2644f5cd4432d5c2edc08e83b6cf0327c91c21bf2
Opcode Fuzzy Hash: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
Instruction Fuzzy Hash: 2B210832904214E7CF207FA58E4DAAE3A60AF44358F60413FF601B61E0DBBD49819A6E

Function 00405F4A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F5E
GetTempFileNameA.KERNELBASE(0000000B,?,00000000,?,?,004034CA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007), ref: 00405F78

Strings

nsa, xrefs: 00405F55
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F4D

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction ID: 05c77450f8afc2c62a5a11a921c51d956a1ea51751b09822177720344b0c8500
Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction Fuzzy Hash: 02F082363042087BDB109F55DD44BAB7B9CDF91750F14C03BFE48DA180D6B4D9988798

Function 00403A7C Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403A8E
CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403AA2

Strings

C:\Users\user\AppData\Local\Temp\nsn8E3B.tmp\, xrefs: 00403AB2
C:\Users\user\AppData\Local\Temp\, xrefs: 00403A81

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsn8E3B.tmp\
API String ID: 2962429428-700668469
Opcode ID: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
Instruction ID: f2bf129958ed6937e4157d035670f95a6da1e01cb45a681b65e96f9405f647bf
Opcode Fuzzy Hash: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
Instruction Fuzzy Hash: F4E08631640B1896C130EF7CAD4D8853B189B413357204726F1B9F20F0C738A9574EE9

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040596F: CreateDirectoryA.KERNELBASE(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Snetchball,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Snetchball, xrefs: 00401631

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Snetchball
API String ID: 1892508949-564883550
Opcode ID: 686546c29d77d16800122f5f58dad040e92f1cd5cb46c8d43cba2cc5979698c7
Instruction ID: f3b3600b6319d637c5497ea1020ed17c5aedac6227b62b2eaa768bc98e31f113
Opcode Fuzzy Hash: 686546c29d77d16800122f5f58dad040e92f1cd5cb46c8d43cba2cc5979698c7
Instruction Fuzzy Hash: 09115731508140EBCF306FA54D405BF23B09E96324B28453FF8D1B22E2DA3D0C42AA3E

Function 00405E08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395

Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405E5B
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0), ref: 00405E6B

Strings

C:\, xrefs: 00405E0E, 00405E13, 00405E19, 00405E54, 00405E5A, 00405E62, 00405E6A

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
Instruction ID: eca821d8ca18e415d707ee210574ba5bb9731226a542ad11e9256983d04766a4
Opcode Fuzzy Hash: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
Instruction Fuzzy Hash: F7F02831105D5116C6223336AD09AAF1644CE9732471A453FFCE1B52D2DB3C8A539CEE

Function 00406EBD Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
Instruction ID: 14484b0326c8a5630d33184448731c7578348ec986130544f859662fecd3ad08
Opcode Fuzzy Hash: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
Instruction Fuzzy Hash: 04A12471E04229CBDF28CFA8C844BADBBB1FF44305F14816AD956BB281C7786986DF45

Function 004070BE Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
Instruction ID: 16a3963220edad981734dfbd86db7ae4535d0e52bcc7a87e0ef86c627c8cfaa4
Opcode Fuzzy Hash: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
Instruction Fuzzy Hash: 2D912370D04268CBDF28CF98C854BADBBB1FF44305F14816AD956BB281C7786986DF45

Function 00406DD4 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
Instruction ID: e981be8a744509f315cfd76b32476d9c10b76e0a4aa84739a8d113cb33934a41
Opcode Fuzzy Hash: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
Instruction Fuzzy Hash: 37812471E04228CBDF24CFA8C844BADBBB1FF45305F24816AD856BB291C7789986DF45

Function 004068D9 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
Instruction ID: 8182d74baebb800b0d472bca2432a1a472ea96a2662ae7b36db949844af6c4d7
Opcode Fuzzy Hash: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
Instruction Fuzzy Hash: DF815971E04228DBEF24CFA8C844BADBBB1FF44305F10816AD956BB281C7786986DF45

Function 00406D27 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
Instruction ID: 516ab04208dd2bc2fd7cdea6c41d3130492ff38fa800e35acf718bd73fbf6333
Opcode Fuzzy Hash: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
Instruction Fuzzy Hash: A4712271E04228CBDF24CF98C844BADBBB1FF48305F14806AD856BB281C778A986DF45

Function 00406E45 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
Instruction ID: 835baf8de871759411e2c74e4a47f0112f02d54065241c3c7dcda5dc236b3f46
Opcode Fuzzy Hash: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
Instruction Fuzzy Hash: 92712571E04228CBEF28CF98C844BADBBB1FF44305F15816AD856BB281C7786996DF45

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
Instruction ID: ccec74d0ee3a806077926e8984c2e201e8b1f3d886c73ab216be699138b2bca7
Opcode Fuzzy Hash: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
Instruction Fuzzy Hash: 39715771E04228CBEF28CF98C844BADBBB1FF44305F14806AD956BB281C778A946DF45

Function 00403305 Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403319

Part of subcall function 00403484: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403182,?), ref: 00403492

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 0040334C
SetFilePointer.KERNELBASE(155D2F8D,00000000,00000000,004138F8,00004000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000), ref: 00403447

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
Instruction ID: 5f41a1ef9683aad456499e8308d87ccfcfa217f8aa92108fcff4f05b83e24891
Opcode Fuzzy Hash: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
Instruction Fuzzy Hash: 1F319F72A002059FC711BF2AFE849663BACE741356710C13BE814B62F0CB3859458FAD

Function 0040247E Relevance: 4.6, APIs: 3, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0040AC20,00000023,00000011,00000002), ref: 004024C9
RegSetValueExA.KERNELBASE(?,?,?,?,0040AC20,00000000,00000011,00000002), ref: 00402509
RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: CloseValuelstrlen
String ID:
API String ID: 2655323295-0
Opcode ID: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
Instruction ID: e1e6ae2a7b536448810537a1ffa9a52b32d6c636ce9630cd27147c6707bb0a71
Opcode Fuzzy Hash: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
Instruction Fuzzy Hash: 04116371E04208AFEB10AFA5DE49AAEBA74EB84714F21443BF504F71C1DAB94D409B68

Function 00402590 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 039baf7d42ae34e4e7f4f0d82c42536c565db7a64b10d6b3f593835efb4c20b6
Instruction ID: 33ff3e85e785963e302667c06a3cb1355a7acd8bf142a31c2560ef5bcfc7d759
Opcode Fuzzy Hash: 039baf7d42ae34e4e7f4f0d82c42536c565db7a64b10d6b3f593835efb4c20b6
Instruction Fuzzy Hash: 2C017571904104FFE7158F54DE88ABF7BACEF81358F20443EF101A61C0DAB44E449679

Function 00405B02 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EF6: GetFileAttributesA.KERNELBASE(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
Part of subcall function 00405EF6: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405F0F

RemoveDirectoryA.KERNELBASE(?,?,?,00000000,00405CF1), ref: 00405B1D
DeleteFileA.KERNELBASE(?,?,?,00000000,00405CF1), ref: 00405B25
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B3D

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
Instruction ID: eeb49a2f717892c2e0964ab94aaac89db2a73fdd151ed94c70539e0cf44bba43
Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
Instruction Fuzzy Hash: 6CE0E531109A9097C62067349908A5B7AF8EF86314F094D3AF9A1F20D0DB38B9468EBD

Function 004031FD Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 00403222

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
Instruction ID: 301e065564a74905a78554ad982773151ad037ba2d6e6f8d8cd401a7b941de18
Opcode Fuzzy Hash: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
Instruction Fuzzy Hash: E2318D30200219FFDB109F95ED45A9A3FA8EB05755B20847EB914E61D0D738DB509FA9

Function 0040251E Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040254E
RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 6617ca3d26eaa2170afdc71dc748124b2257766e2e1ea0df1a2f7a4cdc0ba340
Instruction ID: 7c766f3f1fb2abd04e903467a79d83897fdaad9d0bba0580308fe752c8381985
Opcode Fuzzy Hash: 6617ca3d26eaa2170afdc71dc748124b2257766e2e1ea0df1a2f7a4cdc0ba340
Instruction Fuzzy Hash: 1B11BF71905205EFDB25CF64DA985AE7BB4AF11355F20483FE042B72C0D6B88A85DA1D

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
Instruction ID: c6e23866af321c238b4b59365f681da1ab702c54c00e726fca3ee5b0521d1f72
Opcode Fuzzy Hash: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
Instruction Fuzzy Hash: 5201D131B242109BE7194B38AE04B2A36A8E754315F51813AF851F61F1DB78CC129B4D

Function 00405A21 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
CloseHandle.KERNEL32(?), ref: 00405A57

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
Instruction ID: 70dcd79ab4e1e9e84cc9ba673cd08f466e07e48f17d85ed3475224309c024e1a
Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
Instruction Fuzzy Hash: A5E04FB4600209BFEB009B64ED09F7B77ACFB04244F808421BE40F2150D67899658A78

Function 00406794 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
GetProcAddress.KERNEL32(00000000,?), ref: 004067C1

Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
Part of subcall function 00406726: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040678A

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 6cfaa89c8510a3ae83a05a93334a7968bfc88d7e7cb527baf598ad9b980e56cb
Instruction ID: 2a593beb9babc16b4b5ae8275dbdfb46ef4ebf17ea7291b62b5d373670c31446
Opcode Fuzzy Hash: 6cfaa89c8510a3ae83a05a93334a7968bfc88d7e7cb527baf598ad9b980e56cb
Instruction Fuzzy Hash: B6E0863260421157D21067705E4897773ACAF94B54302043EF546F3144D7389C76966D

Function 00405F1B Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19

Function 00405EF6 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405F0F

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: 2a9487917742c73a52daa6fa2dda6e447083e2efb983b62a69771bacbdb33add
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: E3D0C972504422ABD2102728AE0889BBB55DB94271702CA35FDA5A26F1DB304C569A9C

Function 004059EC Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction ID: 42ce2bd36b25b14d2ed8d631edf33fc643f4c4eb5ed9af5e51ab4a49ffb09bba
Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction Fuzzy Hash: 9BC04C303145419AD6505B309F4DB177A54AB50741F51553A638AE01A0DA348465DD2D

Function 0040623C Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 00406265

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: 57b18be241489d6c3509c0f1b2cb500900bdd64e2c84313365475615acd8ae2e
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: 16E0E672010109BEDF196F50DD0AD7B371DEB04341F01492EF916D4091E6B5A9309734

Function 00405FC2 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000009,00000000,00000000,00000000,00000000,0040E790,0040B8F8,00403405,0040B8F8,0040E790,004138F8,00004000,?,00000000,0040322F,00000004), ref: 00405FD6

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: d5187e51ab0d96a1766449b5dbb93cac2cdd9e80b7d20ab2fc0b5d8c8d5322e8
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 4AE0EC3221065BABDF109E659C04EEB7B6CEB05360F004437FA55E3150D675E8219BA4

Function 00405F93 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000009,00000000,00000000,00000000,00000000,004138F8,0040B8F8,00403481,00000009,00000009,00403385,004138F8,00004000,?,00000000,0040322F), ref: 00405FA7

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction ID: 61a6516da629700e98a59d605e8380186fb5f41ecf47873683bd74a9a2ef61d4
Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction Fuzzy Hash: 8BE08C3220161EEBEF119E508C00AEBBB6CEB00360F004433FD25E3140E234E9218BA8

Function 00403484 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403182,?), ref: 00403492

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Function 00401F7B Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Part of subcall function 00405A21: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
Part of subcall function 00405A21: CloseHandle.KERNEL32(?), ref: 00405A57

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0

Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C

Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: b93a315dc59908fe351c40803e733eeda605d55301c746aa3fa59235fa4bc662
Instruction ID: dce1314ccbc215d7d9c334b017be086f7c4cc40ba0f87dfe0d8145fd67a5eb82
Opcode Fuzzy Hash: b93a315dc59908fe351c40803e733eeda605d55301c746aa3fa59235fa4bc662
Instruction Fuzzy Hash: 2DF0B432A05121DBDB20BFA59EC49EEB2A4DF41318B25463FF502B21D1CB7C4D418A6E

Non-executed Functions

Function 004055E7 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405646
GetDlgItem.USER32(?,000003EE), ref: 00405655
GetClientRect.USER32(?,?), ref: 00405692
GetSystemMetrics.USER32(00000002), ref: 00405699
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056BA
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056CB
SendMessageA.USER32(?,00001001,00000000,?), ref: 004056DE
SendMessageA.USER32(?,00001026,00000000,?), ref: 004056EC
SendMessageA.USER32(?,00001024,00000000,?), ref: 004056FF
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405721
ShowWindow.USER32(?,00000008), ref: 00405735
GetDlgItem.USER32(?,000003EC), ref: 00405756
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405766
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040577F
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040578B
GetDlgItem.USER32(?,000003F8), ref: 00405664

Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448

GetDlgItem.USER32(?,000003EC), ref: 004057A7
CreateThread.KERNEL32(00000000,00000000,Function_0000557B,00000000), ref: 004057B5
CloseHandle.KERNEL32(00000000), ref: 004057BC
ShowWindow.USER32(00000000), ref: 004057DF
ShowWindow.USER32(?,00000008), ref: 004057E6
ShowWindow.USER32(00000008), ref: 0040582C
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405860
CreatePopupMenu.USER32 ref: 00405871
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405886
GetWindowRect.USER32(?,000000FF), ref: 004058A6
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058BF
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004058FB
OpenClipboard.USER32(00000000), ref: 0040590B
EmptyClipboard.USER32 ref: 00405911
GlobalAlloc.KERNEL32(00000042,?), ref: 0040591A
GlobalLock.KERNEL32(00000000), ref: 00405924
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405938
GlobalUnlock.KERNEL32(00000000), ref: 00405951
SetClipboardData.USER32(00000001,00000000), ref: 0040595C
CloseClipboard.USER32 ref: 00405962

Strings

PB, xrefs: 004058D7

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: PB
API String ID: 590372296-3196168531
Opcode ID: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
Instruction ID: 44a2cb424ceca129f1c721a27905a8e57bc1109532c064cce4e419f7e60c3497
Opcode Fuzzy Hash: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
Instruction Fuzzy Hash: 18A13971900608FFDB11AF64DE85AAE7BB9FB48355F00403AFA41BA1A0CB754E51DF58

Function 00404E0A Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404E21
GetDlgItem.USER32(?,00000408), ref: 00404E2E
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E7D
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E94
SetWindowLongA.USER32(?,000000FC,0040541D), ref: 00404EAE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EC0
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404ED4
SendMessageA.USER32(?,00001109,00000002), ref: 00404EEA
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404EF6
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F06
DeleteObject.GDI32(00000110), ref: 00404F0B
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F36
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F42
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404FDC
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 0040500C

Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448

SendMessageA.USER32(?,00001100,00000000,?), ref: 00405020
GetWindowLongA.USER32(?,000000F0), ref: 0040504E
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040505C
ShowWindow.USER32(?,00000005), ref: 0040506C
SendMessageA.USER32(?,00000419,00000000,?), ref: 00405167
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051CC
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004051E1
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00405205
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00405225
ImageList_Destroy.COMCTL32(?), ref: 0040523A
GlobalFree.KERNEL32(?), ref: 0040524A
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052C3
SendMessageA.USER32(?,00001102,?,?), ref: 0040536C
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040537B
InvalidateRect.USER32(?,00000000,00000001), ref: 004053A6
ShowWindow.USER32(?,00000000), ref: 004053F4
GetDlgItem.USER32(?,000003FE), ref: 004053FF
ShowWindow.USER32(00000000), ref: 00405406

Strings

M, xrefs: 00404FC4
, xrefs: 004053DE
N, xrefs: 004050A5

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
Instruction ID: c306c4130ea67d8582adb4b0d0e706bf782d7aff15223233fd0d43401108afdf
Opcode Fuzzy Hash: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
Instruction Fuzzy Hash: 6C025CB0A00609AFDB209F94DD45AAE7BB5FB84354F10817AF610BA2E1D7789D42CF58

Function 00403F0B Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F47
ShowWindow.USER32(?), ref: 00403F67
GetWindowLongA.USER32(?,000000F0), ref: 00403F79
ShowWindow.USER32(?,00000004), ref: 00403F92
DestroyWindow.USER32 ref: 00403FA6
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FBF
GetDlgItem.USER32(?,?), ref: 00403FDE
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403FF2
IsWindowEnabled.USER32(00000000), ref: 00403FF9
GetDlgItem.USER32(?,00000001), ref: 004040A4
GetDlgItem.USER32(?,00000002), ref: 004040AE
SetClassLongA.USER32(?,000000F2,?), ref: 004040C8
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404119
GetDlgItem.USER32(?,00000003), ref: 004041BF
ShowWindow.USER32(00000000,?), ref: 004041E0
EnableWindow.USER32(?,?), ref: 004041F2
EnableWindow.USER32(?,?), ref: 0040420D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404223
EnableMenuItem.USER32(00000000), ref: 0040422A
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404242
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404255
lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 0040427F
SetWindowTextA.USER32(?,00420D50), ref: 0040428E
ShowWindow.USER32(?,0000000A), ref: 004043C2

Strings

PB, xrefs: 0040426F

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID: PB
API String ID: 1860320154-3196168531
Opcode ID: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
Instruction ID: 6b3c419a8b2de2434844e8cd53afab52d63163afb5b1bd925d395a768d9dd0e6
Opcode Fuzzy Hash: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
Instruction Fuzzy Hash: ECC1D2B1A00204BBCB206F61EE45E2B3A78EB85745F41053EF781B61F1CB3998929B5D

Function 00404570 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004045FB
GetDlgItem.USER32(00000000,000003E8), ref: 0040460F
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040462D
GetSysColor.USER32(?), ref: 0040463E
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040464D
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040465C
lstrlenA.KERNEL32(?), ref: 0040465F
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040466E
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404683
GetDlgItem.USER32(?,0000040A), ref: 004046E5
SendMessageA.USER32(00000000), ref: 004046E8
GetDlgItem.USER32(?,000003E8), ref: 00404713
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404753
LoadCursorA.USER32(00000000,00007F02), ref: 00404762
SetCursor.USER32(00000000), ref: 0040476B
LoadCursorA.USER32(00000000,00007F00), ref: 00404781
SetCursor.USER32(00000000), ref: 00404784
SendMessageA.USER32(00000111,00000001,00000000), ref: 004047B0
SendMessageA.USER32(00000010,00000000,00000000), ref: 004047C4

Strings

N, xrefs: 00404701
6B, xrefs: 0040476F

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$6B
API String ID: 3103080414-649610290
Opcode ID: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
Instruction ID: 424ea1d81b5f8fd67bb79b8421ee67f108f717641e3cc5fc4ea293435da972af
Opcode Fuzzy Hash: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
Instruction Fuzzy Hash: CE6190B1A40208BFDB109F61DD45B6A7B69FB84715F10843AFB01BB2D1C7B8A951CF98

Function 00405FF1 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
GetShortPathNameA.KERNEL32(?,00422AE0,00000400), ref: 0040602B

Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2

GetShortPathNameA.KERNEL32(?,00422EE0,00000400), ref: 00406048
wsprintfA.USER32 ref: 00406066
GetFileSize.KERNEL32(00000000,00000000,00422EE0,C0000000,00000004,00422EE0,?,?,?,?,?), ref: 004060A1
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,004226E0,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
GlobalFree.KERNEL32(00000000), ref: 0040614F
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406156

Part of subcall function 00405F1B: GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
Part of subcall function 00405F1B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

Strings

.B, xrefs: 0040603D
.B, xrefs: 00406044
[Rename], xrefs: 004060D0, 004060E2
%s=%s, xrefs: 0040605C
*B, xrefs: 00406010

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]$*B$.B$.B
API String ID: 2171350718-3836630945
Opcode ID: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
Instruction ID: 7566a5a9e9d08134d14435fb5d3e1561ad96112206bac95af022f508aac3f812
Opcode Fuzzy Hash: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
Instruction Fuzzy Hash: 68310531200715BBC2207B659D49F6B3A5DDF85754F15003EFE42BA2C3EA7CD8228AAD

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
Instruction ID: bc851ab26da2bb863bf3a2ee07eb2f950de800ada4cbee7b2d64f78586a04119
Opcode Fuzzy Hash: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
Instruction Fuzzy Hash: 2C419D71800249AFCF058FA5DE459AF7FB9FF45314F00802AF991AA1A0C734DA55DFA4

Function 00404897 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004048E6
SetWindowTextA.USER32(00000000,?), ref: 00404910
SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 004049C1
CoTaskMemFree.OLE32(00000000), ref: 004049CC
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,00420D50), ref: 004049FE
lstrcatA.KERNEL32(?,C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe), ref: 00404A0A
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A1C

Part of subcall function 00405A82: GetDlgItemTextA.USER32(?,?,00000400,00404A53), ref: 00405A95

Part of subcall function 00406666: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
Part of subcall function 00406666: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
Part of subcall function 00406666: CharNextA.USER32(0000000B,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
Part of subcall function 00406666: CharPrevA.USER32(0000000B,0000000B,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0

GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404ADA
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AF5

Part of subcall function 00404C4E: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
Part of subcall function 00404C4E: wsprintfA.USER32 ref: 00404CF4
Part of subcall function 00404C4E: SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07

Strings

C:\Users\user\AppData\Roaming\Snetchball, xrefs: 004049E7
PB, xrefs: 00404994
A, xrefs: 004049BA
C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe, xrefs: 004049F8, 004049FD, 00404A08

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Snetchball$C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe$PB
API String ID: 2624150263-1177728474
Opcode ID: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
Instruction ID: 03633cdec68ae3b48ba4c7d33c4768738bfb21d85bfcf2e4b9185cba9ee35c0f
Opcode Fuzzy Hash: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
Instruction Fuzzy Hash: 7DA150B1A00208AADB11EFA5DD45BAFB6B8EF84315F10803BF601B62D1D77C99418F6D

Function 004054A9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
SetWindowTextA.USER32(00420530,00420530), ref: 00405517
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Strings

4/@, xrefs: 004054EF, 00405501

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: 4/@
API String ID: 2531174081-3101945251
Opcode ID: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
Instruction ID: 7ab3267fb946cf8e7efc5916356ec1270af3577e2396c2c3629ce5ef3fcb69de
Opcode Fuzzy Hash: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
Instruction Fuzzy Hash: 0F217A71E00118BBCF119FA5DD8099EBFB9EF09354F04807AF944A6291C7788A90CFA8

Function 00406666 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(0000000B,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
CharNextA.USER32(0000000B,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
CharPrevA.USER32(0000000B,0000000B,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0

Strings

"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00406666
C:\Users\user\AppData\Local\Temp\, xrefs: 00406667
*?|<>/":, xrefs: 004066AE

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1678727643
Opcode ID: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
Instruction ID: 80d428334b402c3338f843ea799862c1973996ffb1638880579f4ae0c72fc655
Opcode Fuzzy Hash: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
Instruction Fuzzy Hash: 7E1108518047902DEB3206340C04B7B7F894F977A0F2A087FD8C6722C2D67E5C62967D

Function 00402EBD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402ED5
GetTickCount.KERNEL32 ref: 00402EF3
wsprintfA.USER32 ref: 00402F21

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
ShowWindow.USER32(00000000,00000005), ref: 00402F53

Part of subcall function 00402EA1: MulDiv.KERNEL32(00000000,00000064,00002357), ref: 00402EB6

Strings

... %d%%, xrefs: 00402F1B
#Vh%.@, xrefs: 00402F34

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%$#Vh%.@
API String ID: 722711167-1706192003
Opcode ID: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
Instruction ID: ac0ca11ee9366edb0cc6a28cc5aeb329eacd7d00ab00b3c3670f6d564c8935e4
Opcode Fuzzy Hash: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
Instruction Fuzzy Hash: 3F01A170542225EBCB21BB50EF0CBAB3778EB40744B04443BF505B21D0C7F894469AEE

Function 0040446C Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404489
GetSysColor.USER32(00000000), ref: 004044C7
SetTextColor.GDI32(?,00000000), ref: 004044D3
SetBkMode.GDI32(?,?), ref: 004044DF
GetSysColor.USER32(?), ref: 004044F2
SetBkColor.GDI32(?,?), ref: 00404502
DeleteObject.GDI32(?), ref: 0040451C
CreateBrushIndirect.GDI32(?), ref: 00404526

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction ID: 76b6fc4927f6120469f5ffa52701fcd3ddd76896e52d32ad6f55637f73cee333
Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction Fuzzy Hash: 9E2147B1501704AFCB31DF68ED08B5BBBF8AF41715B04892EEA96A26E0D734E904CB54

Function 00404D58 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D73
GetMessagePos.USER32 ref: 00404D7B
ScreenToClient.USER32(?,?), ref: 00404D95
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DA7
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DCD

Strings

f, xrefs: 00404DA9

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: de178be9688f757f82ef56a4cbeb6693d0582b60b2ea90e1a00f6814b48fd044
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: BB014871900219BADB01DBA4DD85BFEBBF8AF95B11F10016ABA40B61C0C6B499058BA4

Function 00402E25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
wsprintfA.USER32 ref: 00402E74
SetWindowTextA.USER32(?,?), ref: 00402E84
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96

Strings

unpacking data: %d%%, xrefs: 00402E62
verifying installer: %d%%, xrefs: 00402E69, 00402E72

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
Instruction ID: 7ad4584a5e884be7344c254f70e0401137e7e46ce86c3cf658bb2ab9d23be74a
Opcode Fuzzy Hash: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
Instruction Fuzzy Hash: 1DF01D7054020DBAEF219F60DE0ABAE3769EB44344F00803AFA16B91D0DBB899558F99

Function 00404C4E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
wsprintfA.USER32 ref: 00404CF4
SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07

Strings

%u.%u%s%s, xrefs: 00404CD6
PB, xrefs: 00404CDE

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$PB
API String ID: 3540041739-838025833
Opcode ID: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
Instruction ID: 635705270cf82d3fa6c033b13715314544988666452c3f341a93ad76d23c3d90
Opcode Fuzzy Hash: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
Instruction Fuzzy Hash: 5F11E77360512837EB00656D9D45EAE3298DB85374F26423BFE26F71D1E978CC1286E8

Function 00402D3B Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: e74c2f698c9890700b4790f2c47d05d8785518f345c631b22f69380fd2d26fe8
Instruction ID: 1f7d8097ab2fb743d310579a2b4365e3e31c1a4ec17ce584dda370d325fd3950
Opcode Fuzzy Hash: e74c2f698c9890700b4790f2c47d05d8785518f345c631b22f69380fd2d26fe8
Instruction Fuzzy Hash: 1D214B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AF955B11A0D7B49EA49AA8

Function 00401D65 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D7E
GetClientRect.USER32(?,?), ref: 00401DCC
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
Instruction ID: cb7cd4706ec086029cb46641885d9617bace417a5341e65c45b3777010ef1041
Opcode Fuzzy Hash: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
Instruction Fuzzy Hash: 35212A72E00109AFDF15DFA4DD85AAEBBB5EB88300F24417EF911F62A0DB389941DB14

Function 00401E35 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32(?,00000000), ref: 00401E6B
CreateFontIndirectA.GDI32(0040B820), ref: 00401EBA

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
Instruction ID: bfe7ce59390996d5b2ac71ca67757b7c78ff13e1b53bdd881068f9c0e557254e
Opcode Fuzzy Hash: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
Instruction Fuzzy Hash: 66018072504340AEE7007BB0AF8AA9A7FE8E755701F109439F241B61E2CB790449CB6C

Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
Instruction ID: a12cfbdd51ff26f17676da16b1bc06906883597644a76ef85f46b7bf1251d8d3
Opcode Fuzzy Hash: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
Instruction Fuzzy Hash: 2A218271948208BEEB059FF5DA8AAAD7FB4EF84304F20447EF101B61D1D7B989819B18

Function 00405D1A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D20
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D29
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D3A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405D1A

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction ID: 6a6775ee8fa4d5d8d60a890cb1840bbff54d6a4bc9e312217f61a2b57c53a4e0
Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction Fuzzy Hash: 82D0A7625015307AD20167154C09DDF29488F523017094027F501B7191C67C5C1187FD

Function 00401B87 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00597A20), ref: 00401BF6
GlobalAlloc.KERNEL32(00000040,00000404), ref: 00401C08

Strings

zY, xrefs: 00401B8A, 00401BBA, 00401BC9, 00401BF1, 00401C1C, 00401C23
C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe, xrefs: 00401BAE, 00401BB4, 00401BCE

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: Global$AllocFree
String ID: zY$C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
API String ID: 3394109436-3348600575
Opcode ID: 1742c790c76e1204b36b83cb8595e4f796a64baec2cc559805630d203923ff3a
Instruction ID: d16732292a7d53aa36264d1983316191a85a40c43d81ca2894a5c6bdb3dae948
Opcode Fuzzy Hash: 1742c790c76e1204b36b83cb8595e4f796a64baec2cc559805630d203923ff3a
Instruction Fuzzy Hash: 6921A872600208ABC720EB65CEC495E73E8EB89314765493BF502F72E1DB7CA8518B9D

Function 00405DB3 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
CharNextA.USER32(00000000), ref: 00405DC6
CharNextA.USER32(00000000), ref: 00405DDA

Strings

C:\, xrefs: 00405DB4

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
Instruction ID: a81d310af092f64b8c374c4571b8fed5a60269d48026fa3bbeeaae68e06855d2
Opcode Fuzzy Hash: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
Instruction Fuzzy Hash: 71F09661904F542BFB3293648C4CB776B8DCF55351F28947BE6807A6C1C27C59808FEA

Function 00402173 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA

Strings

C:\Users\user\AppData\Roaming\Snetchball, xrefs: 00402238

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Snetchball
API String ID: 123533781-564883550
Opcode ID: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
Instruction ID: 4a55140eb955682c0845ac661669d1effe53c60cfc8a987c49de3bb9103baba8
Opcode Fuzzy Hash: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
Instruction Fuzzy Hash: B2513575A00208AFDF10DFE4CA88A9D7BB5EF48314F2045BAF505EB2D1DA799981CB54

Function 0040541D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040544C
CallWindowProcA.USER32(?,?,?,?), ref: 0040549D

Part of subcall function 00404451: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404463

Strings

, xrefs: 0040542D

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
Instruction ID: ce4d6245f7a5538c18ae28323cba1b5bdda0ccdff68052f186ad3da5f1ae13b7
Opcode Fuzzy Hash: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
Instruction Fuzzy Hash: 2A015E31200608AFDF216F51DD80BAF3A66EB84716F104537FA05761D2C7799CD29F6A

Function 0040626F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,00420530,?,?,?,00000002,C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,?,00406527,80000002), ref: 004062B5
RegCloseKey.ADVAPI32(?,?,00406527,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe,?,00420530), ref: 004062C0

Strings

C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe, xrefs: 00406272, 004062A6

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: CloseQueryValue
String ID: C:\Users\user\AppData\Roaming\Snetchball\Snetchball.exe
API String ID: 3356406503-643423230
Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction ID: 5c8aa4f59809ec7c4ed175be077f356401e74c3ba082423fbe1b6bbc42bea5f4
Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction Fuzzy Hash: 8101BC72100209ABDF229F60CC09FDB3FA8EF45364F01407AFD56A6190D638C974CBA8

Function 00405D61 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405D67
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405D75

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00405D61

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 2709904686-47812868
Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction ID: 27c40c0738421aba4af956c8f0f705930dfe744a77a65273bf6dbb66402e0641
Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction Fuzzy Hash: CBD0A772409D706EE31353208C04B8F6A48CF13300F0D4063E481A6190C2785C424BFD

Function 00405E80 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405EA8
CharNextA.USER32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB9
lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2

Memory Dump Source

Source File: 00000005.00000002.2885224983.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2885194517.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885302506.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885331382.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.0000000000430000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2885869936.000000000043E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_setup.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction ID: 98ea32bb50e75ca8be10b873c57fc005eda9f523d07111d413316ed06cfa332a
Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction Fuzzy Hash: 5FF06235104918AFCB129BA5DD4099EBFA8EF55350B2540B9E880F7211D674DF019BA9

Analysis Process: Snetchball.exePID: 6204, Parent PID: 8100COMMON

Executed Functions

Function 00CC4F58 Relevance: 11.9, Strings: 9, Instructions: 611COMMON

Download Yara Rule

Strings

(bq, xrefs: 00CC55A3
(bq, xrefs: 00CC51CD
(bq, xrefs: 00CC5082
(bq, xrefs: 00CC55CF
(bq, xrefs: 00CC51F9
(bq, xrefs: 00CC5056
(bq, xrefs: 00CC589B
(bq, xrefs: 00CC586F
(bq, xrefs: 00CC5655

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq
API String ID: 0-1872187367
Opcode ID: 1dafae1af67fddf2acbe36d460475453d339d98b17163c05b4803339a5f96d5b
Instruction ID: e3bcb0d6f4b9de198637b60ccd252f73952d18fba933f3ce20342bea71267b40
Opcode Fuzzy Hash: 1dafae1af67fddf2acbe36d460475453d339d98b17163c05b4803339a5f96d5b
Instruction Fuzzy Hash: 43327E34B006548FCB05DF69D494AAEBBF2AF89311F248069D806E7391DF34AD86CB91

Function 00CCC060 Relevance: 8.9, Strings: 7, Instructions: 187COMMON

Download Yara Rule

Strings

+Vq^, xrefs: 00CCC1F2
;Vq^, xrefs: 00CCC1C0
[Vq^, xrefs: 00CCC15C
Uq^, xrefs: 00CCC2BA
kVq^, xrefs: 00CCC12A
{Vq^, xrefs: 00CCC0F8
KVq^, xrefs: 00CCC18E

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID: +Vq^$;Vq^$KVq^$[Vq^$kVq^${Vq^$Uq^
API String ID: 0-2719195581
Opcode ID: 053156b1f88cc5496ed5c44f59efcf0136d02c662bf5b807f517e205032775fd
Instruction ID: 4dc77ff775f2c193cab60dd6dd949760bf8b5ff8987ac4b43987a12d776efc1c
Opcode Fuzzy Hash: 053156b1f88cc5496ed5c44f59efcf0136d02c662bf5b807f517e205032775fd
Instruction Fuzzy Hash: B97104B16017149BD355AB24C95168ABBE2FF80309310CE2ED04A8BB55EB72FA468BC0

Function 00CCC070 Relevance: 8.9, Strings: 7, Instructions: 180COMMON

Download Yara Rule

Strings

+Vq^, xrefs: 00CCC1F2
;Vq^, xrefs: 00CCC1C0
[Vq^, xrefs: 00CCC15C
Uq^, xrefs: 00CCC2BA
kVq^, xrefs: 00CCC12A
{Vq^, xrefs: 00CCC0F8
KVq^, xrefs: 00CCC18E

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID: +Vq^$;Vq^$KVq^$[Vq^$kVq^${Vq^$Uq^
API String ID: 0-2719195581
Opcode ID: 591c4e7c48b2ce02c774fb157c11eaaaf23a52f51dd05f7c8ce8d55149bbcc4c
Instruction ID: df8c0528b8ed645c906923ef8f384470651018eb7e8f9f3b7b9115b4ef0e03fd
Opcode Fuzzy Hash: 591c4e7c48b2ce02c774fb157c11eaaaf23a52f51dd05f7c8ce8d55149bbcc4c
Instruction Fuzzy Hash: 817104B16007149BD355EF64C95169ABBE2FF84309310CE2ED04A8BB55EF72FA468BC0

Function 00CC3750 Relevance: 3.8, Strings: 3, Instructions: 88COMMON

Download Yara Rule

Strings

(bq, xrefs: 00CC3786
(bq, xrefs: 00CC37B2
(bq, xrefs: 00CC3820

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 35f74d9a42c8e55e646418ed06e0618b7d53f59ab11566cdcb65e95274bec7bb
Instruction ID: c6266e1773b60a5360f74bc28d4c2c0c3357d708cb70987977696b834abfca79
Opcode Fuzzy Hash: 35f74d9a42c8e55e646418ed06e0618b7d53f59ab11566cdcb65e95274bec7bb
Instruction Fuzzy Hash: 88216D35B041900FC31A6B79941463F3BE79FD672131885AEE946D73D1DE288E0B8392

Function 00CC3BE0 Relevance: 3.0, Strings: 2, Instructions: 460COMMON

Download Yara Rule

Strings

(bq, xrefs: 00CC419C
(bq, xrefs: 00CC3DE5

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 6465a41568a63f640d8f9f14b1e2fd4d84be46daba4c1e1889c06679b96f30b3
Instruction ID: a662b0164562670a4115610f68eded015b9b43da1fdfa339a1e1117629075c35
Opcode Fuzzy Hash: 6465a41568a63f640d8f9f14b1e2fd4d84be46daba4c1e1889c06679b96f30b3
Instruction Fuzzy Hash: 16F15D74B102149FCB09EB78D854B6EBBE7AFC9301B14806DE50AA73A5DF389D42CB51

Function 00CCB0B0 Relevance: 1.9, Strings: 1, Instructions: 680COMMON

Download Yara Rule

Strings

eq^, xrefs: 00CCB23E

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID: eq^
API String ID: 0-2643049799
Opcode ID: c1270d10be2c547dfc77c62441ec83813d2ecbb65b974cda68c2d331dd148437
Instruction ID: 557d5d0865a1d95caca2bbef45cba921fff06f4a4a0f2860ec9a39c3afc2fc69
Opcode Fuzzy Hash: c1270d10be2c547dfc77c62441ec83813d2ecbb65b974cda68c2d331dd148437
Instruction Fuzzy Hash: BA524934A11200CFDB19EF74E558A6D7BB2FB84306B24C56DD41A8B366DB39ED82CB41

Function 00CC385A Relevance: 1.6, Strings: 1, Instructions: 300COMMON

Download Yara Rule

Strings

(bq, xrefs: 00CC3BA1

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: e53ac60ba96063c0fa9db7de749cf23c0d82ff1b797398813f121b19309bddc2
Instruction ID: bc20529e70ab844ca883be99ecd7ee3f582062e184f2e9d3c82a23bb5b003534
Opcode Fuzzy Hash: e53ac60ba96063c0fa9db7de749cf23c0d82ff1b797398813f121b19309bddc2
Instruction Fuzzy Hash: C3C14074B10258AFCB05DBA8E854BAE7BF7AF8C701F108069E905A7394DF399D41DB90

Function 00CCC798 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

s@q^, xrefs: 00CCC95C

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID: s@q^
API String ID: 0-3044107695
Opcode ID: 619595ca5d4b0b1379deb476560414e14348f8efa929eb724f12e7bbd9f9de49
Instruction ID: ef3212da964bfafebf51d0ad4df38499c1ab75baf20db62fbd619bd1abd8681f
Opcode Fuzzy Hash: 619595ca5d4b0b1379deb476560414e14348f8efa929eb724f12e7bbd9f9de49
Instruction Fuzzy Hash: 2F51F1B26007109BD356AF24C85158ABBE2EF85705314CE2ED04A9B755EF72FA4B8BC0

Function 00CCBEAF Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00CCBF75

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: dfd072aca78711d03d4357769a856a57da1ce39412c95d5eebe2ece8c71f3dda
Instruction ID: 01b8dde0ba564c68c63879fcb374629c338865baff175c544dfb81105ed5cf43
Opcode Fuzzy Hash: dfd072aca78711d03d4357769a856a57da1ce39412c95d5eebe2ece8c71f3dda
Instruction Fuzzy Hash: CC416B347001048FC744EF7DC898A6EBBE6BF89B10F2585A9E506DB3B2DA71DD058B80

Function 00CCBEC0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00CCBF75

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: e8e51a637ae85323d308541134ea8be99a186ec21f7e6022ba4d431090484f44
Instruction ID: 2c8ef1ed612bc569906e0731fc657ee6bfe5c9141098f6e0d68a07b426ad6e24
Opcode Fuzzy Hash: e8e51a637ae85323d308541134ea8be99a186ec21f7e6022ba4d431090484f44
Instruction Fuzzy Hash: 1F415C347005048FC744EF6EC498A6EBBE6FF88B10B2584A9E506DB3B6CB71DC018B80

Function 00CC2B10 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00CC2B35

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 22cae7d28505245d50f488a8079134d2fc5182188df4af99b8559f6a3a12a82e
Instruction ID: c0d614b1a8ff9a45e47a9e1da2261dc45a11465d858b7b3cf996243ccdcc83a1
Opcode Fuzzy Hash: 22cae7d28505245d50f488a8079134d2fc5182188df4af99b8559f6a3a12a82e
Instruction Fuzzy Hash: CF310E357102058FD749AB35D45462E37B2EBCAA14720856DD14ACF3A9DE39DC43C78A

Function 00CCC312 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

Uq^, xrefs: 00CCC2BA

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID: Uq^
API String ID: 0-2582887146
Opcode ID: e68e872185debad61f61925cb145e5c89370ff336e7bd705101d5b7887c79f5a
Instruction ID: fda04563709c84ff17a756e7e378c7b361fcebbd01d55fb380af7b4bfae8bf66
Opcode Fuzzy Hash: e68e872185debad61f61925cb145e5c89370ff336e7bd705101d5b7887c79f5a
Instruction Fuzzy Hash: 87218EB26017049BC745DFB5DA5159ABBE2FF853153009EAEC04A9FA41EB32B907CBC1

Function 00CC4237 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

(bq, xrefs: 00CC4295

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: e077e657585d830c4900b7d36d395e005435851a7044c0a72354e168d059ba4c
Instruction ID: ec1d1ddbafea0b85ffebe12a9fbf22411ae72bd3a1813e0b4a70fa9972a5345f
Opcode Fuzzy Hash: e077e657585d830c4900b7d36d395e005435851a7044c0a72354e168d059ba4c
Instruction Fuzzy Hash: E51148216082D04FC3075B7994252BE3FA3DFD261234889EED4C6CB742CE284D0BC781

Function 00CC1049 Relevance: .8, Instructions: 840COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba930ba44e8d07b34012d933967552edda7f4aaf3c91c3627b30a341e647f00a
Instruction ID: b16e84a99153103a81cde6cb5ec92154ba5afbe31129445c21e29315f2ba90c5
Opcode Fuzzy Hash: ba930ba44e8d07b34012d933967552edda7f4aaf3c91c3627b30a341e647f00a
Instruction Fuzzy Hash: 988293B4620319DBDF06EBA4D554B6E7BB2EB8C302F108418E90523799CF3D6D91EB25

Function 00CC1058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b1a198ac804884fcd2d7784d03a388eea59e6620ef6ea6cba1976170f46e07a
Instruction ID: 6ad1aa1ab005c2231e901b274245f2350b37ee4a6b652ac0b5e276024741d720
Opcode Fuzzy Hash: 3b1a198ac804884fcd2d7784d03a388eea59e6620ef6ea6cba1976170f46e07a
Instruction Fuzzy Hash: 6982A3B4620319DBDF06EBA4D554B6E7BB2EB8C302F108418E90523799CF3D6D91EB25

Function 00CCAF90 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e06829d97a05e10b74955be6170025dce3f79dc10802aaf2e78b14069a5b93
Instruction ID: 783bebcb51d181cb95bc46c369f39d8c19d7c7151114301149f87239e538048f
Opcode Fuzzy Hash: e0e06829d97a05e10b74955be6170025dce3f79dc10802aaf2e78b14069a5b93
Instruction Fuzzy Hash: 7951E4B190E3D04FD707AB78D8616897FB1EF93205B0985DBC095CB1A3EA285C0DC7A6

Function 00CCBB99 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21cbc8bda6a1ec887f442d2eedb77dc1997fb62b286ecf5922ba78fcdd389df4
Instruction ID: ded2ec7a3c7dab569bca5a55a7239b8d73cbd6dc4aa679368af64971dbe7c225
Opcode Fuzzy Hash: 21cbc8bda6a1ec887f442d2eedb77dc1997fb62b286ecf5922ba78fcdd389df4
Instruction Fuzzy Hash: 4F811978A22201CFD306FB64F68AE697BB2FB44305B15C56DD1298B22AC738ED45DF40

Function 00CC5A91 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b47ebbd0cdd215d9f6f541afd7804b473b57f49fe501ea122081fbb9483484a
Instruction ID: eca0e42ddc690a908b07ba89fcb43d2fa6c60ce181d9e8bd29823dfce9553de6
Opcode Fuzzy Hash: 0b47ebbd0cdd215d9f6f541afd7804b473b57f49fe501ea122081fbb9483484a
Instruction Fuzzy Hash: AB513A74B006058FCB04EF69D594AAEBBF6EF89310B1141ADE509DB366DB30ED41CBA0

Function 00CC5240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b4fda65fe22585f73379c09028375c7933063272d6b75566ba994bf91302fe
Instruction ID: b8e418f9d132a78d431e0052167f80a98d6c8b1870136b944068606c8421a0ae
Opcode Fuzzy Hash: 25b4fda65fe22585f73379c09028375c7933063272d6b75566ba994bf91302fe
Instruction Fuzzy Hash: E3511B35E10618DFCB18DFA5D584BADB7F2BF88311F14806DE415A72A4DB74AD81CB90

Function 00CC2850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9e5028c076e5d517a71035ef1b71740dcb50662136e9043321c7f47740fa95
Instruction ID: 2b7875cff5e57601f037adf1bddda73a4c7ab6421b76fd71e8762cf554138a53
Opcode Fuzzy Hash: 0a9e5028c076e5d517a71035ef1b71740dcb50662136e9043321c7f47740fa95
Instruction Fuzzy Hash: 1E410874E50208DFCB19EFA5D884A9EBBF2FF88301F209529D905A7255DF349945CF50

Function 00CCC000 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f04d0ae27af305f82cbbccf747a56830aa35b4c036d36430d942d1feedc552
Instruction ID: 12e9d1131d6c27228f344298b4fba4d3466bed97bcf5772f82bd4571d58086ef
Opcode Fuzzy Hash: 47f04d0ae27af305f82cbbccf747a56830aa35b4c036d36430d942d1feedc552
Instruction Fuzzy Hash: C83190347002109FCB04EFA9D886E99BBF6FF89711B14859DE505DF366CB719D029B90

Function 00CC5308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f430fbb59053a24cd36508c1cb004c2b9b4895232b9ce63c73bf553d9a45cb
Instruction ID: 5f6318735964867e10ad34e559afc9b1bada4815bf0cfafd9bb9042283b31dc3
Opcode Fuzzy Hash: f5f430fbb59053a24cd36508c1cb004c2b9b4895232b9ce63c73bf553d9a45cb
Instruction Fuzzy Hash: AE410D74A10514DFCB48EFA5E494AADB7B2FF88301F208469E505A7364DB34AD82CF50

Function 00CC2842 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a9f91b077611a21d23ee40c84b8d8e95c712d349f6b3754d1e22e960149d1f
Instruction ID: 7ceeca006a1dae7f8706ab95d2b0069ecab0a3139a21d781afdc7d6fb2780e8b
Opcode Fuzzy Hash: 10a9f91b077611a21d23ee40c84b8d8e95c712d349f6b3754d1e22e960149d1f
Instruction Fuzzy Hash: E3314874D50208DFCB19DFB4D494AEEBBB2EF88301F248929D845A7254EF349986CB50

Function 00CC2C48 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 745a8bb11011b150862f77b2ce064bd1b67abfd7e5c832fb73b47a31c399c994
Instruction ID: dda48541aebab2f26a0308a2039a27012519ab9cc5b77007e627cebe86e5fbf2
Opcode Fuzzy Hash: 745a8bb11011b150862f77b2ce064bd1b67abfd7e5c832fb73b47a31c399c994
Instruction Fuzzy Hash: 3B415E74910209CFCB45EF68D484AEEBBB1FF49311F109969D906A7395DB349E81CF90

Function 00CCB0A0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a905c8ae284ed13a5a358906e0462d9bb7cc1f4605f0ca07bb4d165a7e3070d
Instruction ID: 56e942e676e174c3243b3f3a84ccc57045c4c5dc9910f223506183603b54fe4f
Opcode Fuzzy Hash: 0a905c8ae284ed13a5a358906e0462d9bb7cc1f4605f0ca07bb4d165a7e3070d
Instruction Fuzzy Hash: E0310570A002149FDB14EBB8D955BADBBE2FFC5301F00892DD01AAB395DF756D068B80

Function 00CC4B50 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018fc6073deed1f30fc66b4fc7ab7eaae79c7965b3832eb8084c2523f950a187
Instruction ID: 4066e5fd6d9bbdd4aa2ad434f2dc1cfa715664d480e392120b1e446cdbfdae42
Opcode Fuzzy Hash: 018fc6073deed1f30fc66b4fc7ab7eaae79c7965b3832eb8084c2523f950a187
Instruction Fuzzy Hash: 6621E4702043515FC706EF78D890A6E7BE2EFD1312B048D69E4498F356DF74AD8A8B91

Function 00CC2C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01acb08e8b7871e1638a60627875320f3f2d9a1bd791d12c0bf4c20e1244063
Instruction ID: 7b66088360b649bd20361432ce0f077e62cf3f260e3e16fb3444f0d7ca305780
Opcode Fuzzy Hash: f01acb08e8b7871e1638a60627875320f3f2d9a1bd791d12c0bf4c20e1244063
Instruction Fuzzy Hash: C5310C74910209CFCB45EFA4E484AEEBBF1FF48315F109969D916A7394EB349A81CF90

Function 00CCCEC0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72722fa3d75bd3402ccc5d090a4ec969263db812e62ae5915f2b9f5569070a5
Instruction ID: bd5e63f2270783aabd1e362edbc2b00788c498f1a489ee9b53dfb9f3328b00f3
Opcode Fuzzy Hash: c72722fa3d75bd3402ccc5d090a4ec969263db812e62ae5915f2b9f5569070a5
Instruction Fuzzy Hash: 8B213770C012189FDB24DFA9C689B9DBBB2EB48314F20846EE809A7250CB7A5945DF50

Function 00CC4B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01bf1bf5f2977b67f30a4b1eb3eb8bbcd2648d9ff660d3a709da8ebdad24239d
Instruction ID: 30d967af1ec4c79c7d75e004a5d32482ee37ea420466ad04b5b264e4c93cc561
Opcode Fuzzy Hash: 01bf1bf5f2977b67f30a4b1eb3eb8bbcd2648d9ff660d3a709da8ebdad24239d
Instruction Fuzzy Hash: 092193702003115FC705FF79E880A6E77E6FBD0312B048E29E4098B355DF70AD8A8B94

Function 00CCCED0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c802e6e0c49b3a3d85ef4a3a487b850aaaab0e3081269b6076382d20e49da1fc
Instruction ID: 80fbb878de12cabc70010fbf22807662c80159a175d092f79bcb13e405886ce8
Opcode Fuzzy Hash: c802e6e0c49b3a3d85ef4a3a487b850aaaab0e3081269b6076382d20e49da1fc
Instruction Fuzzy Hash: D2212870D00208DFDB25CFA9C698B9DBBF6EB48311F20845EE809A7340CB795945CF50

Function 00CC5C41 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88998e209f483a504c34dffe53ff2dc90dba80a193cb0c9606dacbcbb0fca110
Instruction ID: 5dc76709e7078cf0cf0719af725629c6ccc964ee9cdd06e17860da008891edf7
Opcode Fuzzy Hash: 88998e209f483a504c34dffe53ff2dc90dba80a193cb0c9606dacbcbb0fca110
Instruction Fuzzy Hash: 0E214C35A043988FCB11CBA5C5A4BDD7FF1AF4D310F2500A9D845AB2A2CB796D85CB60

Function 00CC5C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c35fcf0e4bdaab1d705a509dc7fcb27864a104f47edde7db5d6be71cd8f7d1
Instruction ID: de6526ac21c4af7ef68f2f6a70585db5cb974d6c3f17e39efb342e53ff4dc696
Opcode Fuzzy Hash: 55c35fcf0e4bdaab1d705a509dc7fcb27864a104f47edde7db5d6be71cd8f7d1
Instruction Fuzzy Hash: FA21F975A002188FDB14DB99D584FDDBBF1AF4C310F2000A9D505BB260DB75AE84CBA0

Function 00CC6888 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2207416f8b268139fd452f678ad8dc89dae8df8539f93588587a95449faf21b9
Instruction ID: 5ec81795f1a7c70cbd2050421b46f8bd733f308d1411f230c0b70872f1869670
Opcode Fuzzy Hash: 2207416f8b268139fd452f678ad8dc89dae8df8539f93588587a95449faf21b9
Instruction Fuzzy Hash: 98218E31900205CFDB10DFA4CB09BAEBBF1AF49315F1480BEC016AB2A2DB758E49DB51

Function 00CC5911 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d11844b35fcbd56397edf28513315224a1f608115c1a51733cfee617373128
Instruction ID: a9e46370aaf5985e539759348b14ae7659e85c2a4ad0a6490fb775f51fc0eb6e
Opcode Fuzzy Hash: 25d11844b35fcbd56397edf28513315224a1f608115c1a51733cfee617373128
Instruction Fuzzy Hash: DA01F5723092808FC7429B74E4A49997FB1EF8B32432884EFD944CB363CA348C06CB61

Function 00CC32E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f459f0973ee2ba5580bb7196dc2ca4465e422bdff6916a65881753c1fe6f31de
Instruction ID: f86b9d44eda0bde23d5c33e388a2b5256b0540462065e14b83ba5e1e0e599a8c
Opcode Fuzzy Hash: f459f0973ee2ba5580bb7196dc2ca4465e422bdff6916a65881753c1fe6f31de
Instruction Fuzzy Hash: 10117038E511808FCB44EFB4E458BEE7BF2AB89305F04586DD48297381DF395895CB50

Function 00CC5940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13963a1a3a1a59d4c89ed35c31a532267dabf21166f38f11fe18aaf117d7f883
Instruction ID: 5c54998a1939eb2de4e390d9ba61994c08ce3c3893b8ee9b4bfd3570185da8c0
Opcode Fuzzy Hash: 13963a1a3a1a59d4c89ed35c31a532267dabf21166f38f11fe18aaf117d7f883
Instruction Fuzzy Hash: 1E0131767101109F8704EE69E494D1EB7A6EBC9661310857EEA05C7350DE359C06C7A0

Function 00CC2A80 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbac9bbc1ce0d15100a6071d4fdba2baca52eeb8e379eb1ce5be05b7770657c2
Instruction ID: 92d0dd1cdb63110f904bd7b87d492a8522a28a4039df9f8f00e5beea0f111d61
Opcode Fuzzy Hash: cbac9bbc1ce0d15100a6071d4fdba2baca52eeb8e379eb1ce5be05b7770657c2
Instruction Fuzzy Hash: EF019AB56107408FC715AF78C41999A7BF1EF85B1531089AAE08ACB326EF31ED058BC0

Function 00CC32F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78bba4b7df79ddae6e92ff5833cd3c044c943216bfbb5bcbde014668c6e3e768
Instruction ID: 7a80110b07730bceb628c3fc738f5753621810001100009f85b921783d720d12
Opcode Fuzzy Hash: 78bba4b7df79ddae6e92ff5833cd3c044c943216bfbb5bcbde014668c6e3e768
Instruction Fuzzy Hash: D5019E38E50244CFCB08EFB4E418B9E7BF2AB88305F00982DD542A3384DF795894DB50

Function 00CC6388 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a50dd46f9f7e5e6a33455dccb59d2aa08eb5e37aa38d0f566127b7fcf6e01cc
Instruction ID: 22602ba4b7be54cd914d1b50bbe3061708af44be9391638c1a50f4f70baeaf5f
Opcode Fuzzy Hash: 4a50dd46f9f7e5e6a33455dccb59d2aa08eb5e37aa38d0f566127b7fcf6e01cc
Instruction Fuzzy Hash: C701D170D05288AFCB41EF78D9906ADBFB1EF56301B2489DAD448EB252DA344E05DB41

Function 00CC41D0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90861574cac77b7bdc806d875f5354e37c297aa68bf0567607c155c45ff5ccc
Instruction ID: 22471ddef2a3ca644c534dd7d82509058dc038e31665d674290b7da1d4d1f53e
Opcode Fuzzy Hash: e90861574cac77b7bdc806d875f5354e37c297aa68bf0567607c155c45ff5ccc
Instruction Fuzzy Hash: 72F09E306082802FC359ABB5A8A29BF3FA7EBC96103584C6EF449D7302CF251D078725

Function 00CC41E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e994687d89ddfc2af5050c23e78e0f5fe9783db31054c3590ca20047a9deb1
Instruction ID: a2e2f0bc05e4d6f9cb5233cfc9404320c3a3e865115491d6dca39f71920850da
Opcode Fuzzy Hash: f7e994687d89ddfc2af5050c23e78e0f5fe9783db31054c3590ca20047a9deb1
Instruction Fuzzy Hash: FDE0ED71B042146F9708BABAA851A7F7ADAEBC8A60754482AF409D7300DF212D0247A9

Function 00CC5610 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283be25418c2ad96279f13028300345cb1e5ac1e0436b6bf35f5a723af769c5c
Instruction ID: dd169b07aad030f6e966e14fda92defd87ce7750d35ea3f49402e55436641d14
Opcode Fuzzy Hash: 283be25418c2ad96279f13028300345cb1e5ac1e0436b6bf35f5a723af769c5c
Instruction Fuzzy Hash: 3CE0CA25A8E7C01FC7230A285CB61E47F35CA5351831D04EB9C84CA563C81E986F9722

Function 00CCCFE0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b727f8d6e6aff3121847dabb5aa2615e9999295dfc92d8e0d37cc7bf687c3bf9
Instruction ID: cd46a674d8a036ee531ba6580915fe5ef60d1ea26296f6d2d731e638271dc664
Opcode Fuzzy Hash: b727f8d6e6aff3121847dabb5aa2615e9999295dfc92d8e0d37cc7bf687c3bf9
Instruction Fuzzy Hash: 28F05C2100E3841BEB31025696447343F459B0230EF1880BFD45B475D2C1AA8D85D741

Function 00CC6398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656b5109c744cac3af9876c93719ecc6bec20443a2be84ff6f848fbce29c5a5b
Instruction ID: 5a02a710110d62a40c3baa2a1cdc11077b3a8112ecf0685e7eb15f0f3cd630fc
Opcode Fuzzy Hash: 656b5109c744cac3af9876c93719ecc6bec20443a2be84ff6f848fbce29c5a5b
Instruction Fuzzy Hash: 6BF01C74E00208AFCB44FFB8E955AADBBF5EB84201F5085A8A848A7345DA305F45AB91

Function 00CC2D92 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a234a7f83512a48802814a3b4e8a632effac1856cb47a1e9f5137d3d0aa59508
Instruction ID: fc1a5bdbd49de9aad0930a711075451b327f611639c4eebad6149815fb305e0b
Opcode Fuzzy Hash: a234a7f83512a48802814a3b4e8a632effac1856cb47a1e9f5137d3d0aa59508
Instruction Fuzzy Hash: 72F01C71E141588FC754EFBCC515ADE7FF1EF8A314B2140E9D549E7322EA3099118B91

Function 00CC1FF8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6cd8efd384f564f81287039b99418c211619ed67a505cac484973c61cc31631
Instruction ID: 312db65b099e9995d405f33456be0680cae7c97ba7546f0a2ed43968edfa6d27
Opcode Fuzzy Hash: f6cd8efd384f564f81287039b99418c211619ed67a505cac484973c61cc31631
Instruction Fuzzy Hash: 89E0D8387852904FCB155778D42885E3FF5DF8B21530908EAE886CB332C935CC62C792

Function 00CC2DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9add29672dbfcec22a410da940e892eebce4a39c27c225b22b490f762af52b3d
Instruction ID: 5e3920a6fa5236b32c97ccf428c65cd346af33623d12c10eb0a74566fecf8d5f
Opcode Fuzzy Hash: 9add29672dbfcec22a410da940e892eebce4a39c27c225b22b490f762af52b3d
Instruction Fuzzy Hash: 86E0ED71E101188F8B94EFBDD5056DE7BF5EF89310B2180AAE519E7311EB709E018B91

Function 00CC374E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c3c5fcb1f0a2c94b68de420fe0d10249f191f8800d6606788adb617e06acb7
Instruction ID: 94f3c366aaa852f52a6cdb30d5d27eccc2f626b5c0f4d14354b003c87f6d896b
Opcode Fuzzy Hash: e1c3c5fcb1f0a2c94b68de420fe0d10249f191f8800d6606788adb617e06acb7
Instruction Fuzzy Hash: BCE07236B001900B8339823AB408AFE27B39BC8220318803DDC09C3304EE208E0B8781

Function 00CC66C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f680b19ac0ece35216ce15e5e155b17358b3f1e918403913d1ece3c53bbfa285
Instruction ID: 794a1b5101e056d78f2e0b36fd3280250212bcb6d1228cf3f02ca3f1a93a30a4
Opcode Fuzzy Hash: f680b19ac0ece35216ce15e5e155b17358b3f1e918403913d1ece3c53bbfa285
Instruction Fuzzy Hash: 9FD05E327092908FC3462B6CA8100993BE5EFCB62131985A7F141DB357CE654C06A391

Function 00CCCAA0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b36f3cbb5a67fbd5fc38e158b57b8ca52619fd466d2682eb7633ca84801bd4
Instruction ID: 823d8ab4ff9e9e0d4791b393c3f0e5414724dfbe037fcd526bc318402fdcca06
Opcode Fuzzy Hash: a6b36f3cbb5a67fbd5fc38e158b57b8ca52619fd466d2682eb7633ca84801bd4
Instruction Fuzzy Hash: 7DD0A7767893C4AFF303466915F77C03FA0DF62217F500096D545CE043C0151803D361

Function 00CC6469 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013285332d128187e913ef875e294145d22c5933e61656c795fa8fa9c28044c6
Instruction ID: 75fd8d572dbbab4c2b75974897cc4a3033a89f26bb40b09e7335c6f28e4ed3d7
Opcode Fuzzy Hash: 013285332d128187e913ef875e294145d22c5933e61656c795fa8fa9c28044c6
Instruction Fuzzy Hash: EAE017B42543408FC3489B98D54191937F6FF9D36070044EAE448CB37ADA24DC828B19

Function 00CC6478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd374bd3ef69a8b2bc59fc3181554bb976c6cd819363f7fd1a7df26bc0b19d2
Instruction ID: 8e454cb9d4be56fc8cf58fa72ead00bea172524c16c37194caa4854d036e8ddd
Opcode Fuzzy Hash: cfd374bd3ef69a8b2bc59fc3181554bb976c6cd819363f7fd1a7df26bc0b19d2
Instruction Fuzzy Hash: 6EC012B43403048FC308EB6CE48082637EAEB8C71131045A9E94DCB339CE20FC828A18

Function 00CC5640 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3195d7c89155adc8728eccb258e9680435880125b06087540b1916aefc01e7b7
Instruction ID: 5d6207019e667b4d69dc9c41ecd00ea12b6e0dfac3b8d497546b907c406ead1b
Opcode Fuzzy Hash: 3195d7c89155adc8728eccb258e9680435880125b06087540b1916aefc01e7b7
Instruction Fuzzy Hash: BDB02B385802096787101595EC08911371DEB406183800198FC0800201AD23ECA00080

Function 00CC380B Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2904808903.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e51b36eb03eb23a4804b8ef09b65e7085801ffa514d0f20290970e8e267a21
Instruction ID: ade343b662e2dba3b84b21985cbf843982d0741fe4037e829e091e8af3819e61
Opcode Fuzzy Hash: b9e51b36eb03eb23a4804b8ef09b65e7085801ffa514d0f20290970e8e267a21
Instruction Fuzzy Hash: EEB012367E005453D60052C870553FD2386D3C573BF14083BE709D51C4CBD348922340

Analysis Process: Snetchball.exePID: 5820, Parent PID: 8100COMMON

Executed Functions

Function 008E4F58 Relevance: 11.9, Strings: 9, Instructions: 603COMMON

Download Yara Rule

Strings

(bq, xrefs: 008E586F
(bq, xrefs: 008E51F9
(bq, xrefs: 008E55CF
(bq, xrefs: 008E55A3
(bq, xrefs: 008E5082
(bq, xrefs: 008E589B
(bq, xrefs: 008E5056
(bq, xrefs: 008E5655
(bq, xrefs: 008E51CD

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq
API String ID: 0-1872187367
Opcode ID: 612953eefeab4c0f13c4348629ee4f3e53a7460be440aa8ebad82da7b434cc58
Instruction ID: a4941e8e45039b5430ce187d3a9c6c4053263f319bafcf688692bf6f99754f71
Opcode Fuzzy Hash: 612953eefeab4c0f13c4348629ee4f3e53a7460be440aa8ebad82da7b434cc58
Instruction Fuzzy Hash: 90328A34A006588FDB04EF69D4546AEBBF2FF8A305F248469E506EB391DB74DD02CB91

Function 008EC060 Relevance: 8.9, Strings: 7, Instructions: 187COMMON

Download Yara Rule

Strings

KV#r^, xrefs: 008EC18E
+V#r^, xrefs: 008EC1F2
{V#r^, xrefs: 008EC0F8
U#r^, xrefs: 008EC2BA
[V#r^, xrefs: 008EC15C
;V#r^, xrefs: 008EC1C0
kV#r^, xrefs: 008EC12A

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID: +V#r^$;V#r^$KV#r^$[V#r^$kV#r^${V#r^$U#r^
API String ID: 0-1467761556
Opcode ID: 3ad4f4606b6e5761b7a622a15b9fe4c1975642541ace70f6665155eb34f62e58
Instruction ID: 15563ca303c48b11e9c9dc4995803ce220b89df63d5b0e17a6dd30f2bea69569
Opcode Fuzzy Hash: 3ad4f4606b6e5761b7a622a15b9fe4c1975642541ace70f6665155eb34f62e58
Instruction Fuzzy Hash: AF712771600B009BD355EB69C95059BBBE2FF81305314CE6E914A8FB55EF72FA0A8BC1

Function 008EC070 Relevance: 8.9, Strings: 7, Instructions: 180COMMON

Download Yara Rule

Strings

KV#r^, xrefs: 008EC18E
+V#r^, xrefs: 008EC1F2
{V#r^, xrefs: 008EC0F8
U#r^, xrefs: 008EC2BA
[V#r^, xrefs: 008EC15C
;V#r^, xrefs: 008EC1C0
kV#r^, xrefs: 008EC12A

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID: +V#r^$;V#r^$KV#r^$[V#r^$kV#r^${V#r^$U#r^
API String ID: 0-1467761556
Opcode ID: 8e788500b3ffa5199711f12108c6dee8874b97e8d8b05611994652de44bc3560
Instruction ID: d24140e4c407b5ea8592348bedf10a9ad2b23abc0771917ed149323a41824b5b
Opcode Fuzzy Hash: 8e788500b3ffa5199711f12108c6dee8874b97e8d8b05611994652de44bc3560
Instruction Fuzzy Hash: 24712771600B009BD355EB69C95059BBBE2FF81305310CE6E914A8FB55EF72FA4A8BC1

Function 008E3750 Relevance: 3.8, Strings: 3, Instructions: 88COMMON

Download Yara Rule

Strings

(bq, xrefs: 008E3786
(bq, xrefs: 008E3820
(bq, xrefs: 008E37B2

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 5a8ac8d3037dd54bb7b6a7e95fe4c2b589867c0c23f9c297af1327a5f81ed55b
Instruction ID: 0fead7b73cc10a956e4370b248331cfba9cdb4105714bc33504415b7efa81e2c
Opcode Fuzzy Hash: 5a8ac8d3037dd54bb7b6a7e95fe4c2b589867c0c23f9c297af1327a5f81ed55b
Instruction Fuzzy Hash: 0A214526B045A04FE3096739581413E3BE7EFC6321758857AEA0BD77C1DE28CD0B8392

Function 008E3BE0 Relevance: 3.0, Strings: 2, Instructions: 459COMMON

Download Yara Rule

Strings

(bq, xrefs: 008E419C
(bq, xrefs: 008E3DE5

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: e36c6e472f9cc4d8c08fe23b8bb9f18d0e67db0890273a51c220128d736afac5
Instruction ID: ee4af5c5e53879eba29cf3d8db97f5cd17d86effff3775247b67b0bd09de027f
Opcode Fuzzy Hash: e36c6e472f9cc4d8c08fe23b8bb9f18d0e67db0890273a51c220128d736afac5
Instruction Fuzzy Hash: 44F19B70B002149FDB05EB69C894A6E7BE7EF89301F158469E90ADB3A4DF34EC428B51

Function 008EB0B0 Relevance: 1.9, Strings: 1, Instructions: 680COMMON

Download Yara Rule

Strings

e#r^, xrefs: 008EB23E

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID: e#r^
API String ID: 0-2923942212
Opcode ID: 5442102e143214759af5e9a99053869cee35f9ff13dcf3a6476ff6d05e3cebe4
Instruction ID: d3ffbbf0adcd20ed536b446f4ad13eb49905bd2c30823c62d23e0a9f15284d4c
Opcode Fuzzy Hash: 5442102e143214759af5e9a99053869cee35f9ff13dcf3a6476ff6d05e3cebe4
Instruction Fuzzy Hash: 01523934A11200CFC719EF29D99896A7BB6FB85315F24C469D40ADB36ADB39EC41CF41

Function 008E385A Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

(bq, xrefs: 008E3BA1

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: b8855f564a103fe30f21cf8f5c229351c90e34527bb507f945f4821504c80753
Instruction ID: d75fcd10fb5dfd5cd144ade82ed6de14b2dd526368e87695b84fa7ad3eec9a2e
Opcode Fuzzy Hash: b8855f564a103fe30f21cf8f5c229351c90e34527bb507f945f4821504c80753
Instruction Fuzzy Hash: 79C16C74B10218AFDB05EBA9D894AAE7BF6FF88311F104029E906E7354DF34AD41DB91

Function 008EC798 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

s@#r^, xrefs: 008EC95C

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID: s@#r^
API String ID: 0-3238824538
Opcode ID: f0795858834448a1c726a358a143498d7e60a8b6a685628a62079e7d58e29040
Instruction ID: f42a587ae3f4b05232dbdd31bbce6114901efe721eb5bc8e8228a8351be4de52
Opcode Fuzzy Hash: f0795858834448a1c726a358a143498d7e60a8b6a685628a62079e7d58e29040
Instruction Fuzzy Hash: CF51F271600B009BD356EB69C84058ABBE2FF85305314CE6ED14E9B755EB72FA4B8BC1

Function 008EC9C0 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

s@#r^, xrefs: 008EC95C

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID: s@#r^
API String ID: 0-3238824538
Opcode ID: 22c0ea31737a283f6524e6f44bc8423860706de97d5146a99bff62f8b2b6a7f9
Instruction ID: 83ff83bdc1cb46e5204ee7bb06aed423a8294c1c8f8215883a9f272ebe10635a
Opcode Fuzzy Hash: 22c0ea31737a283f6524e6f44bc8423860706de97d5146a99bff62f8b2b6a7f9
Instruction Fuzzy Hash: DB419C72A047819FC316DF79D850099BBE1FF863043148BAED04ADB652EB30E9478BC2

Function 008EBEAF Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

Te^q, xrefs: 008EBF75

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: a30860cef6ff2d47724ff67c07785a5ac1d704ab37a3dd1e3428dfa8738e49c9
Instruction ID: 00de7edfc2c78645828ab79abac6b66ca86e5d42a1a5a7e1348518f1e6da1b0f
Opcode Fuzzy Hash: a30860cef6ff2d47724ff67c07785a5ac1d704ab37a3dd1e3428dfa8738e49c9
Instruction Fuzzy Hash: 4C418D347005148FC704DF2EC488A6EBBE6FF89710F2580A9E509DB3B6DA70DC018B91

Function 008EBEC0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Te^q, xrefs: 008EBF75

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 0d94454c9e153de94c409dc707d55f952c4f172e7931214b4628a5a071f92e18
Instruction ID: 4d83ba64f6cf81f2c9c7f97e859250e8228f25ebc34c0dff8b5fb98920dbb5a0
Opcode Fuzzy Hash: 0d94454c9e153de94c409dc707d55f952c4f172e7931214b4628a5a071f92e18
Instruction Fuzzy Hash: 4B415C347005148FC744DF6EC498A6EBBE6FF89710B2584A9E50ADB3B6CB71EC018B91

Function 008E2B10 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

LR^q, xrefs: 008E2B35

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 45fc4108c41dec4c1627f04b371add1a2dd4cc2e5fd3f00c4ba58f20113aad75
Instruction ID: 6320db954530b5d0d70c73b26d738145ab432dd18921577ba1831cfa7fa26f49
Opcode Fuzzy Hash: 45fc4108c41dec4c1627f04b371add1a2dd4cc2e5fd3f00c4ba58f20113aad75
Instruction Fuzzy Hash: F731DA357102058FD709AB3AD49461A37B6EBC9B18B218568D14ACF369DE35EC43CB8A

Function 008E4237 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

(bq, xrefs: 008E4295

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: b2877761e0300e6982a11c026cad7856ba6168c131dd5ae3dbe10e8ccb90faef
Instruction ID: c08d5404123700323cb36b0f5fed8166994c112000d0084c7c3ca05bf28374f9
Opcode Fuzzy Hash: b2877761e0300e6982a11c026cad7856ba6168c131dd5ae3dbe10e8ccb90faef
Instruction Fuzzy Hash: 6C116B357082904FE3069B7C942416D3B93EFD2211748499ED58ACF796CE28DD4BC782

Function 008E1049 Relevance: .8, Instructions: 841COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09cc63a2155056fff890e19d3e20d2214c0e0287ee41857ad58259b343ae74f0
Instruction ID: 03601dd819068d032869adbc08eba0d30958e801bfa8e1deaf744d9a023696c5
Opcode Fuzzy Hash: 09cc63a2155056fff890e19d3e20d2214c0e0287ee41857ad58259b343ae74f0
Instruction Fuzzy Hash: E58231B4620319DBDF06EBA4D594B6F7BB6EB88302F104414E90463399CF397D91EB26

Function 008E1058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d8aa62c86089ba44bcb002531934fa88b35eb1699d804701ff95cf62b0f8f2
Instruction ID: ccdd838ee902361c888dbcf7b9d995401134040cbb9d0ec09cd1d699a5a1f235
Opcode Fuzzy Hash: 77d8aa62c86089ba44bcb002531934fa88b35eb1699d804701ff95cf62b0f8f2
Instruction Fuzzy Hash: 698231B4620319DBDF06EBA4D594B6F7BB6FB88302F104414A90563399CF397D81EB26

Function 008EAF90 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92be81c1c07972a82b239ca8a2ea10608fe23e3a2f02f46cd1016026041b91eb
Instruction ID: 41528b52a31a590776c3a265f9aa1dd70e207f9de62bf5c62d7d6e095c413f8f
Opcode Fuzzy Hash: 92be81c1c07972a82b239ca8a2ea10608fe23e3a2f02f46cd1016026041b91eb
Instruction Fuzzy Hash: 5851E0716097915FD706DB3898A01CABFB2FF93314B06869BC048CB1A7DB346C09C7A6

Function 008EBB99 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48a255bb06f816f9553c7f0947565db502cc4cf1e7791d05eee30e325575591
Instruction ID: 675b6cffcaf0100a5b752073980ee9c2c58b60408e493f09fc3567b37d52201b
Opcode Fuzzy Hash: b48a255bb06f816f9553c7f0947565db502cc4cf1e7791d05eee30e325575591
Instruction Fuzzy Hash: D4811778A11251CFC312FB58EAC996ABBB6FB45315F14C598D1088B22AC778FC49DF40

Function 008E5A91 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916de9b8f59b9656ce08d5cedeb5bfb9f00e7d5c463458dc820cee781f23529b
Instruction ID: 5767205ede68e06e05aa46b9d26d7f0d009c15625c034df6ea7133a279b78a91
Opcode Fuzzy Hash: 916de9b8f59b9656ce08d5cedeb5bfb9f00e7d5c463458dc820cee781f23529b
Instruction Fuzzy Hash: D3516A74B006058FDB04DF69C994AAEBBF6FF89314B1145A8E509DB366DB70EC01CBA1

Function 008E5240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025d19b93d58c02f603a606c7df9b8954f8bb32e03583b734004f4087d9bc9b8
Instruction ID: 8ab153b285571c1c54d972d2269033663ebe94695c44a4bc771559aa2145048c
Opcode Fuzzy Hash: 025d19b93d58c02f603a606c7df9b8954f8bb32e03583b734004f4087d9bc9b8
Instruction Fuzzy Hash: 2D514C30A00658DFDB04DFAAD884AADB7F2FF89319F158069E905E7354DB70AC41CB91

Function 008EB0A0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726b34edf88f2bebf549d5bb72fe215acf04a2484e98ef4ea7dd8907c31c5e15
Instruction ID: 2244f8e7e3333a60976de742873c9398f496db198387b8aa79eb66b58d204037
Opcode Fuzzy Hash: 726b34edf88f2bebf549d5bb72fe215acf04a2484e98ef4ea7dd8907c31c5e15
Instruction Fuzzy Hash: B93128706103488FD705EB79D89069EBBF9FFD6311F008529D009DB396EB34AD058B91

Function 008E2850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c6aab3c9efa06d8551d46a2868e1ac61cc643b29e2de39d3534b4040218b53
Instruction ID: fa744c44d04dc1b0726c772635d8f14605bf73b8b2bacc2022aa722539fd4300
Opcode Fuzzy Hash: f6c6aab3c9efa06d8551d46a2868e1ac61cc643b29e2de39d3534b4040218b53
Instruction Fuzzy Hash: 104149B0E10208CFEB14EFA5D8849EDBBBAFF89305F104929E905A7255EB70AC45CF50

Function 008E2842 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a538f174c03e90e27eee27d5d95f259c09606d0a5abac02941acf740191cb40
Instruction ID: 829b20502b33a40eeebd2f739d141dc21e53ae9539cc52d059f7abedb45d4c57
Opcode Fuzzy Hash: 4a538f174c03e90e27eee27d5d95f259c09606d0a5abac02941acf740191cb40
Instruction Fuzzy Hash: C0418CB0E10208CFEB04EFA5D8809ED7BBAFF89305F104929E505E7254EB749856CB20

Function 008E5308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24ef52496a81163385d7ed6e4850bdf9aad11d9a34163a2c0650618d6709bda
Instruction ID: 3544e5f7904db4faed287264470055a54b70fdde9325279b2382c0a9160fa128
Opcode Fuzzy Hash: a24ef52496a81163385d7ed6e4850bdf9aad11d9a34163a2c0650618d6709bda
Instruction Fuzzy Hash: CF412C74A10558DFCB05EFA5E884AADBBB2FF89315F218465E805E73A4DB34AC42CF50

Function 008E2C48 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e93c6170c4a702da0667bb972162bb5653919a026a3496b7eedfee2b9c77b2c9
Instruction ID: 00dc07a38dcb107beb385bc95ff255ffb3da50810fb6c2fdc7db91e12d1ea9bf
Opcode Fuzzy Hash: e93c6170c4a702da0667bb972162bb5653919a026a3496b7eedfee2b9c77b2c9
Instruction Fuzzy Hash: EF414A74A10209CFDB01EFA8D884AAD7BBAFF48315F104969E905E7394DB31AD51CF91

Function 008E2C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec0c839efa78ab7d2a216d01e2975e8f107069e99923e5a75315b4c22be3ae2
Instruction ID: 1d9c520fd17fd3f6a6617f49ea36a38004ad2fa744469767a16220aac406bd8a
Opcode Fuzzy Hash: 2ec0c839efa78ab7d2a216d01e2975e8f107069e99923e5a75315b4c22be3ae2
Instruction Fuzzy Hash: 0E311C74910209CFDB05EF64D8C46AE7BB9FF48315F104964E905A7354DB31AD51CF91

Function 008E4B5E Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa5d3884234ccc680f54be9637dd83d4391855abc84206ae7046211faefee56
Instruction ID: 751829d4cba38f1544c4e0d269510093ed21ed1bf5919c0fa98cd8ef156b4107
Opcode Fuzzy Hash: 2aa5d3884234ccc680f54be9637dd83d4391855abc84206ae7046211faefee56
Instruction Fuzzy Hash: F32181702047515FD706EB78E89066D7BE6FB80312B048E69E409CB259DF70AD898B96

Function 008ECEC0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d580c00ae24de7e63add3e4520f132e7f9a63ef9c684936f53a85ea7230db35e
Instruction ID: a10f9bc7049a193e2881126f1701c0cf89aaa9f503f8a55591148b63643905fe
Opcode Fuzzy Hash: d580c00ae24de7e63add3e4520f132e7f9a63ef9c684936f53a85ea7230db35e
Instruction Fuzzy Hash: 38214571C04288DFDB25CFA9D548B9DBFB6FB49714F24802AE805A7680CBB5590ACF91

Function 008E4B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35c7fd9b1607adce27dc2fd049abf59ff8dfae3d68442740981973b6c6b312b
Instruction ID: 8407a0f17ac82d209a5afbe5ad55e74771105291eb34857550562e72d1f52998
Opcode Fuzzy Hash: b35c7fd9b1607adce27dc2fd049abf59ff8dfae3d68442740981973b6c6b312b
Instruction Fuzzy Hash: 9C2196702007115FD705EB7DE880A6E77E6FBD0312B048E28E40D8B259DFB0BD894B96

Function 008ECED0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ffe312c0a1a232fc8f84f3a37480b67e44a0fa8ae710025fd2eb1b089ea549a
Instruction ID: cbdedd6b64d7e06e9024f527e96134e73ba7ad9932a0f1ab3771b019f56cb648
Opcode Fuzzy Hash: 0ffe312c0a1a232fc8f84f3a37480b67e44a0fa8ae710025fd2eb1b089ea549a
Instruction Fuzzy Hash: 15212670D04248DFDB14DFA9D548A9EBFF6FB49314F24802AE805A7340CB799905CF90

Function 008E5C42 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc5a3bcf2a8bb08103db9a63c8bb1561a6dd9f253c3f8ee6886ca216232a442
Instruction ID: 9723791a2271c03e8d90c22397d49278fac6624d183ec850388b969df2a945f8
Opcode Fuzzy Hash: 4fc5a3bcf2a8bb08103db9a63c8bb1561a6dd9f253c3f8ee6886ca216232a442
Instruction Fuzzy Hash: DF217F75A042888FDB05CBA9C964BDCBFF1BF0A314F2500A9D441FB2A2CB355D41CB60

Function 008E5C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8451b914f307a3a9524aa5e9689caf25e09315656b8ea4ab6d7e27e7d4e4c82
Instruction ID: db70c9ee58c5e493de083a085cd6aca550e52c40d1e29871d706088129c3398a
Opcode Fuzzy Hash: e8451b914f307a3a9524aa5e9689caf25e09315656b8ea4ab6d7e27e7d4e4c82
Instruction Fuzzy Hash: 5E211575A002588FDB10CBAAC998ADDBBF1FF49314F2000A5E505FB260DB75AD44CBA0

Function 008E6888 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23192b47b8353ff1d8b7a87126f432bd2c2d7cd2244e7b8608445689e16fa51
Instruction ID: bbd3080ad6dbf5b715fd50cba0a1a0000f267b57788235db815c85176b9061f4
Opcode Fuzzy Hash: a23192b47b8353ff1d8b7a87126f432bd2c2d7cd2244e7b8608445689e16fa51
Instruction Fuzzy Hash: 0B216A71900285CEDB10EBA6CA487EEBFF1FF56305F10806AD005E7252EB758A55CB52

Function 008EC313 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280500abd4522ba3ee24f0570f3e5040d7e063f1bca71545965b0fa7e33fef48
Instruction ID: b052b57635c4ddedefcc785b5a534ee0ed2b0689c302103f41304dc42adb7c6c
Opcode Fuzzy Hash: 280500abd4522ba3ee24f0570f3e5040d7e063f1bca71545965b0fa7e33fef48
Instruction Fuzzy Hash: 9A118BB2A067459FC745DFB4D94109EBBE1FF8630430459AEC44ADF602EE31BA068BC1

Function 008E2A80 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dccb56efc3146387011973501dcb2156e479a0f437a8a064b8e7923a857f47d6
Instruction ID: 4294780e1f1d7f0cb3058c802518f40333c115ab7f7fefd97dbed782cb700ceb
Opcode Fuzzy Hash: dccb56efc3146387011973501dcb2156e479a0f437a8a064b8e7923a857f47d6
Instruction Fuzzy Hash: 8311BC346047809FC712EF79C45884A7BF5FF4631431089AAD186DB326DB71EC08CB92

Function 008E5911 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a61966414e7125c0cdb53b878d358a334bf5eff8b2c05dbe3af23adaa90e31
Instruction ID: fc83236ff855d20e456f04f7aca949c2ce1a04d184a798a1be0c2591c392d1b9
Opcode Fuzzy Hash: 74a61966414e7125c0cdb53b878d358a334bf5eff8b2c05dbe3af23adaa90e31
Instruction Fuzzy Hash: 8001F7763052808FD3069F39E494B697FB5EF8B35571944AAD485C7313CA34DC02CB61

Function 008E41A2 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f8ff4a91fa80a01efa723e07c8df23e550d2aeda73d86c4396a714fefefd30
Instruction ID: 97c20776bfaf7d7cc8c23fdf86b300a1361126d6e9604eb2cf376d098e7f6a77
Opcode Fuzzy Hash: 00f8ff4a91fa80a01efa723e07c8df23e550d2aeda73d86c4396a714fefefd30
Instruction Fuzzy Hash: 1A014C7570C2805FE30AAB7898700AD3FA7EFC6211354489BD509DB357CE209D0AC766

Function 008EC000 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c9c1b9cdcb2db04f00d914921d4ad710666adf5129288fef1ed2ba88858de8
Instruction ID: be7d7f8005998f5e339416651aec556484753f0683b21b1bc3ceb116ce1a82d4
Opcode Fuzzy Hash: 37c9c1b9cdcb2db04f00d914921d4ad710666adf5129288fef1ed2ba88858de8
Instruction Fuzzy Hash: 8A115B303106658FCB10EF29E884A99BBF5FF85716B0189A9F549CB666CB71AD058B80

Function 008E32E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3364841073e8c9e86c393b6aec650612ef9c75a83ff06a562d8a96b30b79a4f
Instruction ID: 2d3135cea1164996e778d35e5344e65f4d3327542be5f71c9549c75bc0f05f05
Opcode Fuzzy Hash: e3364841073e8c9e86c393b6aec650612ef9c75a83ff06a562d8a96b30b79a4f
Instruction Fuzzy Hash: 5C115E34A182848FEB05EF78E89879D3FB2EB89310F044898D542C7282DBBD5815CB12

Function 008E5940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748eafb14c48900ecce8003bc9698e8c3dab22daadc40074e971726990ced38c
Instruction ID: 3dfb6589d9b202d69f2354e6119715abcdf645d5d9581bafe470013935eeb56b
Opcode Fuzzy Hash: 748eafb14c48900ecce8003bc9698e8c3dab22daadc40074e971726990ced38c
Instruction Fuzzy Hash: 1B01A4763001108F9704AB6DF49896DB7EBFBC9765310893AEA09C7310CE71EC168BA1

Function 008E32F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66036ce1af76e848a57075671d2e9f1c5dab08bc9b8737ce64726fcf2ace3d4b
Instruction ID: 7614f2c90f7759a19c2c2e75af01460caff49bd7927b99c833283579d414a9b7
Opcode Fuzzy Hash: 66036ce1af76e848a57075671d2e9f1c5dab08bc9b8737ce64726fcf2ace3d4b
Instruction Fuzzy Hash: D6012974E142488FEB04EBB9E558B9E7BB6EB89311F004868D502D7380DFB96C64CB61

Function 008E6388 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564f898f53984015b0b2c0b64bf5fcba344f434fb28c8f0dab12315d14dd0e24
Instruction ID: 7756c45ecf8777e6994e19faf4290e13c7d2865b723d28ebd1114af75824eed1
Opcode Fuzzy Hash: 564f898f53984015b0b2c0b64bf5fcba344f434fb28c8f0dab12315d14dd0e24
Instruction Fuzzy Hash: D6F0C274D04248AFEB00EFB8A84159C7FF2EF46205B1085D5D448E7252D5305F19DB52

Function 008E41E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4904aede5eeca723020373f05d2d2c01b3e68f0b23ac3a7a71a31621964cf669
Instruction ID: 098cb5187216b0572d7546db02722731e52b07f1b50e05e5f13076591e22f5ac
Opcode Fuzzy Hash: 4904aede5eeca723020373f05d2d2c01b3e68f0b23ac3a7a71a31621964cf669
Instruction Fuzzy Hash: CFE05D30B042002FA308AAAEA8408BF26CAFBC82203408C28F50CE7304DF21AC0543AA

Function 008E6398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da958d1b61fca4142836f1a718ac3f85c9e742b139912a956d6ab970af5db1f5
Instruction ID: ba2f2eb0c3bae749fef4e05dfb8ee5b676aa0edb4c7516a8844b48f32af06ff1
Opcode Fuzzy Hash: da958d1b61fca4142836f1a718ac3f85c9e742b139912a956d6ab970af5db1f5
Instruction Fuzzy Hash: BAF08230E00208AFDB00EFA8D84159D7BF6EB84205F1085A8A908E7244DA706F14DB42

Function 008ECFE0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2cdb3e05a29f553b5a4bfcc122157582218516b593d8032a06b9ab1604cbb3
Instruction ID: f52b856ca24f72e2e7d116b9864c5d1521d8f938bc899a909cafc58d8d5fe9d6
Opcode Fuzzy Hash: dc2cdb3e05a29f553b5a4bfcc122157582218516b593d8032a06b9ab1604cbb3
Instruction Fuzzy Hash: 42E0653544D7C05BEB22065165143643F69EB42219F1980B6D8898BA92C6B94C8AE751

Function 008E2D92 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9972665c74a62e289477188eccb5023cdfae09880e0b78684d1549518c71b8
Instruction ID: 90844f38ddaa49f28095d74a1d9af1621860557d9e0aa1ce4444a18c8a83e700
Opcode Fuzzy Hash: 7e9972665c74a62e289477188eccb5023cdfae09880e0b78684d1549518c71b8
Instruction Fuzzy Hash: 55F0A031B14055CFDB58EF6CC4449CDBBF6EB8932472441EAE219DB7A2DB3099228B41

Function 008E2DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac47ca9c16cb1d09f3db66068eee437e658b65df18e6401f5e5ea80f6598d552
Instruction ID: 7392d7a1852f966c7b1bb0a077b7ca9098baf30beb3d27c7c206a8cc505a1005
Opcode Fuzzy Hash: ac47ca9c16cb1d09f3db66068eee437e658b65df18e6401f5e5ea80f6598d552
Instruction Fuzzy Hash: 31E03971E101188F8B84EFAC84056DE7BF5EB49310B2040AAE609E3300EA709E108B92

Function 008E1FF8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7d52add13e45042447025990bb597cd6836e3dc7c937df3b4663b188ab86dc
Instruction ID: 0a532097207f3a5315e9a8a4cd3d3f443b4a54158ce778a1f6990bfc25cb9d6e
Opcode Fuzzy Hash: db7d52add13e45042447025990bb597cd6836e3dc7c937df3b4663b188ab86dc
Instruction Fuzzy Hash: 4AE09236B041518FC7149B7CD0688597BE5EF8A21530208EAF006CB362CE74DC15CB11

Function 008E374E Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b778d7288795fa2b1cf7655bfa9a78aa79d2ed33ba377b5af1e96b8c45de4fa8
Instruction ID: b90f4fd7e0235f721a5a5b41cae02cf0768ca1c8ab879ebc9a3122acf4057870
Opcode Fuzzy Hash: b778d7288795fa2b1cf7655bfa9a78aa79d2ed33ba377b5af1e96b8c45de4fa8
Instruction Fuzzy Hash: 07D0C27EB006108B93195626B40817E3667B7C93627184035CE0DC3318EE308D079B81

Function 008E66C8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7202d0b911662b0bc7827c613dffe5d3511560da5034b79a0363723702dc8aa9
Instruction ID: 3f192fa1dac12bfba01d184b2a7f443bf90d17435f9f74ddc819d61adf7fce65
Opcode Fuzzy Hash: 7202d0b911662b0bc7827c613dffe5d3511560da5034b79a0363723702dc8aa9
Instruction Fuzzy Hash: 2CD0A7213480A01FE201276C34243FC6F869BC9152B480ABBF144C7306CC844E23A792

Function 008E6469 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f45c0815e97f1e11a71d56e2585fac94b3015e500105e1fa6e824451322d8b9
Instruction ID: 18a895a96f04b7793731852c458bb39cf0e7443b364a549ac45c11b4be2a5a36
Opcode Fuzzy Hash: 8f45c0815e97f1e11a71d56e2585fac94b3015e500105e1fa6e824451322d8b9
Instruction Fuzzy Hash: 6FD05E78B583404FE3049B28E0916103BB2EB9D315B0104A5E999CB366C920EC438B25

Function 008ECAA0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6d659aa1c9569686ac2ef0aba1f2891171da709e1c6ce50324fc9dee85ec7f
Instruction ID: c3455bf9cc5b648a73ed37d15a5453b3e14de257633b4902caa0de3d9aef96f1
Opcode Fuzzy Hash: dd6d659aa1c9569686ac2ef0aba1f2891171da709e1c6ce50324fc9dee85ec7f
Instruction Fuzzy Hash: DAC04CE3E593D59FE55745612CB00C43B71A89602579A05A3E494CAA53B508990B8365

Function 008E6478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79be0b5e4b34daefac24b79a76b98196179dccbe5ab474a3181e122d1bdda7c5
Instruction ID: ec39c85a72508781563533b3df7d87c4c8b473a1415582cdaee4a516eb9d96ba
Opcode Fuzzy Hash: 79be0b5e4b34daefac24b79a76b98196179dccbe5ab474a3181e122d1bdda7c5
Instruction Fuzzy Hash: 9DC012747903048FD208EB6CE08082533EAEB8C71571009A9EA0DCB339CE20FC828B28

Function 008E5640 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2904757765.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8e0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f826979493631b6523fee47c8fd882116eabeb8f27b8feda1bc0b41358ae0f84
Instruction ID: 8883243027b762e2b67343e8f7510b9464159ee9d55ce0abf0c32cdf7228fc72
Opcode Fuzzy Hash: f826979493631b6523fee47c8fd882116eabeb8f27b8feda1bc0b41358ae0f84
Instruction Fuzzy Hash: DFB02B305006099796001516EC08522371DFB6111C3400194AC0840110AD23CC204080

Analysis Process: Snetchball.exePID: 4564, Parent PID: 8100COMMON

Executed Functions

Function 017F4F58 Relevance: 7.9, Strings: 6, Instructions: 391COMMON

Download Yara Rule

Strings

(bq, xrefs: 017F51F9
(bq, xrefs: 017F55CF
(bq, xrefs: 017F5082
(bq, xrefs: 017F5056
(bq, xrefs: 017F51CD
(bq, xrefs: 017F55A3

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$(bq$(bq$(bq
API String ID: 0-3607145362
Opcode ID: ba13a301c45e1c151c3d564a555111980bf2ce62b3a130106231efe57617745e
Instruction ID: 0ad74fe1e4bdf8c3d6c9af13fb8807baa0cf6b73e5e4e975f68d647d8c900728
Opcode Fuzzy Hash: ba13a301c45e1c151c3d564a555111980bf2ce62b3a130106231efe57617745e
Instruction Fuzzy Hash: F5E16C34A012198FDB45DFA8C4586AEBBF2FF88311F248069D606EB395DB349D42CB91

Function 017F1049 Relevance: .8, Instructions: 843COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567314a5471eaa0293fd5285596c22eaf9c23ca441dd65dd908164015a61099c
Instruction ID: e48a49b22dcc44d39f4ace8ef65a1670fa3c237e3836b948a1a3fe22da4ff854
Opcode Fuzzy Hash: 567314a5471eaa0293fd5285596c22eaf9c23ca441dd65dd908164015a61099c
Instruction Fuzzy Hash: 9882F6B8610219DBDB06DBA4D554B7E7BB7EB8C302F209054A905333A4CF3D6D91EB26

Function 017FC060 Relevance: 8.9, Strings: 7, Instructions: 185COMMON

Download Yara Rule

Strings

{V2q^, xrefs: 017FC0F8
U2q^, xrefs: 017FC2BA
+V2q^, xrefs: 017FC1F2
KV2q^, xrefs: 017FC18E
kV2q^, xrefs: 017FC12A
;V2q^, xrefs: 017FC1C0
[V2q^, xrefs: 017FC15C

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID: +V2q^$;V2q^$KV2q^$[V2q^$kV2q^${V2q^$U2q^
API String ID: 0-2545838804
Opcode ID: 374ebced041178b2636c0494d6a9b6924b903ecc19cd5bee89cd2ce587cf16d7
Instruction ID: ff7ad90e8df76cbf27e219ce15867f1747dc0fa0a80da4aa2ac8384b73f217a2
Opcode Fuzzy Hash: 374ebced041178b2636c0494d6a9b6924b903ecc19cd5bee89cd2ce587cf16d7
Instruction Fuzzy Hash: 237114726057059FC396EB28C95059BBBE2FF90205314CE2E914A8FB54EF72F9468BC1

Function 017FC070 Relevance: 8.9, Strings: 7, Instructions: 180COMMON

Download Yara Rule

Strings

{V2q^, xrefs: 017FC0F8
U2q^, xrefs: 017FC2BA
+V2q^, xrefs: 017FC1F2
KV2q^, xrefs: 017FC18E
kV2q^, xrefs: 017FC12A
;V2q^, xrefs: 017FC1C0
[V2q^, xrefs: 017FC15C

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID: +V2q^$;V2q^$KV2q^$[V2q^$kV2q^${V2q^$U2q^
API String ID: 0-2545838804
Opcode ID: 098e1e2186bcc3240526b5dda23dde48bfd78ecf7ddedbd8bdda884aefe54e3f
Instruction ID: de5301d521f99ff9ea6b793b4c623cd2de74f72bf22c74dce444d8d84f2ef6c7
Opcode Fuzzy Hash: 098e1e2186bcc3240526b5dda23dde48bfd78ecf7ddedbd8bdda884aefe54e3f
Instruction Fuzzy Hash: B87113716057059FC396EB28C95059BBBE2FF90205314CE2E914A8FB54EF72F94A8BC1

Function 017F5640 Relevance: 4.0, Strings: 3, Instructions: 215COMMON

Download Yara Rule

Strings

(bq, xrefs: 017F586F
(bq, xrefs: 017F5655
(bq, xrefs: 017F589B

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 1b60cc6d93e43d8091ff2055dd7b1da5cd1b3cd10381df8cd1f44dee58b3ebb0
Instruction ID: 6727b1dbc9d05eedf3471d90c822dd6d47e7c77525a43bc0d520d36bbeff15bf
Opcode Fuzzy Hash: 1b60cc6d93e43d8091ff2055dd7b1da5cd1b3cd10381df8cd1f44dee58b3ebb0
Instruction Fuzzy Hash: 0581AC74B012058FCB04DF69D494AAEBBF6AF89700F1480A9E606EB361DF30DC06CB51

Function 017F3750 Relevance: 3.8, Strings: 3, Instructions: 88COMMON

Download Yara Rule

Strings

(bq, xrefs: 017F3786
(bq, xrefs: 017F37B2
(bq, xrefs: 017F3820

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 3618e064d76b83968ce2d138024fab7eeecf3dfaa653a0f5d5d9d355b914be15
Instruction ID: d3b9535f7a971758c946dfa93fe2b120bf6e7e9b7d2fbb0fdb305fc70b56eb56
Opcode Fuzzy Hash: 3618e064d76b83968ce2d138024fab7eeecf3dfaa653a0f5d5d9d355b914be15
Instruction Fuzzy Hash: E9213835B091644FD75AAB7D981013F3BE7AFDA620368816DE506CB3D1DE388C078792

Function 017F3BE0 Relevance: 3.0, Strings: 2, Instructions: 465COMMON

Download Yara Rule

Strings

(bq, xrefs: 017F3DE5
(bq, xrefs: 017F419C

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: a96a8058dba87ab4de1d5877ae2864836c8979901d59544b2fa36c694ac96fb8
Instruction ID: 618154bb206528f2058089fecceb4c99599439c28fd43507ca4b9625f8f4d4c5
Opcode Fuzzy Hash: a96a8058dba87ab4de1d5877ae2864836c8979901d59544b2fa36c694ac96fb8
Instruction Fuzzy Hash: 58F13E74B002159FDB05DB79D85466EBBE7EFC8311F148069E60A9B3A4DF389C42CB61

Function 017FB0B0 Relevance: 1.9, Strings: 1, Instructions: 680COMMON

Download Yara Rule

Strings

e2q^, xrefs: 017FB23E

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID: e2q^
API String ID: 0-2559462336
Opcode ID: 86b247b9e3f235a998c520dcd605d399a5f54426b63fefa09e36fa20dd644b30
Instruction ID: 000ef19f665293dc8cc58d9c5a82dfed4ffbeecaf5deeaad314a7e8a6479e751
Opcode Fuzzy Hash: 86b247b9e3f235a998c520dcd605d399a5f54426b63fefa09e36fa20dd644b30
Instruction Fuzzy Hash: DA527A34A01204CFDB18EF38E49896EBBB6FB88701B65846DD91A9B365DB39DC41CF41

Function 017F385A Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

(bq, xrefs: 017F3BA1

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: cfa16bf1070443fd097ab4b4aa823d91a7ad98abfd01e2d554341c4c1ac7bc7a
Instruction ID: ccff21515fb73948e483694de87269e9ab20cedfd242c266d2a7eb114d9eeb72
Opcode Fuzzy Hash: cfa16bf1070443fd097ab4b4aa823d91a7ad98abfd01e2d554341c4c1ac7bc7a
Instruction Fuzzy Hash: 18A13D74B11219AFDB05DFA8D854AAEBBF6FF8C311F108069E905A7364DB389C41CB91

Function 017F35E1 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

(bq, xrefs: 017F36B6

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 33be0c046c2675d812c7eb428f6481a14ce9f6e0735bea497f7a4e6d3c5083f7
Instruction ID: e81b737956607bc1b74e66510603ed400cdfacb82d4761678a5e4aab4e6cccce
Opcode Fuzzy Hash: 33be0c046c2675d812c7eb428f6481a14ce9f6e0735bea497f7a4e6d3c5083f7
Instruction Fuzzy Hash: 904113317042111BD719EB39985053F6BEBFFD56507288868D50ACF394DE24DC0787A2

Function 017FC798 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

s@2q^, xrefs: 017FC95C

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID: s@2q^
API String ID: 0-4156887262
Opcode ID: 1ed2174560952fedf195076cb8a27729deeceed9fccb96d81c6d25bb6982635f
Instruction ID: fd783a407237c7825475c59a2260518e29d9a713b778d652071aa7543bb13caf
Opcode Fuzzy Hash: 1ed2174560952fedf195076cb8a27729deeceed9fccb96d81c6d25bb6982635f
Instruction Fuzzy Hash: 935103716047059FC356EB34C80158ABBE2FF95205324CE2ED14A9FB50EB71F94A8BC1

Function 017FBEAF Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

Te^q, xrefs: 017FBF75

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 582170e5d5d679123aab709eec188db847b4f38d2a76f6111a2e4e2a0b559bbb
Instruction ID: 99bc46bf0f2b341adccc4645f29787783a7b1064a4540526887e6685920fceb4
Opcode Fuzzy Hash: 582170e5d5d679123aab709eec188db847b4f38d2a76f6111a2e4e2a0b559bbb
Instruction Fuzzy Hash: E4415934B006058FCB44DF69D898A6EBBE6FFC8710B2585A9E506DB3B5DA71DC018B81

Function 017FBEC0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Te^q, xrefs: 017FBF75

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 0153473d3128d734829117a44b71a89d62282a638597b06a5d05a38db89f67a7
Instruction ID: 56fe04179354a9468ba5b2a215ced2bf7bfdc26d14944b784429f443f99c4152
Opcode Fuzzy Hash: 0153473d3128d734829117a44b71a89d62282a638597b06a5d05a38db89f67a7
Instruction Fuzzy Hash: 0A4159347005058FCB44DF6EC498A6EBBE6FF88710B2584A9E506DB3B5CA71EC018B81

Function 017F2B10 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

LR^q, xrefs: 017F2B35

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: a5ceb0b4302e2f0f41be88e802586bbdba3690f0fdcd93ec204602575f71fc2b
Instruction ID: a259ea2fe62f4cda5ed1c1198b74d438822e057609c6344b374e1af09dfb6d4d
Opcode Fuzzy Hash: a5ceb0b4302e2f0f41be88e802586bbdba3690f0fdcd93ec204602575f71fc2b
Instruction Fuzzy Hash: B6310A707102058FC709DB36C46466E77A6EFC9A18B2081A8D14ACF3A8DE35DC03CB8A

Function 017F4237 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

(bq, xrefs: 017F4295

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: ecab640cbe6d8b5f57a3e4036eac8c1b9a21c8e324b8e0f5b0260ad8f3b2b45b
Instruction ID: 8799a2bf6917ddb0ec00c44f94f10e4db3a6d017256c9e884be4c48a6f32ebbf
Opcode Fuzzy Hash: ecab640cbe6d8b5f57a3e4036eac8c1b9a21c8e324b8e0f5b0260ad8f3b2b45b
Instruction Fuzzy Hash: 8B2178357082515FD709E778A8101AE7BE3FFD651134848AED44ACF340DF245C0A8396

Function 017F1058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e82a864e8b04c4558f50cdaeca4d66f2c55f9c04e8d0bb0e8442e495b87a68
Instruction ID: e2af622d61114058ccba30d738ed0bf9bce67e9df21902f48ff5c9df5a68f09a
Opcode Fuzzy Hash: e6e82a864e8b04c4558f50cdaeca4d66f2c55f9c04e8d0bb0e8442e495b87a68
Instruction Fuzzy Hash: 1382F6B8610219DBDB06DBA4D554B7E7BB7EB8C302F209054A905333A4CF3D6D91EB26

Function 017FAF90 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4938faeb3be4aa3e27a06289f779b2aeb4cc1e37de11c8a062bb7908be0ea9ad
Instruction ID: 4d39d1ba4bbd09db49344eeb18d45b038b24a68654f0f20280953628c846b788
Opcode Fuzzy Hash: 4938faeb3be4aa3e27a06289f779b2aeb4cc1e37de11c8a062bb7908be0ea9ad
Instruction Fuzzy Hash: D361B07190A3958FD707DB38D86019ABFB5EF97214B0945DBC185CF2A3EB249C09C7A2

Function 017FBB99 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a029f60d0bfe8d503cd00498c14d828168d9d1ad98ce9307f74306b6943252c
Instruction ID: 95d886c76bc21f4b924685fe60bdd161e3224e18d7e3c2cf018539ef65281c5e
Opcode Fuzzy Hash: 3a029f60d0bfe8d503cd00498c14d828168d9d1ad98ce9307f74306b6943252c
Instruction Fuzzy Hash: 19810470A01201CFD710DF28E68992ABBB6FB88705F55E56DD91A8B329D738EC49DF40

Function 017F38F2 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd70e6820edf6e886380bd9dac08d5969ce78375dc7b3161ca944306898e8d60
Instruction ID: 3d3ff91d4ed1961b8894347e60fb6f975da3a4c5fec34ad10eabea4a5a672a8f
Opcode Fuzzy Hash: cd70e6820edf6e886380bd9dac08d5969ce78375dc7b3161ca944306898e8d60
Instruction Fuzzy Hash: 6F51FA74B11219EFDB05DBA8D864AAEBBB6FF8C711F204058E505A7364CB399C41DB50

Function 017F5A91 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08629592cbcb662157dc029a2b9c74c7a4078418da7dc3ed60e2394ba844692b
Instruction ID: 90e993ffb36543468105365ffcba1632f9a63ba047ee4c79249618fcb883a123
Opcode Fuzzy Hash: 08629592cbcb662157dc029a2b9c74c7a4078418da7dc3ed60e2394ba844692b
Instruction Fuzzy Hash: 34511C74B006068FCB04DF69D594AAABBF6EF8D311B1141A9E60ADB365DB30DC05CBA1

Function 017F5240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84f24221db2f96d3413a262b679dc617bb9be9034465717785411301b374641
Instruction ID: b09a8ac7786c7f7b6ee045559ce369210418f5fde903a392fea2897e21417269
Opcode Fuzzy Hash: c84f24221db2f96d3413a262b679dc617bb9be9034465717785411301b374641
Instruction Fuzzy Hash: AB513D74A002199FDB04DFA9D498AAEFBF2FF88311F248069E605A7365DB349C41CB91

Function 017F2850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68afec02c2a320428a5bac14fafc7b2e7b0203931cdb598ba751fdc09d745f6
Instruction ID: e89bb72e7472d4619a0c21cab5c9d4d0528f633c4417c6daeee9e08bedcc559a
Opcode Fuzzy Hash: f68afec02c2a320428a5bac14fafc7b2e7b0203931cdb598ba751fdc09d745f6
Instruction Fuzzy Hash: C2410270A11208DFDB05EFA8D884AEEBBF6FF88301F145529DA06A7365EB349945CF50

Function 017FB0A0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9959820f23c4815e8d010de0841bc914cc94603ff4555fbe4f07ca9cea3390ff
Instruction ID: 5fa86f5607d3378d7837f2c1da0fd0fa8a10272ad942351534c8e89c9efd62cf
Opcode Fuzzy Hash: 9959820f23c4815e8d010de0841bc914cc94603ff4555fbe4f07ca9cea3390ff
Instruction Fuzzy Hash: D1312470A003098FCB04DB79D8406AEBFE6FFC9301F04896ED1199B3A5DB749C098B91

Function 017F2842 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbd2b75e839e0e4c98a741b5aaefc6189ac21092822ff3da84b69b7f35e0467
Instruction ID: 13568325073e96f9dbc26e734e820271de712fe20af61a8f09af4b098ab3c1db
Opcode Fuzzy Hash: dfbd2b75e839e0e4c98a741b5aaefc6189ac21092822ff3da84b69b7f35e0467
Instruction Fuzzy Hash: 7F316770E10208CFDB15DFA8D8846EEBBF6FF88301F144529DA02A7355EB349945CB20

Function 017F5308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c33ad015bdee9af07d7b092329c50e1fde9b57a1bcdd8faa7e9816ec80fcfeb
Instruction ID: 87fdd0e642e2aae7582997f4179448857d37675cf73473b8986825bff8d33c85
Opcode Fuzzy Hash: 9c33ad015bdee9af07d7b092329c50e1fde9b57a1bcdd8faa7e9816ec80fcfeb
Instruction Fuzzy Hash: 5D411B74A00115DFDB05DFA5E498AAEBBB3FF88311F248069E905A7364DB349C42CF50

Function 017F2C48 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f78988a680117c3f917067ccd413977ea913ac487f9141597f36047fbeff303
Instruction ID: aa02e4495194501f2b3205c52992d15931325b526246bc496b002d083b7f0bab
Opcode Fuzzy Hash: 2f78988a680117c3f917067ccd413977ea913ac487f9141597f36047fbeff303
Instruction Fuzzy Hash: C1414BB4900209CFDB01DFA8D4946EEBBB5FF48311F145569D505A7364EB349D82CFA1

Function 017F2C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00722913561c4e88f34d78290a8095d29bc5fe1fb055641255607e130efc867d
Instruction ID: fe02ec579de461e8c4451a664cd8ac8086365697be16681d7f603777c6b3ed27
Opcode Fuzzy Hash: 00722913561c4e88f34d78290a8095d29bc5fe1fb055641255607e130efc867d
Instruction Fuzzy Hash: A23119B4A00209CFDB05DFA8D494AEEBBB5FF88311F145528D505A7364EB389D82CFA1

Function 017F4B70 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd892212c4dd62ace4fefe37d50a6f660370e4871dc37d7e967c236a57c9f193
Instruction ID: edd0296fc3515cfb4b545e8109bd90167941ad477355cb7f1624a562094682f0
Opcode Fuzzy Hash: fd892212c4dd62ace4fefe37d50a6f660370e4871dc37d7e967c236a57c9f193
Instruction Fuzzy Hash: CF212B302003529FCB05EB38E8406AE7BE7FFD1302B048E19E4098F265DF70AD4A8B91

Function 017FCEC0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878357911ea4eaa8ce160aedd168f432c641368eff3e4f79c4a1190160ba3db6
Instruction ID: be02cdb4ec85b412edf6bbf6b4fc2b84bc75babc947412179b6d87cfc0483f2e
Opcode Fuzzy Hash: 878357911ea4eaa8ce160aedd168f432c641368eff3e4f79c4a1190160ba3db6
Instruction Fuzzy Hash: 1C2120B1C062489FCB16DFA9D548B9EFFF6AB49310F14806EE909A7780CB795944CF90

Function 017F4B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209dea057b965df9976bdf8ceac362d7dd4747c21d1d1e57bdf4752300c9bc38
Instruction ID: cebe25b4b310ec3f35e02e4083ed0afc3c2b2edf0a944192bd328a94ab8ab8da
Opcode Fuzzy Hash: 209dea057b965df9976bdf8ceac362d7dd4747c21d1d1e57bdf4752300c9bc38
Instruction Fuzzy Hash: 6A2166702007169FD715EB79E840A6E77E6FBD4312B048E28E4098F264DF70AD4A4B95

Function 017FCED0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fddffe7ba96b06d74d6e0053270c4b3deb41cd6dfb671162060781be8505c1ee
Instruction ID: 66857e6ec86ca808d1bc12bab3470306dacec6a5188354d1ce59ae1186ffcead
Opcode Fuzzy Hash: fddffe7ba96b06d74d6e0053270c4b3deb41cd6dfb671162060781be8505c1ee
Instruction Fuzzy Hash: 29212471D05208DFCB15DFA8D548A9EFBF6EB48310F24806EE906A7740CB799905CF90

Function 017F5C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a531d60261501266bb519d5a2b5f9174fe1379441ed22060e3be70e1bd633c
Instruction ID: 4643ac45919a5ec0a9c606ae71865ac893526947762aafcf3e17ff0d109e932a
Opcode Fuzzy Hash: 83a531d60261501266bb519d5a2b5f9174fe1379441ed22060e3be70e1bd633c
Instruction Fuzzy Hash: 12214D75A002198FDB10CBA9C594BDEBBF1BF4C314F2001A9E605BB361DB75AD84CBA0

Function 017F6888 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c7869b9e09f8157411d0adb7a3ae7b962926a8b60db5519b724b3f669ac4cc
Instruction ID: 67de73ad157023af65a1086c01336581ccc97d0197ebe01e13e3d8c97ef54b43
Opcode Fuzzy Hash: 08c7869b9e09f8157411d0adb7a3ae7b962926a8b60db5519b724b3f669ac4cc
Instruction Fuzzy Hash: 78216A71900205CFDB14DBA4C9597EEFBF1EF46304F1180AEE205AB252DB758A45DB51

Function 017F5C5A Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3e5395359ee3f3b4764429770f53b7f741e12ddabecb0164ff2b47bb2eac32
Instruction ID: 36d8325f73030cadedfe47dce48b71766efb4e4bf595919cce0af0be883aacac
Opcode Fuzzy Hash: ab3e5395359ee3f3b4764429770f53b7f741e12ddabecb0164ff2b47bb2eac32
Instruction Fuzzy Hash: EE218E70A002598FDB01CBA9C498BDEBBF1BF4D310F2401A9D501BB365CB75AD81CB60

Function 017F41A2 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a766a8e64bdea4f2687e50b8f5575a52ae1cdf63ccd7f1f3c7ed98c74a5dda13
Instruction ID: e46ef74428a7576a0643cafc1df8a1ab4a2c6f162d2a8e6858155ee46a08411b
Opcode Fuzzy Hash: a766a8e64bdea4f2687e50b8f5575a52ae1cdf63ccd7f1f3c7ed98c74a5dda13
Instruction Fuzzy Hash: A60197307093965FC70AE7789C701AE3FEAEFC6520354489AE406CF381CF244D0687A6

Function 017F32E0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d051f0adaa26ff6f2c8dd12fe199b84f6df16638ab24a91045304ec5053a4640
Instruction ID: e669a9ffac830f03b311e21f5bfda4003e5d949bbf2d07e828c0e94364dd8fe9
Opcode Fuzzy Hash: d051f0adaa26ff6f2c8dd12fe199b84f6df16638ab24a91045304ec5053a4640
Instruction Fuzzy Hash: 2A110034A111448BEB48EBB4E4687EEBBB6AB8C311F004429D60697399EF3D5845CB51

Function 017FC000 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5818bf4cf98a3f338df274f882198d9527ccabd952373e4f4cda0eda14687227
Instruction ID: 490c080f4aefc3786563f28b9535dd8d2506e0dce9efea468030ed59b494201d
Opcode Fuzzy Hash: 5818bf4cf98a3f338df274f882198d9527ccabd952373e4f4cda0eda14687227
Instruction Fuzzy Hash: C01180303102658FCB41DF2CE894A99BBF5FF89716B104999E549CB776CB72AD05CB80

Function 017F2A80 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52691e13a493cf1906bb35028089e3cfe655dce6aa08fb398f879cd37ed22ff
Instruction ID: 2494183d489b5cae181c26492d4565fb00d8b449209353dfc11e3e0eef63a516
Opcode Fuzzy Hash: d52691e13a493cf1906bb35028089e3cfe655dce6aa08fb398f879cd37ed22ff
Instruction Fuzzy Hash: 4F019A716147148FCB01EB78C40889BBBF1FF9661431189AAD14ACF365DB70EC048BC2

Function 017F5940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8886a83f9fbba1489d0a5707e49e5822b0d25513700e9e474c7151dc04d7ad3d
Instruction ID: a3eecfe4999add26b29cf4583b17340679317401f00d0c6c59bd398958fbf26e
Opcode Fuzzy Hash: 8886a83f9fbba1489d0a5707e49e5822b0d25513700e9e474c7151dc04d7ad3d
Instruction Fuzzy Hash: A3018176301114CBCB04EE69E49486AF7EAFBCD661310453AE605C7310DA359C0187A0

Function 017F6388 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab173c39b094cc8701276062b85e7d9de24c770c981ef6eaf1c7fd56633a2c5
Instruction ID: 8964751c55445646829981abbcc839bfc86935d1e276859587bd0d08c79ccb39
Opcode Fuzzy Hash: 7ab173c39b094cc8701276062b85e7d9de24c770c981ef6eaf1c7fd56633a2c5
Instruction Fuzzy Hash: 05018F70905249EFCB00EFB8D891AADBFF1EFAA301B1449D9D5489B215DA306E01DB52

Function 017F5931 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898f2498e03f6321d31645ec0bd1c34d49edb8dece18616a1a191e5d82d59066
Instruction ID: 57acd9a815405a36b4e3bbf6b5c908aca59979424eced3469820cb7d3fddfec3
Opcode Fuzzy Hash: 898f2498e03f6321d31645ec0bd1c34d49edb8dece18616a1a191e5d82d59066
Instruction Fuzzy Hash: BB01A4313052508FCB06EF79D4A496ABBBAEFCF35031585AAE545CB365DA309C05C7A1

Function 017F32F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f144eedfd9d7782f9b8567ae64506e15e03c7bd1a7f83b54a7d6012f8039152
Instruction ID: b6218674aac7f798b6232a9b9f773d4f86b85fe2f23a0879575c5dbfd93666d5
Opcode Fuzzy Hash: 8f144eedfd9d7782f9b8567ae64506e15e03c7bd1a7f83b54a7d6012f8039152
Instruction Fuzzy Hash: FF01ED34A111448BEB48EBB4E4687EEBBBAAB8C311F008428D60297399EF3D5845CB51

Function 017F2D92 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd16a5ba64e92cb6108095b785d86fa06522e026472290390ebd0329d7c81467
Instruction ID: 531c8efd51af911c714cb9fc1fddbc9a0eab9910e6926530cbc8f452989feca2
Opcode Fuzzy Hash: cd16a5ba64e92cb6108095b785d86fa06522e026472290390ebd0329d7c81467
Instruction Fuzzy Hash: C4F05834A10118CFCB98EFB8C0096EABBF4EB49304B1144AADA1AEB355DB3089118B91

Function 017F6398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2db5a3864a98ebdf95a1aa0f0f23798d09a84538be6756e033ab503d9d42487
Instruction ID: 4f21760d6fcf8c3056a1867b9ec2ceb0cf17c011cc10f625a9d6ad2a60eb8c20
Opcode Fuzzy Hash: c2db5a3864a98ebdf95a1aa0f0f23798d09a84538be6756e033ab503d9d42487
Instruction Fuzzy Hash: 80F08C30A0120EEFCB40FFB8E8416ADBBF5EB98200F1041A89808A7350EA306E019B51

Function 017F1FF8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe2088ed3912f509bda2e05a03a308855f48de5d769cd14dd1c702c535ee578e
Instruction ID: 19936891a8c1f53e9a91a4c9975f5fd92389b962b8890334ec8a53f80f157392
Opcode Fuzzy Hash: fe2088ed3912f509bda2e05a03a308855f48de5d769cd14dd1c702c535ee578e
Instruction Fuzzy Hash: 0BE09A357022804FCB06AB7990288DABFE5DF8721530508EFE046CB32AD9348C068721

Function 017FCFE0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4805b53915d9e03fb314f06063b655cc6cfae49fdd997b96d6e55ec264327cda
Instruction ID: fd2ccf25dc870389ab99906caf1b69c0d5466bbe9b866980688f621d19094dbd
Opcode Fuzzy Hash: 4805b53915d9e03fb314f06063b655cc6cfae49fdd997b96d6e55ec264327cda
Instruction Fuzzy Hash: C3E02B3140E3404FEB36529594043B27F60DB82254F05809EC84557FD5D6BE0089D700

Function 017F2DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c09e0468e52219a34feecfc841b8fcfefc690a0455afead6c27a2fbae2375b
Instruction ID: 703e8056a2d42267ec7076da307ac01add5f456d25ea841530f307c662f48019
Opcode Fuzzy Hash: 34c09e0468e52219a34feecfc841b8fcfefc690a0455afead6c27a2fbae2375b
Instruction Fuzzy Hash: FDE0ED71E10119CF8B84EFBCD5056DE7BF5EF88210B2140BAD619E7355EB709D018B91

Function 017F66C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbbc59c336035b57455aeb6d42175f6f00a7a51a471085055db5c815e4660b0e
Instruction ID: 30afdea1486930d725bb6f3487728d644d4ecb1e2d7ce78ed38c6005597154a2
Opcode Fuzzy Hash: fbbc59c336035b57455aeb6d42175f6f00a7a51a471085055db5c815e4660b0e
Instruction Fuzzy Hash: A5D05E2130E2E04FCF02236CB8241E96FEA9ECB62131911E7F581DB35BC9144C06A3A2

Function 017F6469 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819390017a4696c2b844860ee53bc914e38d18890181f2f8ebf9bb345b369187
Instruction ID: 0dfb8d3a7b8b05da304a93c20a3325a134d442be933797815a0604fa5857b210
Opcode Fuzzy Hash: 819390017a4696c2b844860ee53bc914e38d18890181f2f8ebf9bb345b369187
Instruction Fuzzy Hash: D3E0C2702042408FC705CB68D0919543BB6EF9E30070406E5E048CB33ACA24DC03CB06

Function 017F5631 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b02316d49e5a25ca5e8ff3a26fe3a0f6ec243cf72f25232c7ad58798280d8de
Instruction ID: e5022864605abab99520be5024c221e279465e95db0fe3ed1ebdb70a0cc02598
Opcode Fuzzy Hash: 7b02316d49e5a25ca5e8ff3a26fe3a0f6ec243cf72f25232c7ad58798280d8de
Instruction Fuzzy Hash: 09D097341092815FD3034B6CDC225527FB8EF0721430806D0DE40CF202E932F4638340

Function 017F6478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c3889bc22d2b726b91446cf619f8090e053e51d6f85cc36c6f4a09bc2c2aeb
Instruction ID: ad3d8e57fda1e7b108679102d6a0d8825203c41562d600f334e53f0488172ac2
Opcode Fuzzy Hash: 99c3889bc22d2b726b91446cf619f8090e053e51d6f85cc36c6f4a09bc2c2aeb
Instruction Fuzzy Hash: 8FC012743803088FC208EB6CE08582533EAEB8C71071044A9E90DCB335CE20FC838A18

Function 017FCAA0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2905488130.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17f0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdbc281d1a20e74c399744775553909df10a209a8e5b0b0c2f91b8767659611
Instruction ID: ac682ed775bbeca55c8d15299cd617bb24a40e0a92a2e4db134a28a330977d20
Opcode Fuzzy Hash: 4cdbc281d1a20e74c399744775553909df10a209a8e5b0b0c2f91b8767659611
Instruction Fuzzy Hash: 94B012B29967C45EED02DFE09D893803F70E322202F140380E18C88AC1D79400138715

Analysis Process: Snetchball.exePID: 7368, Parent PID: 8100COMMON

Executed Functions

Function 00A84F58 Relevance: 11.9, Strings: 9, Instructions: 612COMMON

Download Yara Rule

Strings

(bq, xrefs: 00A85056
(bq, xrefs: 00A855A3
(bq, xrefs: 00A85655
(bq, xrefs: 00A851CD
(bq, xrefs: 00A851F9
(bq, xrefs: 00A8589B
(bq, xrefs: 00A8586F
(bq, xrefs: 00A855CF
(bq, xrefs: 00A85082

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq
API String ID: 0-1872187367
Opcode ID: 2299a23dfb5fbd0577d83a3b27eb8916da8bf281c45fb2ec34bda7d743795457
Instruction ID: 2dc680034fb4755e5e7eff7de8899a28b4a6b603b9c654489bb459fd253fc1ba
Opcode Fuzzy Hash: 2299a23dfb5fbd0577d83a3b27eb8916da8bf281c45fb2ec34bda7d743795457
Instruction Fuzzy Hash: DE326F34F006149FCB09EF79D4546AEBBF2AF89311F248069D80AEB391DB349D46CB91

Function 00A8C060 Relevance: 11.4, Strings: 9, Instructions: 183COMMON

Download Yara Rule

Strings

kVr^, xrefs: 00A8C12A
K/, xrefs: 00A8C0C6
+Vr^, xrefs: 00A8C1F2
K., xrefs: 00A8C094
;Vr^, xrefs: 00A8C1C0
Ur^, xrefs: 00A8C2BA
KVr^, xrefs: 00A8C18E
[Vr^, xrefs: 00A8C15C
{Vr^, xrefs: 00A8C0F8

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID: +Vr^$;Vr^$K.$K/$KVr^$[Vr^$kVr^${Vr^$Ur^
API String ID: 0-296965538
Opcode ID: d7b9c69ede450e34b0d42626e4f3e09a4b0e37bfe03be3e845d350b3c8081748
Instruction ID: 63d9b47d9b9c658d61a15f640d318046a617ae716cdb725ae4b0f4f7cc1f2a35
Opcode Fuzzy Hash: d7b9c69ede450e34b0d42626e4f3e09a4b0e37bfe03be3e845d350b3c8081748
Instruction Fuzzy Hash: 147109715007049BD356EB24C95059ABBE2FF94305314CE2E944E9FB65EFB2F94A8BC0

Function 00A8C070 Relevance: 11.4, Strings: 9, Instructions: 180COMMON

Download Yara Rule

Strings

kVr^, xrefs: 00A8C12A
K/, xrefs: 00A8C0C6
+Vr^, xrefs: 00A8C1F2
K., xrefs: 00A8C094
;Vr^, xrefs: 00A8C1C0
Ur^, xrefs: 00A8C2BA
KVr^, xrefs: 00A8C18E
[Vr^, xrefs: 00A8C15C
{Vr^, xrefs: 00A8C0F8

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID: +Vr^$;Vr^$K.$K/$KVr^$[Vr^$kVr^${Vr^$Ur^
API String ID: 0-296965538
Opcode ID: 00cb46d525e528a12cdfd47cfc74656ecb9ddbad7db2991c238459ed3abc503c
Instruction ID: 565cba889e603a8aecb4fdcdc604a6fd2b94eeb5fc461e8fae270f722f7a8f96
Opcode Fuzzy Hash: 00cb46d525e528a12cdfd47cfc74656ecb9ddbad7db2991c238459ed3abc503c
Instruction Fuzzy Hash: EA71F7716007049BD356EB24C95059BBBE2FF843053548E2E944E5FB65EFB2FA4A8BC0

Function 00A83750 Relevance: 3.8, Strings: 3, Instructions: 76COMMON

Download Yara Rule

Strings

(bq, xrefs: 00A83786
(bq, xrefs: 00A83820
(bq, xrefs: 00A837B2

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 9b4847bd8a9a70b57f75c92e3d381755fcb7da7a2b82581aa33be4fef4bee05e
Instruction ID: 8e3699af32d7f02358acc0a0aa3a67cea03c68d4d4f377f5fa1718fb45216028
Opcode Fuzzy Hash: 9b4847bd8a9a70b57f75c92e3d381755fcb7da7a2b82581aa33be4fef4bee05e
Instruction Fuzzy Hash: 5811AA36B042A44FC31A6779641013F3BE79FCA261318846AE90ED7391DE288D0B8391

Function 00A8B0B0 Relevance: 3.2, Strings: 2, Instructions: 680COMMON

Download Yara Rule

Strings

er^, xrefs: 00A8B23E
D@v, xrefs: 00A8B742

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID: D@v$er^
API String ID: 0-2969973443
Opcode ID: 7562e75b3d3296203b9611955695dadf0ff03b5d3b32b5a19c96132a3a455677
Instruction ID: 218f2c24ecd6b98ec44412f7bec5a2b9c195da2eb6a42b3161fab4df825c6e35
Opcode Fuzzy Hash: 7562e75b3d3296203b9611955695dadf0ff03b5d3b32b5a19c96132a3a455677
Instruction Fuzzy Hash: BB525838A12200CFC719FF34E558A6D7BB2FB84705B208569D40A9B3A6DB75EC86DF50

Function 00A83BE0 Relevance: 3.0, Strings: 2, Instructions: 465COMMON

Download Yara Rule

Strings

(bq, xrefs: 00A83DE5
(bq, xrefs: 00A8419C

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 90f7eda6a0b99a77f6b9d47350ad1ea21bd14b699a201a9566a6135fb3dd274a
Instruction ID: 6ede3543ef78285cd8b8fe4b07f34d437ada8bbac472d2e398a9963a750f0a6e
Opcode Fuzzy Hash: 90f7eda6a0b99a77f6b9d47350ad1ea21bd14b699a201a9566a6135fb3dd274a
Instruction Fuzzy Hash: 3DF19274B002149FCB05EB79D854AAE7BE7AFC8301F148429E90AEB365DF349C46DB91

Function 00A81058 Relevance: 2.1, Strings: 1, Instructions: 835COMMON

Download Yara Rule

Strings

mv, xrefs: 00A81EBA

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID: mv
API String ID: 0-2922995217
Opcode ID: 3860f4243135868715a42016324167d28b41be272668bafb4c1d3cb35414a25f
Instruction ID: bbd5cd69fe44e3cd7d533dc1460e29d002b77872b131865242a63b28b87d7d4c
Opcode Fuzzy Hash: 3860f4243135868715a42016324167d28b41be272668bafb4c1d3cb35414a25f
Instruction Fuzzy Hash: E88211B8600319DBDB06EBA4D554F6E7BB3EB88302F105414E905337A8CF396996EB35

Function 00A8385A Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

(bq, xrefs: 00A83BA1

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 8965386bb04a4fe2a53372c0087bd2bba2b61e343172a088b61bafb411e2cb8c
Instruction ID: df0cffb1375edab882bd3102dc1d652877a6930705f8e7efd1298af2b9072343
Opcode Fuzzy Hash: 8965386bb04a4fe2a53372c0087bd2bba2b61e343172a088b61bafb411e2cb8c
Instruction Fuzzy Hash: 44C14075B102289FCF05EBA8D854AAE7BF6AF8C701F104029E906A7365DF349D46DB90

Function 00A8C981 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

s@r^, xrefs: 00A8C95C

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID: s@r^
API String ID: 0-4107684204
Opcode ID: d43d95b6fc070d8e38bccd6b072630f1d0e6403690fce1f0e70d2935ada48f85
Instruction ID: 57826337a4224b2bdf2c17c460a8fe2615a114e01347d8bb4c835d541cdd81f0
Opcode Fuzzy Hash: d43d95b6fc070d8e38bccd6b072630f1d0e6403690fce1f0e70d2935ada48f85
Instruction Fuzzy Hash: 1B418E729047009BD716EF75C40149ABBE2EF863153148EADD08A9F652EA31E90B8FD1

Function 00A8C798 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

s@r^, xrefs: 00A8C95C

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID: s@r^
API String ID: 0-4107684204
Opcode ID: 332438a810eeba8e9ddc2a1328eacc60a10010e9eeb64d91d3dc614e4234c674
Instruction ID: 8ea9219a27f66e213b4668832ff7eb66a0a5d7d2b815294b6f4ec89189bc37f7
Opcode Fuzzy Hash: 332438a810eeba8e9ddc2a1328eacc60a10010e9eeb64d91d3dc614e4234c674
Instruction Fuzzy Hash: BD51F5716007049BD356EB24C84048ABBE2EF853163148E2ED44E9FB65EB75FA4A8FC0

Function 00A8BEC0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00A8BF75

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 60701c3f07455c8cf538371e23d54a0ecb69a7ab7958a03a4c9ddca155d4d66c
Instruction ID: f0cbcf93d07fb88fff624b613f3e4512419fc864c8200e98bd4ce57a20b26d2c
Opcode Fuzzy Hash: 60701c3f07455c8cf538371e23d54a0ecb69a7ab7958a03a4c9ddca155d4d66c
Instruction Fuzzy Hash: 93415E347005048FC744EF6DC498A6EBBE6FF88710B2584A9E50ADB3B5DB71DC058B80

Function 00A82B10 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00A82B35

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: b5fc8ba0c86adabde9af23f596d43403d2d1ad138bf860f15a2fffaccec2fe21
Instruction ID: c988de0259770950af345fc916374b05ef9868ef70c005cd75169f0159eda5df
Opcode Fuzzy Hash: b5fc8ba0c86adabde9af23f596d43403d2d1ad138bf860f15a2fffaccec2fe21
Instruction Fuzzy Hash: 5F311D307012058FD719AB35D45496E37B2EFC9A14720856DD08ACF3A8DE35DC47D78A

Function 00A8C352 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

Ur^, xrefs: 00A8C2BA

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID: Ur^
API String ID: 0-1807149779
Opcode ID: 8c82b66f66d92f98eb0af80d42baa38e3750b267a3cca5ca14661ed4474fac01
Instruction ID: 417607f3e28b43652180669b907b41ed45fba2c26df3313a6afa2b2441332855
Opcode Fuzzy Hash: 8c82b66f66d92f98eb0af80d42baa38e3750b267a3cca5ca14661ed4474fac01
Instruction Fuzzy Hash: F631C5726093455FD306DF38D86009ABBE1FF91319304996ED04ACF6A2EA31E807CBD1

Function 00A84237 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

(bq, xrefs: 00A84295

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: f7adead7973ac588c2af6c491b39038aea15a5b9b0896bd7debf3d82b6175156
Instruction ID: 8ecec0f329a1944cb4c0acf7aa8f6a7f915c9adbf32807fe9541920e56d827de
Opcode Fuzzy Hash: f7adead7973ac588c2af6c491b39038aea15a5b9b0896bd7debf3d82b6175156
Instruction Fuzzy Hash: D21125216082A04FC307977868642BE7FA3DFD2212748459ED8CA8B653DE68590BC781

Function 00A8AF95 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e39e391d2ae4a175da84581ea73ffc48cd9fb3f195900e2e4c155c26d624778e
Instruction ID: 81bf607678ede34b170debea24833a2e4e976d435629115fb1f48ef8840aea20
Opcode Fuzzy Hash: e39e391d2ae4a175da84581ea73ffc48cd9fb3f195900e2e4c155c26d624778e
Instruction Fuzzy Hash: 1251F270A093908FD706EB38D9656C97FB1EF92309F04859BC1598F2B3DB74580AC7A6

Function 00A8BB99 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d14f7afcd0b3cf20819140defe4b6f941bddb0bf163ede480072e276d5a56d
Instruction ID: 66cd901a0d0c81825dd5fc3fdcb740768350519862420b6491b70beb95400b8f
Opcode Fuzzy Hash: 88d14f7afcd0b3cf20819140defe4b6f941bddb0bf163ede480072e276d5a56d
Instruction Fuzzy Hash: 8581F578A02211CFC712FB14EA99D597BF2FB40705B15E668D119AB239C770EC4AEF90

Function 00A85A91 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902f37ca1eafc25e77dd86cd7ce8ebedee09faee8ffb6665b0303239fcff9597
Instruction ID: 4f4cb2fab0c977ab4cb7c1384e473ee53e6e0a7806e86be285d184c4a44c34b0
Opcode Fuzzy Hash: 902f37ca1eafc25e77dd86cd7ce8ebedee09faee8ffb6665b0303239fcff9597
Instruction Fuzzy Hash: EB514C75B00615CFCB04EF69C5989AEBBF6EF88311B1140A9E90ADB366DB30DC05CB90

Function 00A85240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e750bd83c4bb400f1fd2922d2fdc886c8d808f038229558a8590a95c23301088
Instruction ID: 2e49b96ba0341b5224d0e42e318e8d04f170d565f837e6a3bd502896fee8574b
Opcode Fuzzy Hash: e750bd83c4bb400f1fd2922d2fdc886c8d808f038229558a8590a95c23301088
Instruction Fuzzy Hash: 8D511C30E00618DFCB08EFA5D594AEDBBF2FF88311F248069E805AB264DB309C45CB90

Function 00A82850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384acc01ff85fcdfaab000621004f959f81db6dc6f9fd44acd5f39c64dc83604
Instruction ID: 1d64aa86b8ff07ec906d7bd01731b23a5ce659d51f8cb0b2969d3726a0210be4
Opcode Fuzzy Hash: 384acc01ff85fcdfaab000621004f959f81db6dc6f9fd44acd5f39c64dc83604
Instruction Fuzzy Hash: AC413C74E10218CFCB18EFA4D884AEDBBB6FF88341F205929D905A7265DB309846CF50

Function 00A85308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f65df581d8145788127dfedab942b4ecc7c963fe10e34beb6df3a984dd6fdad
Instruction ID: 3b17e9c028ccc9a2d1fe55435098652725562cfa8849d9995b3efdc334ccf573
Opcode Fuzzy Hash: 5f65df581d8145788127dfedab942b4ecc7c963fe10e34beb6df3a984dd6fdad
Instruction Fuzzy Hash: E3410934E00518DFCB08EFA5E5949ADBBF2FF88311F209469E806A7364DB349D46DB90

Function 00A82842 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5c7d6609eb6bf4dd2ae967b40caaea976f183d9de6aefcd6803c8ac03c1b8f
Instruction ID: da52394f41211df165c70720165a6750cb89f238d2e06e2f28c0585aafc68946
Opcode Fuzzy Hash: 5a5c7d6609eb6bf4dd2ae967b40caaea976f183d9de6aefcd6803c8ac03c1b8f
Instruction Fuzzy Hash: C6317C70D10218CFDB19EFB4D484AEDBBB2FF88341F20492AE845AB255EB309946CB50

Function 00A82C48 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3546ab88e9a1c0d934cf41367dfd7ccd5a11b7360e33839e6c94643804fbaac3
Instruction ID: 56bd5a432293486d6c60fe18d92aaa90a5447fc1aa89726651fcd577abd267c4
Opcode Fuzzy Hash: 3546ab88e9a1c0d934cf41367dfd7ccd5a11b7360e33839e6c94643804fbaac3
Instruction Fuzzy Hash: CD411774900219CFDB05EFA8D8949EEBBB1FF48311F205969D806B7365DB30998ADF90

Function 00A84B50 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f88f9cc52229dfb4ecbff711ffc6b4d50a905bc0abc4758ed0823679cb5dec14
Instruction ID: 35f95628f910c7ab3518a8d1607742c2ffa96b478e960c23f71b599d6f9eca98
Opcode Fuzzy Hash: f88f9cc52229dfb4ecbff711ffc6b4d50a905bc0abc4758ed0823679cb5dec14
Instruction Fuzzy Hash: 6721E9302043555FC706EB78D894AAE7FA3EFC13127044D59E88D8B266DB60AD4E8795

Function 00A8B0A0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9fb1aee4c0cfaa1f4150ceb0b27317b87429b28a8f564e668ea7377a0513cc
Instruction ID: b5b30b8b48a304e527ce2f1249220969d0796df16483b1eb293e81f8329ca354
Opcode Fuzzy Hash: bc9fb1aee4c0cfaa1f4150ceb0b27317b87429b28a8f564e668ea7377a0513cc
Instruction Fuzzy Hash: 9C31F770A103189FD714EB78D85469DBBF6EFD5301F108529D01EAB3A5EF74AD0A8B90

Function 00A82C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c6325786667c2d170dadc806a7bf6976bff29ef0ec22bb2b81eb2afe28a0d0
Instruction ID: 63b4f16049f982e74652a2f6ad79f9a10c492f833bbbb813a74c6dce354f9cf8
Opcode Fuzzy Hash: 20c6325786667c2d170dadc806a7bf6976bff29ef0ec22bb2b81eb2afe28a0d0
Instruction Fuzzy Hash: 2B31E974900219CFDB05EFA8D8849EEBBB1FF48315F205529D906B7368DB30998ADF91

Function 00A8CEC0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364e2321482c350ac0fb9a58dc847352c7518f9f546a1dd9ac9064e381199638
Instruction ID: 0231f194343d2ab3ada8584fef669f53e2f42a43d42a14db631ba086ff3abaa1
Opcode Fuzzy Hash: 364e2321482c350ac0fb9a58dc847352c7518f9f546a1dd9ac9064e381199638
Instruction Fuzzy Hash: AD213570D00248DFEB14EFA8D549A9DBBF2EB48324F24802AE509A7290CB795D46CF60

Function 0076D0EC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2903976036.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_76d000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15619b60baf97d5be479aa12b7a1ccba908ee3e037261507fac7ff4ec2dcdbf0
Instruction ID: 90a49e992ccb1841d8fd359f8782a7a4843dea4088cab67b378c49b5fac90433
Opcode Fuzzy Hash: 15619b60baf97d5be479aa12b7a1ccba908ee3e037261507fac7ff4ec2dcdbf0
Instruction Fuzzy Hash: D52126B0B142489FD728EF14C9C4B26BBA5EB95314F20C66DD90B4B341C37EDC06C661

Function 0076E1DC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2903976036.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_76d000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb142ed1b7339bcc1549d23ab70226c42b4d386cf2943119447c43b52f567d1
Instruction ID: 673fc15d83d0e0db5b2dba3230e87ecb78a6723db09ca72288b45187b3bb00cb
Opcode Fuzzy Hash: abb142ed1b7339bcc1549d23ab70226c42b4d386cf2943119447c43b52f567d1
Instruction Fuzzy Hash: C92123B86046409FDB04DF24D5D4B26BBAAFB94314F30CA6CD90B4B381C33A9806C672

Function 00A84B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a13595ba147f3ba1578bc9889a96dbb4ab06fdae65cababe057a981f8ed618
Instruction ID: 1a99d2a633704dea503763dd5a164466c68d07091913b424102d1bfe9564744b
Opcode Fuzzy Hash: 60a13595ba147f3ba1578bc9889a96dbb4ab06fdae65cababe057a981f8ed618
Instruction Fuzzy Hash: E92199702007159FC705EB79E880A6EB7D7FBD4352B044E29F80D8B265DF70AD4A4B94

Function 00A8CED0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b3b222d0c6c7d6683d7fc3558c99b0e560ee3959198801f13ad57057af9fb7
Instruction ID: cf9f985456a701ac557601521f7b17f9aca87c55d7c34ab3cd02ba7ca8528a4c
Opcode Fuzzy Hash: 27b3b222d0c6c7d6683d7fc3558c99b0e560ee3959198801f13ad57057af9fb7
Instruction Fuzzy Hash: 0F21F770D00348DFDB15DFA8D548A9EBBF6EB88324F24845AE905A7350CB799D45CF90

Function 00A85C42 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2756ad70fa5e92177ab0fa9c03959bc279ad3359628fe56a080a050824df6f
Instruction ID: 6786a35908b99423866d58483f1246eac05c2f36b478dd850aa730d7a5f05f59
Opcode Fuzzy Hash: 1f2756ad70fa5e92177ab0fa9c03959bc279ad3359628fe56a080a050824df6f
Instruction Fuzzy Hash: 9D219070E042988FCB11DBB9C598AEDBFF1BF49310F2800A9D845BB2A2CB745D45CB60

Function 00A86888 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b08a28bad56bc2669b2dd23bfb15109a60c487de93b09e4c755d718a7297092
Instruction ID: 3f360fbf452e429fdf9f1db4f5da555ad98d2eac754d2d9f954fc0421e604966
Opcode Fuzzy Hash: 5b08a28bad56bc2669b2dd23bfb15109a60c487de93b09e4c755d718a7297092
Instruction Fuzzy Hash: 53214271D00205CFEB10EBA4CA497EEBBF5FF44305F14846AD405A7292DB759E45CB91

Function 00A85C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a9ed621071a537eff47795cd6c821fcc999582bcd8e7f12db08a7f34ef1675
Instruction ID: 8a08aba4cef54e8900a8432aa0c9a6b03ea7da66da7352b5f4d0d9ab05aafb45
Opcode Fuzzy Hash: b5a9ed621071a537eff47795cd6c821fcc999582bcd8e7f12db08a7f34ef1675
Instruction Fuzzy Hash: D4210675E002188FDB14DBA9D588ADDBBF2BF4C310F2040A5E905BB360DB75AD84CBA0

Function 00A841A2 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312c4919071e52c4cb44577459d523bede41fd726c180e3492ddadf46a1f7508
Instruction ID: d6c26e0c3db6bfedc9508727fa7e11c6f3298c741f2a1d56d22ab9bf3fcda091
Opcode Fuzzy Hash: 312c4919071e52c4cb44577459d523bede41fd726c180e3492ddadf46a1f7508
Instruction Fuzzy Hash: E301F53170D3945FC70A677498A81BF7F6BDFC6211758049BE88ADB283CE254D0B8765

Function 0076D0E7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2903976036.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_76d000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa18848ffb83bc663edd403ef7310a8c1f3afcaf99fcd886547053968011f0e
Instruction ID: a28e8bc9e35147a11608cdda1e3b7b895032554ec21fbddea21f0b1f24bafbf7
Opcode Fuzzy Hash: 1aa18848ffb83bc663edd403ef7310a8c1f3afcaf99fcd886547053968011f0e
Instruction Fuzzy Hash: 8B1120B5A04284CFDB29DF10C5C4B15BBB1FB85314F24C6ADC84A4B692C33ADC0ACB52

Function 0076E1D7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2903976036.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_76d000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa18848ffb83bc663edd403ef7310a8c1f3afcaf99fcd886547053968011f0e
Instruction ID: 807e8c1ce6b9b37c7a3d063e15d60ea48bc2284faa2fd457088118709ea67d2b
Opcode Fuzzy Hash: 1aa18848ffb83bc663edd403ef7310a8c1f3afcaf99fcd886547053968011f0e
Instruction Fuzzy Hash: CE11E0B9504680CFDB15DF24D5D4B25BFB2FB54314F24C6ADC84A4B692C33AD84ACB62

Function 00A832E0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61bbea6dd06e50ac04497fbaf18a3f85c0f0cfc21c37a5cb7be5ec26d9ba5c6
Instruction ID: d7d957e70655d93f678030e3ac0f1fe14795a9c70187d62896fb66a10c0c4330
Opcode Fuzzy Hash: b61bbea6dd06e50ac04497fbaf18a3f85c0f0cfc21c37a5cb7be5ec26d9ba5c6
Instruction Fuzzy Hash: 4E112434E502549FCB49EFB4E5987ED7BB2EF88301F044869D48297242DF355816DB90

Function 00A8C000 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f53a5fcf7632f95aebcd41947921714eb28455575b41f21acfc9274f2f777f
Instruction ID: 86b5451231b1a995074addb5803bd61ba549a2bea7fdd49852a4f5b0649118ee
Opcode Fuzzy Hash: 92f53a5fcf7632f95aebcd41947921714eb28455575b41f21acfc9274f2f777f
Instruction Fuzzy Hash: F81180343102258FCB01EF28E884D99BBF2FF85706B1049A8E509CB276CB71ED068B80

Function 00A85940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27dc842d0b85f7b18adcab2b0ca5ab9d2263e557a1adc6d41f34a052acdf60e0
Instruction ID: dc6ba87a11cf1808d977b29bcff1fcd3c2d319b07f619c6eee0450d964b24226
Opcode Fuzzy Hash: 27dc842d0b85f7b18adcab2b0ca5ab9d2263e557a1adc6d41f34a052acdf60e0
Instruction Fuzzy Hash: 80013676700624CB8704AB69E49495EB7A6EFC96A5310457AE90AC7351CA71DC06C7A0

Function 00A82A80 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16806b22f3fb91406e1025bc9749053f1b68d6442a6c3db3f69f36bfe928284e
Instruction ID: 229403a14d571effd52d2ce69f3d279a0ed431d0d28e50f4b3e18b62f094bc36
Opcode Fuzzy Hash: 16806b22f3fb91406e1025bc9749053f1b68d6442a6c3db3f69f36bfe928284e
Instruction Fuzzy Hash: 92019E746103408FC7129B3884195AABBE2FF8161532489AAD58ACB366DB70EC098BD1

Function 00A832F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4096ba38610b2cff8d8fdb393429117c27137bd366316337a5f35fd14c39d4
Instruction ID: 8f7300d1bd0fab044ecc703d3d430c9fd7fd16981b5bad4239d4c7f20c7ebb3d
Opcode Fuzzy Hash: 9e4096ba38610b2cff8d8fdb393429117c27137bd366316337a5f35fd14c39d4
Instruction Fuzzy Hash: AD010034E50354CBDB48EFB5E558BAD7BF2EB88301F004829E542A7342DF359855DB91

Function 00A86388 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c007d575a96b16133465ee7d2f3da70c5553a1f9dc7a56efbe5e071b99b14e
Instruction ID: 13915e653cb6bfb49cb476475f131849d52a533ef60de9acb89de2d2de494321
Opcode Fuzzy Hash: 88c007d575a96b16133465ee7d2f3da70c5553a1f9dc7a56efbe5e071b99b14e
Instruction Fuzzy Hash: 26F0A430D04388EFCB41EBB8A8555DDBFB1DF46201F1045E9D889A7252D6315E06DB41

Function 00A8593E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f0bd08b5d1a2c9f78bfa779853ac8dffa3157e971b8cdc95854f55a5ff58ab
Instruction ID: 87925abf525f1b9d850725011c0fee86ab4435305e2a77f341903ce065ec067c
Opcode Fuzzy Hash: f2f0bd08b5d1a2c9f78bfa779853ac8dffa3157e971b8cdc95854f55a5ff58ab
Instruction Fuzzy Hash: 6BF05435700210CFC7149B79E498D6DBBA6EFC9265324856EE94AC7321CB31DC06CB50

Function 00A841E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ccb81f2c6e9659ccbbafa8b052793a9245a90ffbb8ab1e4cc8f5e6078653f2
Instruction ID: 421373af9b1a3cc653074fe6b7389160e34479c6484b4ae20b369ee7d6137d73
Opcode Fuzzy Hash: 67ccb81f2c6e9659ccbbafa8b052793a9245a90ffbb8ab1e4cc8f5e6078653f2
Instruction Fuzzy Hash: F6E0E531704328AF8708A6A6A8959BFA69BEBC82A1754082AF80DD7341DF616D0547A9

Function 00A82D92 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5eb4113a16a528c01c6365b9f06064a98590b6de2c58fb8682892cd8aa469e2
Instruction ID: 17323e64dfde1e89ba7f8b0b7e06eaaba8d470b87f5b1adb106f0e5f2247aea5
Opcode Fuzzy Hash: d5eb4113a16a528c01c6365b9f06064a98590b6de2c58fb8682892cd8aa469e2
Instruction Fuzzy Hash: CBF05E71A14168CFC744EFBC84556EE7FF0EF49314B2040A6D989E7222EA708A018B91

Function 00A81FF8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc31d2b069d8660910331cd9b3ee1016345b08b7a0b34eba0d918a460553a721
Instruction ID: 5c73c8d2b71a7b06ea32422b4c9a20f0148e0457984272f1a217476e98a05c03
Opcode Fuzzy Hash: bc31d2b069d8660910331cd9b3ee1016345b08b7a0b34eba0d918a460553a721
Instruction Fuzzy Hash: 06E06D357452A05FC70597BDD46889A3FE9DF8A51530508EAF5C6CB322D924DC128791

Function 00A86398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 398fcb67c286f3de828ecf2b91c060f4abfabfe361ddbf7f34c8dea20bed7836
Instruction ID: 9983c0be2056da35fc537c7aa3f1009817e18157211e8c4c6e50f2f344e93c33
Opcode Fuzzy Hash: 398fcb67c286f3de828ecf2b91c060f4abfabfe361ddbf7f34c8dea20bed7836
Instruction Fuzzy Hash: 0BF08230E0030CEF8B00EFA8E84569DBBF2EF88201F1045A9A84DA7251DB305F05DB41

Function 00A82DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9b37cb92f23c488bb2e9bcaf0a0550c433a3be649bcd64784f7fa65e6097bd
Instruction ID: 76df0df119709a788795250cdd51d1cd021caebbba1db9d4183e9d10d915ef1a
Opcode Fuzzy Hash: 6e9b37cb92f23c488bb2e9bcaf0a0550c433a3be649bcd64784f7fa65e6097bd
Instruction Fuzzy Hash: 00E0ED71E10118CF8B84EFBCD5056EE7BF5EF48311B2140AAE519E7311EB709E018B91

Function 00A8CFE0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 212d30fc680a4ca4eec57951949ed688c5394c951c0f350ea0bc63613fb5fc8f
Instruction ID: f562f49f2a244ba54163691928f45153d8eda55caf29ca1d20e4866b42f4ede6
Opcode Fuzzy Hash: 212d30fc680a4ca4eec57951949ed688c5394c951c0f350ea0bc63613fb5fc8f
Instruction Fuzzy Hash: 64E092398093909FEB125794A2143743F729BA2319F1980ABD48A4B6E1C7FD8C8ADB11

Function 00A8374E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77841766805e5c9e41a5654acbb9e1f79050fc694633dd8863b8f0174ce0b51
Instruction ID: 056c2d693324108cf5e6cd1d848c6e95e7cb502f9da3d8afe13850e07f5d1c9d
Opcode Fuzzy Hash: a77841766805e5c9e41a5654acbb9e1f79050fc694633dd8863b8f0174ce0b51
Instruction Fuzzy Hash: 9AE0C27BB001145B8B25A33AA8485FE27A79BC8AB13288429DD4DC3314FE648D0BD7D5

Function 00A837EC Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90dd9bf92d55d1cdb4a0b2c146a57ed75f266f98bd1f34aeb2cb10602a5048e
Instruction ID: 569b96296025f30811377233355b8a543474fdc9ca7da734d8d650806483a2e0
Opcode Fuzzy Hash: d90dd9bf92d55d1cdb4a0b2c146a57ed75f266f98bd1f34aeb2cb10602a5048e
Instruction Fuzzy Hash: 57E02B337002102BE7195BAA78049BB7B9B9BC8324B18453FF909C7210DF618C025390

Function 00A8DD40 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a735fe083bab8168349117d399c73f1e097ffbf8253a1f32852309c33ef8464
Instruction ID: a087d8bae5cdcf949b93e19269ff7b4ebbdd41ec964b3688b19c14667b5fd220
Opcode Fuzzy Hash: 3a735fe083bab8168349117d399c73f1e097ffbf8253a1f32852309c33ef8464
Instruction Fuzzy Hash: C4D05E36341A248F8761EBB8F54489AB3F8EF4966130045A6E90EC7B20CB71FC008BD0

Function 00A866C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ed0dddae1af3a8345a8561f452e943bfd119d2730beeef82c344f7d1985456
Instruction ID: 7b771c753cc7639d7b37d936ffdfb6911952a1a572542607a561502b1a65e404
Opcode Fuzzy Hash: 00ed0dddae1af3a8345a8561f452e943bfd119d2730beeef82c344f7d1985456
Instruction Fuzzy Hash: 79D0A7313052B05F864A16AC74940DA7BD6CECB15135905E7F985C7353CD644D076795

Function 00A86469 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226e16fe1754d1e7941214aa5e7813531c71486448a5d33bf5f1d517d764fbdc
Instruction ID: 0027bf7f3c3dafb8820867698a86d82101118c43b265957895d285cbf6528dad
Opcode Fuzzy Hash: 226e16fe1754d1e7941214aa5e7813531c71486448a5d33bf5f1d517d764fbdc
Instruction Fuzzy Hash: ACE012756042404FC3459734D4D59A93F72EB5D21072405E5D8CAC7376D9219C47CB05

Function 00A86478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a611b452aff6a14fcf0f8ade87e104fa6b5a4aa3040f465558ffe2128fad2d5
Instruction ID: 107cbef0d5304cd77e8f306749580543720c66cefdb4a3e3d629640b2bd82d3e
Opcode Fuzzy Hash: 2a611b452aff6a14fcf0f8ade87e104fa6b5a4aa3040f465558ffe2128fad2d5
Instruction Fuzzy Hash: E0C012753403044F8204DB5CD080C1533E6AB8C71031004A5E94EC7336CE20FC828618

Function 00A8CAA0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adec8c64b3d4162c94a5fa03b946fdff59478e082b3bbd63be438787036cd5bf
Instruction ID: 2b2b314c7a01fc9458be696a33c904028a2af2a73ffcdad05cb35adabc7615a7
Opcode Fuzzy Hash: adec8c64b3d4162c94a5fa03b946fdff59478e082b3bbd63be438787036cd5bf
Instruction Fuzzy Hash: B1C092ABDA59C09FF3029A4859D41C0B7F0FAA622A3D54093D400DA162E108AA038B24

Function 00A85640 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2910226849.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a80000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf694c32de435e6132481029c1d96a3941fb6c10aaa47143c4673152248a89b
Instruction ID: 7ac219770a989c96606d7c2025d7bab25a1a8b52448df33b9ff30dc548b4824b
Opcode Fuzzy Hash: 9bf694c32de435e6132481029c1d96a3941fb6c10aaa47143c4673152248a89b
Instruction Fuzzy Hash: 92B02B3095070957C6001A25AC084113B1DEF4051534402A4AC0800101BD23D8200580

Analysis Process: Snetchball.exePID: 7024, Parent PID: 8100COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	1

Executed Functions

Function 0131E581 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 0131E602

Memory Dump Source

Source File: 0000000C.00000002.2904096011.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_Snetchball.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0510560b676244aba1269a5136d64ef661fb99f622c93f60f5e50307aa472387
Instruction ID: c064f2de8633f6185cb8466d25d3821e5aa4bd2dcbfb05b31d17c08a93dc11b4
Opcode Fuzzy Hash: 0510560b676244aba1269a5136d64ef661fb99f622c93f60f5e50307aa472387
Instruction Fuzzy Hash: 1D110E32A001148FCB0CDF6CE8A5B5ABBF9FBC9214B58422AE108C7361DB369C088B50

Function 0131E02F Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 0131E602

Memory Dump Source

Source File: 0000000C.00000002.2904096011.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_Snetchball.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7186cff6d98d2c7dca4cbc23ed055ef8c652a4f602cab3836d7c3fe79d660e5b
Instruction ID: 13bf0002937316a250c43caee7017a9002fbc6fd763c29e516d0cf14d83013e1
Opcode Fuzzy Hash: 7186cff6d98d2c7dca4cbc23ed055ef8c652a4f602cab3836d7c3fe79d660e5b
Instruction Fuzzy Hash: 48F06D717042189FC3089F6DD894DAB7BFAEBC9250350412AE609C7350DE369C0587A0

Function 0131E5A8 Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 0131E602

Memory Dump Source

Source File: 0000000C.00000002.2904096011.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1310000_Snetchball.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d5507f83164b7c69d73db1a410726b15f8002517cd3fb38c48fba5d7e0f0681c
Instruction ID: 766bf9f2dd0ba72e9d1edada90394f3d97c638ded3faa8d1441fe9a880b5ee62
Opcode Fuzzy Hash: d5507f83164b7c69d73db1a410726b15f8002517cd3fb38c48fba5d7e0f0681c
Instruction Fuzzy Hash: C3F049717001189FC7089FADE894DAF7BFAFBC9261350412AE609C7350DE329C058BA0

Function 0128DA58 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2902620854.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_128d000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc77c25b21a47a020c3976b302a20f2b0a8ad56be0ba17ecd87086064f35f831
Instruction ID: 89917562a4d919f6d4fa6746aed884d2781aff388bc1e85a5d5ed3ff2500a10b
Opcode Fuzzy Hash: dc77c25b21a47a020c3976b302a20f2b0a8ad56be0ba17ecd87086064f35f831
Instruction Fuzzy Hash: CE2133B1654348DFCB05EF98D9C0B22BBA5FB84314F20C66CD90A4A2D2C376D80ACB61

Function 0128D6B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2902620854.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_128d000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24738e86451f02898c3f642eeb7f90a694502aa875cd5625a8104f02b2a88cb2
Instruction ID: 198fff7fc3586df463324b7a411879f3cc0549f84553484e5c54112e1cac0303
Opcode Fuzzy Hash: 24738e86451f02898c3f642eeb7f90a694502aa875cd5625a8104f02b2a88cb2
Instruction Fuzzy Hash: E1212575615248DFDB09FF58D9C4B25BBA5FB84318F24C96DD90A0B2C2C376D80ACA61

Function 0128E5EC Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2902620854.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_128d000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e7707f64c4f8104b2c973e54975600fbb74095f2976e17bd2b6195d86c1493f
Instruction ID: 154d3108d15a141e10c43f2905f7eb66c9dcccca36c315ad94412757f3a846ae
Opcode Fuzzy Hash: 0e7707f64c4f8104b2c973e54975600fbb74095f2976e17bd2b6195d86c1493f
Instruction Fuzzy Hash: F32135B4625310DFDB05EF18C9C4B26BBA5FB94318F24CA6DD90A4B3D2C336D806CA61

Function 0128D0EC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2902620854.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_128d000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b2c54c1a10e1c75fc4cc93148efea33b23bb33547768077f1cc37d5cf4c752
Instruction ID: 47e74113633a890937ed700fe17a3ea13175df1ba1cc45f3ac1f577b511a414c
Opcode Fuzzy Hash: e0b2c54c1a10e1c75fc4cc93148efea33b23bb33547768077f1cc37d5cf4c752
Instruction Fuzzy Hash: FB2138B06252489FDB05FF58D9C4B26BBA5FF84314F20C66CD50A4B3C2C33AD80AC661

Function 0128E1DC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2902620854.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_128d000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d479b0a9c1696db4d038bd8d9fc0d46539db0606688dae183acde7752d32b8ec
Instruction ID: b8dca11a693ab80ae62d5b1ed540cae89f56dafd60851dfe666301ee294f93e4
Opcode Fuzzy Hash: d479b0a9c1696db4d038bd8d9fc0d46539db0606688dae183acde7752d32b8ec
Instruction Fuzzy Hash: D62157B06152409FDB05FF28D9C4F26BBA5FB94314F20CA6CD90A4B3C6C33AD806C662

Function 0128DA53 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2902620854.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_128d000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bbd5f449214c7d39dbb700c697a355c3a95ed274533089a8626e0f65ef3888
Instruction ID: 3dd4c371d61d68f7f7952d76afdbf941c05519a05e04b84ecad2e6bb7391aa2e
Opcode Fuzzy Hash: 94bbd5f449214c7d39dbb700c697a355c3a95ed274533089a8626e0f65ef3888
Instruction Fuzzy Hash: 4E11BE76544284CFDB06DF54D5C4B15BFB2FB84314F24C6A9D9094B2A6C33AD81ACB61

Function 0128D6AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2902620854.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_128d000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 6c2a69625fbcf48b6d730c6234d3f52075004bcafd7056a1283616b6091d62af
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 2011BB79544284CFDB06EF54D5C4B15BBB2FB84224F24C6A9D9494B692C33AD40ACBA2

Function 0128E5E7 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2902620854.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_128d000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a1c6b8ca02d24f4c768ec1c4bdd2b196b24458271389b604e7eed455e3e0b6
Instruction ID: d3f0556f39660b39123053bcce7cdd80d844be62f8f7a96d67568642725ea867
Opcode Fuzzy Hash: a3a1c6b8ca02d24f4c768ec1c4bdd2b196b24458271389b604e7eed455e3e0b6
Instruction Fuzzy Hash: 3511EF75504280CFDB06EF14C6C4B15BFA1FB84218F24C6ADD9094B692C33AD80ACB51

Function 0128D0E7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2902620854.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_128d000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa18848ffb83bc663edd403ef7310a8c1f3afcaf99fcd886547053968011f0e
Instruction ID: e4efe8771cf9894e3e36b8781a0f4f7f2189f07f4d0bf2c5fb189d6d1a39712a
Opcode Fuzzy Hash: 1aa18848ffb83bc663edd403ef7310a8c1f3afcaf99fcd886547053968011f0e
Instruction Fuzzy Hash: 1E110EB56042848FDB02EF18C5C4B15BBB1FF84214F24C6ADC9494B692C33A940ACB52

Function 0128E1D7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2902620854.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_128d000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa18848ffb83bc663edd403ef7310a8c1f3afcaf99fcd886547053968011f0e
Instruction ID: 544e6e186ef74273e9e30ae8355ec7b11a73d98347fe1620d7b426f2ee51c0be
Opcode Fuzzy Hash: 1aa18848ffb83bc663edd403ef7310a8c1f3afcaf99fcd886547053968011f0e
Instruction Fuzzy Hash: 8011E0B5505280CFDB16EF28D5C4B25BFB2FB44314F24C6ADC9494B696C33AD84ACB52

Analysis Process: Snetchball.exePID: 4296, Parent PID: 5184COMMON

Executed Functions

Function 00FB4F58 Relevance: 11.8, Strings: 9, Instructions: 600COMMON

Download Yara Rule

Strings

(bq, xrefs: 00FB51F9
(bq, xrefs: 00FB55A3
(bq, xrefs: 00FB51CD
(bq, xrefs: 00FB55CF
(bq, xrefs: 00FB589B
(bq, xrefs: 00FB5056
(bq, xrefs: 00FB5655
(bq, xrefs: 00FB586F
(bq, xrefs: 00FB5082

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq
API String ID: 0-1872187367
Opcode ID: c53602ad0adb01b8173144ed7e6b25d5c43e710ffb6a25852db051026b70dd96
Instruction ID: a7dd0d3441625e54e60dfc90c1fffb016cc3ad5ab459ad05a359a2875734aa32
Opcode Fuzzy Hash: c53602ad0adb01b8173144ed7e6b25d5c43e710ffb6a25852db051026b70dd96
Instruction Fuzzy Hash: D9328D34F006148FCB05EF69D8546AEBBF2AF89711F248069D806EB391DB389D46DF91

Function 00FB3860 Relevance: 4.4, Strings: 3, Instructions: 682COMMON

Download Yara Rule

Strings

(bq, xrefs: 00FB419C
(bq, xrefs: 00FB3BA1
(bq, xrefs: 00FB3DE5

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: df74f01e451f18d75295c81745e6b6675985e037567905ac5c6f57af66b3cceb
Instruction ID: 5504404e7b3938848cbf5576d47ae59c7ddef53586b91d8fd6b1fb46d012b9ed
Opcode Fuzzy Hash: df74f01e451f18d75295c81745e6b6675985e037567905ac5c6f57af66b3cceb
Instruction Fuzzy Hash: 8F428074B002149FCB05EB79D854AAE7BF7AF88301F148069E90AAB365DF349D42DB91

Function 00FB3750 Relevance: 3.8, Strings: 3, Instructions: 88COMMON

Download Yara Rule

Strings

(bq, xrefs: 00FB3786
(bq, xrefs: 00FB3820
(bq, xrefs: 00FB37B2

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 71b625df313a4ad380a8685c7272f6a2cb41952a20acd57ef1092d2d80c3727c
Instruction ID: 9639cca1b121cc3d9eee2f8222e0ac4eedc33bf0e513ec053f4d16597aabb6cd
Opcode Fuzzy Hash: 71b625df313a4ad380a8685c7272f6a2cb41952a20acd57ef1092d2d80c3727c
Instruction Fuzzy Hash: 74214B36B092944FC31A6779582017F3BE79FC63213584569E90AC73D1DE288D0793D2

Function 00FBBEAF Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00FBBF75

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 7f3ae73f38a89217e189d18696e3eb50165e117aa099f99327a01a41d306e1b1
Instruction ID: da1d71a475a33c3f470686cb574b54666a1d74764e0a122b653987ef642bd9ac
Opcode Fuzzy Hash: 7f3ae73f38a89217e189d18696e3eb50165e117aa099f99327a01a41d306e1b1
Instruction Fuzzy Hash: C14180347006048FC744DF6EC898A6EBBE6BF89710F2584A9E905DB3B6DB70DC058B80

Function 00FBBEC0 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00FBBF75

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 71ad1209783cb330d03f0b6e3168ac182c833a89562980614a08ee1a848fc3d0
Instruction ID: d6cf9b59adc75521c4f1dbffc06f1392bcf70c7988a1c0ee4d1cf8a760312472
Opcode Fuzzy Hash: 71ad1209783cb330d03f0b6e3168ac182c833a89562980614a08ee1a848fc3d0
Instruction Fuzzy Hash: D3315E347006048FC744EF6EC898A6EBBE6BF88710B2584A9E506DB3B5CB71DD058B80

Function 00FB2B10 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00FB2B35

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 851129e68fbfabb0e2fe798c76e2c9f8369b198ab2b793a8b986d24086abebf2
Instruction ID: 8d0409cc8a5e179d676db1edae68774e64a87001fe29b70e83a3cab7b3245d98
Opcode Fuzzy Hash: 851129e68fbfabb0e2fe798c76e2c9f8369b198ab2b793a8b986d24086abebf2
Instruction Fuzzy Hash: 2F314B307152058FC709AB3AD45452E33B3EFC9A1872081B8D44ACF3A8DE359C43DB8A

Function 00FB2B20 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00FB2B35

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 467c5507f4dd96254cdfdfa333f780f070283106ff3f7ad855a7232718ef1aac
Instruction ID: 9b1c95e9f3b4d9740147251a223156872111f5d5c63887fc72914e9c136480e7
Opcode Fuzzy Hash: 467c5507f4dd96254cdfdfa333f780f070283106ff3f7ad855a7232718ef1aac
Instruction Fuzzy Hash: 833118317112058FD709EB3AC454A2E33A3EBC9A187208178D54ACF3A8DE35DC439B8A

Function 00FB4248 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

(bq, xrefs: 00FB4295

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: c5feb3eb103352e67efd2008a732f6791a81516d3a936bc3845208d713d9b3c6
Instruction ID: 037c0b3c5f3dd901398eaa429f3773a6d0debc203e6d1d0597db0ded872274d2
Opcode Fuzzy Hash: c5feb3eb103352e67efd2008a732f6791a81516d3a936bc3845208d713d9b3c6
Instruction Fuzzy Hash: E3016832B083900FD306977DA82417E7B93EFD2612348489EE846CF382CE289D0A97C5

Function 00FB1049 Relevance: .8, Instructions: 841COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a09b6c8290cd9d1b283d837df64bd2d568d14d1f470fd3e96a6d0dbcd145f5
Instruction ID: 758bd250646ef8edfdf2e6fa6f051883f8e055ac06186cd3738717f2a44d4010
Opcode Fuzzy Hash: 43a09b6c8290cd9d1b283d837df64bd2d568d14d1f470fd3e96a6d0dbcd145f5
Instruction Fuzzy Hash: CB827FB8605319DBDB06EBA4D551B6E7BB3EB88302F104414E94427798CF396DE1EB32

Function 00FB1058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d23edc8afb841f4a31a105efece0b3276c39d8b762af5e67fafaf27ecdf7921
Instruction ID: 8cfe80bde820b2859ba49458ab83634d05fb421c2bedab6bd4216d14ce8488a3
Opcode Fuzzy Hash: 6d23edc8afb841f4a31a105efece0b3276c39d8b762af5e67fafaf27ecdf7921
Instruction Fuzzy Hash: 0B8280B8605319DBDB06EBA4D551B6E7BB3EB88302F104414E94427798CF396DE1EB32

Function 00FBB0B0 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29453a20e236e52590af9c48b0c34178e6650ad5dbc260789c31f0476a768ac4
Instruction ID: 3f06f2014aba2d806e5490509b052b2e1de8da0df3cf84a4b9df5aae4093de80
Opcode Fuzzy Hash: 29453a20e236e52590af9c48b0c34178e6650ad5dbc260789c31f0476a768ac4
Instruction Fuzzy Hash: 19527934A06204CFC715EF25E49996D7BB2FB84306B208568D81A9F365DFB5EC82DF81

Function 00FBBB99 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be4e2ecbd29528d21a41c88917e52b09b9fd0c5ae152763872dfe0ea046b111
Instruction ID: 7deaa7c035b8a3d3218c16f6a962d578c0caa05dcfd063588ba77c6cf7d0a3dd
Opcode Fuzzy Hash: 7be4e2ecbd29528d21a41c88917e52b09b9fd0c5ae152763872dfe0ea046b111
Instruction Fuzzy Hash: 38810878A16205CFC712EF24EACA9997BB2FB44306B14C568D5189F329C7B0EC95EF41

Function 00FB3841 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66d1839b21b9480a2afb49fac208b36ec4a1db1fa3cbe67eea16e88699b1df0
Instruction ID: c362f41b28e102899b22e4d406cc5397555212d8dc8f1cd98866bee3822087c2
Opcode Fuzzy Hash: a66d1839b21b9480a2afb49fac208b36ec4a1db1fa3cbe67eea16e88699b1df0
Instruction Fuzzy Hash: F8619D74B15218AFCB05EFA4E894AAE7BF2EF88311F204055E805A7365CB35AD51DF50

Function 00FB385B Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b499ceb346a49d649a611db3133ec27077aa97ad98245f7d7a1bb5303be3d3a
Instruction ID: 572e59372443c68e30917a0787802de642b45e1f98dfb2c683bcffea117e1449
Opcode Fuzzy Hash: 2b499ceb346a49d649a611db3133ec27077aa97ad98245f7d7a1bb5303be3d3a
Instruction Fuzzy Hash: F6612A74A11218EFCB05DFA5D894AADBBF2BF8C311F248025E805A7364DB35AD51DF50

Function 00FB3881 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50aea7a5c400c170e0c6608292a8d4b1e80278778c7d99c27085fa9b37f2785
Instruction ID: 1d390c636778dc3ae07ab9cda713ce4cf557ce88ac576f0f0f490a483945ca1b
Opcode Fuzzy Hash: f50aea7a5c400c170e0c6608292a8d4b1e80278778c7d99c27085fa9b37f2785
Instruction Fuzzy Hash: 89513A74B11218AFCB05EFA5E894AADBBF2BF88311F208015E805A7364DB34ED51DF50

Function 00FB5AA0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b56143494f40374db976090123ff1d2f650d94e448b24c16c84956a5a851f1
Instruction ID: c426701696a59a16279de65499df541b9616b3298a2aeb3f85db515f52eb9c10
Opcode Fuzzy Hash: 24b56143494f40374db976090123ff1d2f650d94e448b24c16c84956a5a851f1
Instruction Fuzzy Hash: 8A512875B006058FCB04EF69C994AAEBBF6FF88715B1140A8E509DB365DB34EC45CBA0

Function 00FB5240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb3b5362d9a8d0f42fb51b800c4c1c6e330fd85056f233635dcbf2c92c36c44
Instruction ID: b50b59a50e095cf2fe43a879168628bef59bad3c25788f75ebc50851d70689f8
Opcode Fuzzy Hash: acb3b5362d9a8d0f42fb51b800c4c1c6e330fd85056f233635dcbf2c92c36c44
Instruction Fuzzy Hash: B2511A31A016189FCB14EFA6D494BEDB7F2BF88715F188469E405AB354DB349C81DF90

Function 00FB5A91 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 230bf53753d4dbb71b1eeec5e44f04705750ebc35d778db4f271070f45dd5b40
Instruction ID: 50d0531b98800e2575e070cb4ce8538597ee91c14d151940a82bc1d5858c3019
Opcode Fuzzy Hash: 230bf53753d4dbb71b1eeec5e44f04705750ebc35d778db4f271070f45dd5b40
Instruction Fuzzy Hash: 03416FB5B006068FC704DF69C984AAABBF6FF88711B1141A9E509DB362DB34DC05CBA1

Function 00FB2850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b9b2b27e85c431fb05a37e92401b2eb0f7b81c8ff8fe5463c15c19b407a553
Instruction ID: 9875bc2594029224476a8447dd27636ff84e8d098beddeaffc62e80e30df5a7d
Opcode Fuzzy Hash: 14b9b2b27e85c431fb05a37e92401b2eb0f7b81c8ff8fe5463c15c19b407a553
Instruction Fuzzy Hash: 6441F474E14308CFDB14EFA5D894AEDBBB6FF88311F204629D905AB254EB309895DF90

Function 00FB2A80 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ef13c83c123cd70f999ccef6b9218e64f7275aa79a56810c198d673c1d8405
Instruction ID: 827969c792df46d50f9934d38771cebbd04f884823a0f4bbfaf4142e578edc7a
Opcode Fuzzy Hash: 76ef13c83c123cd70f999ccef6b9218e64f7275aa79a56810c198d673c1d8405
Instruction Fuzzy Hash: AE318B74A10308CFCB11EFA9C44589EBBF1FF85716B208A6AD555AB326DB31A805CF91

Function 00FB2C48 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eebc36d5a9a4d6adc81481597345efe48570d75e6e0188d54140d01d020516c4
Instruction ID: 7d5c9a9f6f1f45665b4caa4781a62bf5cd266a772e6c946993a8a6f0037eb37f
Opcode Fuzzy Hash: eebc36d5a9a4d6adc81481597345efe48570d75e6e0188d54140d01d020516c4
Instruction Fuzzy Hash: EB417A74E05209CFCB01EFA8E9825ED7BB2FF88315F104969E905AB358DB309991CF90

Function 00FB5308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69dcff7363f52b969a637eb4e4fb25ccc39fbb674992c33b4a25277afcac274f
Instruction ID: 822db91359a341c6644b03cad0e0fdf3435a4ff1fb5089b305a20911c74b8592
Opcode Fuzzy Hash: 69dcff7363f52b969a637eb4e4fb25ccc39fbb674992c33b4a25277afcac274f
Instruction Fuzzy Hash: 0A413D34A01514DFCB04EFA5E894AEDB7B2FF88711F248469E805AB364DB349C82DF90

Function 00FB2843 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f107e8e1910e3d6488e1a3d679eb7b4860afea3673992ca331859e228adc67
Instruction ID: bd88fd668e8d5f1d7f7d8bf74babbe976e9c4bdfdd59381d72c736ee5b246298
Opcode Fuzzy Hash: f4f107e8e1910e3d6488e1a3d679eb7b4860afea3673992ca331859e228adc67
Instruction Fuzzy Hash: 7E314A70D043088FDB15EFA5D4946EEBBF6FF88301F244A29D805AB254EB349995DF90

Function 00FBB0A0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8192e67146caa6fb704bfee4b79321ae1251588e2df0b8e0a1b2597fbfafb8
Instruction ID: 069049c35f2c3fdd01381d6d075161ed4f6975eb6e6bcfef63561816f7679ca4
Opcode Fuzzy Hash: 7a8192e67146caa6fb704bfee4b79321ae1251588e2df0b8e0a1b2597fbfafb8
Instruction Fuzzy Hash: FE310570A003188FC705EB78DC9579EBBF6EF85312F108929D41A9B395DF716D068B91

Function 00FB2C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f360299223e4ad589260c88a6ac391a0967033dd39b02dd0808548e4ec7cb76e
Instruction ID: 3dbf54cc3da6d913144d751430d4e43271bcb9a5bafd8c0f828faf4a935eb7eb
Opcode Fuzzy Hash: f360299223e4ad589260c88a6ac391a0967033dd39b02dd0808548e4ec7cb76e
Instruction Fuzzy Hash: 03312A74D05219CFDB05EFA8D5859EEBBB2FF48311F504928D905AB358DB309991CFA0

Function 00FB4B50 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3714c595c9d3363e0f4fde8158ec27d66e4a6f5d3acb4e694573607dd5ec8a9a
Instruction ID: 2c638f36f001cbf892e9f2b2ae6df4b25a789127c1da6840c098ab716eee6fdc
Opcode Fuzzy Hash: 3714c595c9d3363e0f4fde8158ec27d66e4a6f5d3acb4e694573607dd5ec8a9a
Instruction Fuzzy Hash: 5A21EA712043515FC706EB78EC9166EBBE2EFC0303B048D5AE4098F295DF706D498B95

Function 00FB5698 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6fc8b37b221b7401dd44710695b4d34befdc3424b2504323a5f50638ddfdc52
Instruction ID: ae4a826ec061b46fc54c59b263ab1389a4a84c7b9d339cdacb190ddac57c7177
Opcode Fuzzy Hash: c6fc8b37b221b7401dd44710695b4d34befdc3424b2504323a5f50638ddfdc52
Instruction Fuzzy Hash: F9218770B016048FCB04DF6AD598AAEBBF6AF88B11B244069E906E7360DF74ED01CF50

Function 00FB288D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449accbe3d1e4c45133bc98fcf995445e00e6e99594c291a86b6cae0cb30aec5
Instruction ID: 50ae6b7c98306e2bf931749a4a4ab9ff9d56c1eca1d7a0e55147fd6662822a59
Opcode Fuzzy Hash: 449accbe3d1e4c45133bc98fcf995445e00e6e99594c291a86b6cae0cb30aec5
Instruction Fuzzy Hash: 7F311370E043088FDB54EFA5E8946EDBBB2FF88351F20452AD806AB254EB345895DF60

Function 00FB4B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62192ec37c9ef93b89e9df64c5a8f621d47fdc3fa20f31222983450200c1754
Instruction ID: 266819ad432b3e7f7508a7f23aa41da57129970826d2ab599c3891917f88d69e
Opcode Fuzzy Hash: e62192ec37c9ef93b89e9df64c5a8f621d47fdc3fa20f31222983450200c1754
Instruction Fuzzy Hash: ED21A1302043155FC705EB79E840A6EB7E6FFC0356B008E29E4098F255DF70AD898BD5

Function 00FB2908 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd17a84b76402895207f5147b8cd5b23a0b6d85168c69918a1a4e4bad89e16d
Instruction ID: 1f17220918c471e321803aeb7b4700bce44008bfb2f94f43375547a19b78212f
Opcode Fuzzy Hash: 5bd17a84b76402895207f5147b8cd5b23a0b6d85168c69918a1a4e4bad89e16d
Instruction Fuzzy Hash: 41215C70D00218CFDB14EFA9D8909EDBBF2FF88300F10862AD819AB258DB305855DF50

Function 00FB6888 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7263c48f84977ead5991ba775b0436160cfb20ab8ae71534a7d88db281d5bf6a
Instruction ID: 7082eb37ba221102db964671635dd4f92fe6e11924d96ca3c605c95a4506114d
Opcode Fuzzy Hash: 7263c48f84977ead5991ba775b0436160cfb20ab8ae71534a7d88db281d5bf6a
Instruction Fuzzy Hash: 42216A31D00209CFEB10DBA6CA097EEBBF1AF45715F10846AD405EB2A2DB798E45EF51

Function 00FB5C43 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff8cdfb8f8fe0c3c2f47f745356dcb5f10b0079bda0af66dc8feda4a2c3d017
Instruction ID: c16618826f5791f6252cb8692798eea335981aacc5338adea70f0b6a4584a50c
Opcode Fuzzy Hash: 5ff8cdfb8f8fe0c3c2f47f745356dcb5f10b0079bda0af66dc8feda4a2c3d017
Instruction Fuzzy Hash: 73217871A042488FCB11DBA9C5A8BDDBBF1AF4C310F1440AAD001BB2A1CB79AD44DB60

Function 00FB5C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8426a7906f00382dae72e48649bc2a793938398b3cc8bf17a8f98be486a5af02
Instruction ID: 07e684c0716171fa652707ec7a6aeacde2eec1a57255d7f6b5d58727a5a9fadc
Opcode Fuzzy Hash: 8426a7906f00382dae72e48649bc2a793938398b3cc8bf17a8f98be486a5af02
Instruction Fuzzy Hash: 0A212775E002188FDB10DBAAD598BDDBBF1AF4C720F2401A5E505BB260DB75AD84DFA0

Function 00FB296A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943c01c9cb3d3e74d68d50cfde85607f2f7ab0e6911e421c8ce2a27313b3ae06
Instruction ID: c555cbd5ee2097004a4eba873b2404aaba036f0cc65ffbd150cc5c6bd8d8d3c3
Opcode Fuzzy Hash: 943c01c9cb3d3e74d68d50cfde85607f2f7ab0e6911e421c8ce2a27313b3ae06
Instruction Fuzzy Hash: 4C21E574D013188FDB14EFA8D8819ADBBF2FF88301F204629E809AB264DB309D55DF50

Function 00FB66C8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48f3a92bb2818d406c0816e4c5850d17602b24070cfb2121293efcfde8c4ddb
Instruction ID: 1fc307835757967101646458a742951e084d103f88e19ba1323cdb94045617d3
Opcode Fuzzy Hash: f48f3a92bb2818d406c0816e4c5850d17602b24070cfb2121293efcfde8c4ddb
Instruction Fuzzy Hash: 01014E33B052244BC7065B5DB4621EA7BA1EF853B131949BBE949DF343CE168C06ABD4

Function 00FB41A2 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba71a890668402a8bf3f5c552461905cd25f4a37ea722230c57152f8512957a
Instruction ID: 3fbc7795bbd53e8f1af67ab7727016407f461e00b8e6411773979624429890b1
Opcode Fuzzy Hash: aba71a890668402a8bf3f5c552461905cd25f4a37ea722230c57152f8512957a
Instruction Fuzzy Hash: 9801473170D3855FC3076B749C3016E7FA7EFC621235884ABE805EB382CE250D0A87A6

Function 00FB5911 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583651f7fc0560ba89b5ac3628475e15cce873645d98e7f8269b852e9f762523
Instruction ID: 8cd29465d01f3963244aa6c8d0105f2260e80c5acb325584893ca243be3406bb
Opcode Fuzzy Hash: 583651f7fc0560ba89b5ac3628475e15cce873645d98e7f8269b852e9f762523
Instruction Fuzzy Hash: 1F01D47270A340CFC702AFB9D8659287BB19F9B36131980ABD445CB3A2CA358C05CBA1

Function 00FB32E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c587671d5d40538e0cd1810a72544ccaaaf2148efbb70a400df7eb0f5966c20
Instruction ID: 84758919bbaf0aa79ff62bc46f04eeccf373674a2c7a2346df147fab99cab286
Opcode Fuzzy Hash: 5c587671d5d40538e0cd1810a72544ccaaaf2148efbb70a400df7eb0f5966c20
Instruction Fuzzy Hash: EF117034E492448FCB05EBB4E95A7AD3FB2AF89301F08886AD4429B281CF384855CB81

Function 00FB5940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b26e2b24d7ce7cb3c06a4508e58ef5dbfc5922e0918964735603a5a3cee58f
Instruction ID: 86a4a6589f1583ae71aee6944f9b3275dc5f5ddd0698708f54c0b3228656e3d0
Opcode Fuzzy Hash: e1b26e2b24d7ce7cb3c06a4508e58ef5dbfc5922e0918964735603a5a3cee58f
Instruction Fuzzy Hash: 020144767053148F8704AB6DE89892EB7E6EFC96A6310857EEA06C7350CE31DC15D7E0

Function 00FB32F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278709fcef395a25c0b54281ed5db63e83c780777ad4c082a6fa755cc516acd4
Instruction ID: 86f9d1057f20ff423f9f40440106cc3592807bfb869c8764b0e2d0f14d988f2b
Opcode Fuzzy Hash: 278709fcef395a25c0b54281ed5db63e83c780777ad4c082a6fa755cc516acd4
Instruction Fuzzy Hash: 38012934E582049BDB44EBB9E5597BE7BB2BF89301F444829D9029B280DF395864DB90

Function 00FB2A90 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ab3c06ddcbd8f3136ad21787e6bc29694a0432fd8b5a9789f91dabff9e83f4
Instruction ID: 2e4d7e72291f57e50fcb32c284596859b214903ab5af040b370e0d99a78ebba9
Opcode Fuzzy Hash: c6ab3c06ddcbd8f3136ad21787e6bc29694a0432fd8b5a9789f91dabff9e83f4
Instruction Fuzzy Hash: 39F04B716207148FC710EB39C40989A7BE1FF84A557108969E14ACB715DB71EC088BD0

Function 00FB6388 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f37b418efad80c871a6ad1de0cc5bcfdf6b5b8b95ea614515ed952c7f051d63
Instruction ID: 81d3e432fb65ea220cacc8fdb062e6a13f99cea97b936465eb7f6113adfe9046
Opcode Fuzzy Hash: 2f37b418efad80c871a6ad1de0cc5bcfdf6b5b8b95ea614515ed952c7f051d63
Instruction Fuzzy Hash: D4F078349093889FCB01EBECD9554AD7FF1DF47311B1489C9D445AB292C9301E01EB92

Function 00FB4237 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500d362f13684379c406537f288d0b2eea7f7c603e45e9d2b80f32e65d8d8bc1
Instruction ID: 0a9db71fb522e6994aac8acdcef210dd6ad63738ee23f964f8593a84af931cd5
Opcode Fuzzy Hash: 500d362f13684379c406537f288d0b2eea7f7c603e45e9d2b80f32e65d8d8bc1
Instruction Fuzzy Hash: 35F027362042405FC3065B79AA502BD7BA3AFC0A1270C4C6AD8858F755CE306D8B9BC5

Function 00FB41E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c209c840190afdb048d72d4e22b5994b7046f72988cd7c73bdde1be13eda58
Instruction ID: 19c7a8e14d67eeb5902076ce9b39a1a70b8fe6757b5ea9b45572d080f26d2aef
Opcode Fuzzy Hash: 02c209c840190afdb048d72d4e22b5994b7046f72988cd7c73bdde1be13eda58
Instruction Fuzzy Hash: 58E0E5317043182F9708A6AA6C5197FB6DAEFC82A57540829F909DB340DE212D0547A9

Function 00FB6398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49afe3595aa12f221cd681104f0273897625b81d421fe06452adf61a50846ff2
Instruction ID: 9d79edb197ccfc7dac1de30ab92ce17a665b7d8579645455bbae3d5998af4d4e
Opcode Fuzzy Hash: 49afe3595aa12f221cd681104f0273897625b81d421fe06452adf61a50846ff2
Instruction Fuzzy Hash: F9F08274E0030CAFCB00EFA8D94159DBBF1DF44201F2045A8A908A7245DA301F459B91

Function 00FB2D93 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7825f98e04827c4dd6695b84b0a8bf243644646a3c63c7c7acd172748b94a4b
Instruction ID: d12f8059495c8867f7c81fcce1bee621f07aef84d44109113433ca54a32a6357
Opcode Fuzzy Hash: d7825f98e04827c4dd6695b84b0a8bf243644646a3c63c7c7acd172748b94a4b
Instruction Fuzzy Hash: E0F08231E141588FC754DFBCC4156DD7FF0EF89310B1044E5D549E7312DA3089118B91

Function 00FB1FF8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3289512d5471479ff5a2830a6cc390b66a80595eef27f5d445a5530142dc897a
Instruction ID: 9756fd3f2505c95210e1e2903f70b83a27e5e4c2bed41981cc0e15da5a94d33d
Opcode Fuzzy Hash: 3289512d5471479ff5a2830a6cc390b66a80595eef27f5d445a5530142dc897a
Instruction Fuzzy Hash: FFE0923978A3815FCB155779D4684697FE5EF8E21530504EBE186CB322CD24CC52C751

Function 00FB2DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9772763d928220449b009f35891304b11033d8bb90dffcfe34e5bf70ac4422c2
Instruction ID: ac7dd3a417ae455e52e09bc23cedb914fd57b2791bd0e8a45cb64c04bf0a84a1
Opcode Fuzzy Hash: 9772763d928220449b009f35891304b11033d8bb90dffcfe34e5bf70ac4422c2
Instruction Fuzzy Hash: D7E0ED71E102188F8B84EFBDD5056DE7BF5EF88311B2140AAE619E7311EB709E119B91

Function 00FB2008 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58524af25d5015a3d188ce2cd0e5e7d7f6b839494d04ce0c0ac3d966b8789074
Instruction ID: ebf07d2b88bb2912f9af8f8b4f5ad69bdc377a4aa64d11099e0186d5dc22352a
Opcode Fuzzy Hash: 58524af25d5015a3d188ce2cd0e5e7d7f6b839494d04ce0c0ac3d966b8789074
Instruction Fuzzy Hash: E3D012357402145FCB14567DD41885A77E9EFC9625311086AE50AC7320DD75DC1187A1

Function 00FB374E Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9dd4350238798cf3a840b31670fca150421108119243a7a2a48acd15312653c
Instruction ID: 39ef3fcecebd714fc458d5d3d30f58a26b873018cac01b6052c8fe9115fe138a
Opcode Fuzzy Hash: a9dd4350238798cf3a840b31670fca150421108119243a7a2a48acd15312653c
Instruction Fuzzy Hash: 98D0C27AB041148783155766B60427E22636BC427132C8426CD0DC3328EE308D476B83

Function 00FB6469 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c145afac38b207894c0e6cc0860171cdf7e66161423a4455dc0b689bce3145b
Instruction ID: 47e4183687e404a0883dd9382bf7eea84f35aebe9a18681f73fd0b409d308aab
Opcode Fuzzy Hash: 7c145afac38b207894c0e6cc0860171cdf7e66161423a4455dc0b689bce3145b
Instruction Fuzzy Hash: F4E0C2B4A84201DFC304DBA8C38181133B2EF8931030084E6E04DCB375D920DC828715

Function 00FB6478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827daf19a12f47e45fe8d631152ecef54790102a78b5ff5ff36315e26182884d
Instruction ID: 96cc2e05f5c07e48eaf085ba01ade1f9c9883ae364ab9446ac0c24806da98284
Opcode Fuzzy Hash: 827daf19a12f47e45fe8d631152ecef54790102a78b5ff5ff36315e26182884d
Instruction Fuzzy Hash: C8C012747443044F8204DB5CD05181533E6BB8C71031004A5E60DCB335CD30FC828658

Function 00FB5640 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3217233452.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_fb0000_Snetchball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350a72eb202bd8ca118d3cc0ced1431d2ac9dc6b644fee9d37e74ae471b20b0e
Instruction ID: d550e70e4e594af6495a348d3de8d7bdd693a5b4a4da80bd82e99434e10d2f23
Opcode Fuzzy Hash: 350a72eb202bd8ca118d3cc0ced1431d2ac9dc6b644fee9d37e74ae471b20b0e
Instruction Fuzzy Hash: 64B02B3094470D5786000516FC09532372EEF415243400194AC0800100AD23CC2044C0

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HDKuOe.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat

C:\Users\user\AppData\Local\Temp\nsa2FED.tmp

C:\Users\user\AppData\Local\Temp\nsn8E3B.tmp\liteFirewall.dll

C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\INetC.dll

C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\blowfish.dll

C:\Users\user\AppData\Local\Temp\nspFBF3.tmp\nsProcess.dll

C:\Users\user\AppData\Local\Temp\nsuFBC3.tmp

C:\Users\user\AppData\Local\Temp\setup.exe

C:\Users\user\AppData\Roaming\Snetchball\DawnCache\data_0

C:\Users\user\AppData\Roaming\Snetchball\DawnCache\data_1

C:\Users\user\AppData\Roaming\Snetchball\DawnCache\data_2

C:\Users\user\AppData\Roaming\Snetchball\DawnCache\data_3

C:\Users\user\AppData\Roaming\Snetchball\DawnCache\index

C:\Users\user\AppData\Roaming\Snetchball\Del.exe

C:\Users\user\AppData\Roaming\Snetchball\GPUCache\data_0

C:\Users\user\AppData\Roaming\Snetchball\GPUCache\data_1

C:\Users\user\AppData\Roaming\Snetchball\GPUCache\data_2

C:\Users\user\AppData\Roaming\Snetchball\GPUCache\data_3

Windows Analysis Report
HDKuOe.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre