Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1540231
MD5:	126619fbbb061d7f4e5a595068249ce8
SHA1:	97bce4d9b978f39b2695b4e3cd24b027f10de317
SHA256:	f2e4a4a886757ce7e2492cbc509d2d29fad5674d037482057f3ee77986892198
Tags:	exeuser-jstrosch
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

Contains functionality to automate explorer (e.g. start an application)

Contains functionalty to change the wallpaper

Creates HTML files with .exe extension (expired dropper behavior)

Found stalling execution ending in API Sleep call

Modifies the windows firewall

Sample is not signed and drops a device driver

Uses ipconfig to lookup or modify the Windows network settings

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to delete services

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Sleep loop found (likely to delay execution)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 1436 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 126619FBBB061D7F4E5A595068249CE8)

ClientRun.exe (PID: 6348 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe MD5: 7E0CE08C88A72A427FAFD2ED2EC81732)

SeetrolClient.exe (PID: 5776 cmdline: "C:\Program Files (x86)\seetrol\client\SeetrolClient.exe" MD5: 4ED27CD391E16B0E256C76AFC1F986C3)

ipconfig.exe (PID: 5808 cmdline: "C:\Windows\System32\ipconfig.exe" /flushdns MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)

conhost.exe (PID: 1984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 1436, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Suricata Signatures

ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-23T15:33:05.926446+0200	2020826	1	A Network Trojan was detected	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:06.291650+0200	2020826	1	A Network Trojan was detected	192.168.2.5	49710	139.150.75.206	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-23T15:33:05.926446+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:06.291650+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:06.599647+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:06.903650+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:07.208682+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:07.566755+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:07.878257+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:08.185434+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:08.491280+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:08.861115+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:09.198151+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:09.508979+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:09.857839+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:10.171532+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	139.150.75.206	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01006205 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

0_2_01006205

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: d:\7MyProject\KHProject_VS2008\Seetrol_My\SeetrolClient\Release\SeetrolClient.pdb source: SeetrolClient.exe, SeetrolClient.exe, 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: wextract.pdb source: file.exe
Source:	Binary string: D:\7MyProject\KHProject_VS2008\Seetrol_My\SeetrolPackage\ClientRun\Release\ClientRun.pdb source: ClientRun.exe, ClientRun.exe, 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: d:\7MyProject\KHProject_VS2008\Seetrol_My\SeetrolClient\Release\SeetrolClient.pdb$Pc source: SeetrolClient.exe, 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\7MyProject\KHProject_VS2008\Seetrol_My\Seetrol_Clt\Release\screenhooks32.pdb source: ClientRun.exe, 00000001.00000003.2091014380.0000000000579000.00000004.00000020.00020000.00000000.sdmp, sthooks.dll.1.dr, sthooks.dll.0.dr
Source:	Binary string: D:\7MyProject\KHProject_VS2008\Seetrol_My\SeetrolPackage\ClientRun\Release\ClientRun.pdb M<O source: ClientRun.exe, 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: ~.pdb source: STClientChat.exe.0.dr, STClientChat.exe.1.dr
Source:	Binary string: SAS.pdbR source: sas.dll.0.dr, sas.dll.1.dr
Source:	Binary string: SAS.pdb source: sas.dll.0.dr, sas.dll.1.dr
Source:	Binary string: W+.pdb source: ClientRun.exe, 00000001.00000003.2090139584.0000000000578000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe.1.dr, SeetrolClient.exe.0.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01002A96 FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_01002A96
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Code function: 1_2_004015E0 SHGetSpecialFolderPathA,_memset,_memset,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,__splitpath_s,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,wsprintfA,RemoveDirectoryA,	1_2_004015E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Code function: 1_2_004023B0 _memset,FindFirstFileA,FindClose,	1_2_004023B0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0043A5C0 _sprintf,FindFirstFileA,_sprintf,FindNextFileA,	3_2_0043A5C0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_00432AD0 _memset,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,FindNextFileA,FindClose,	3_2_00432AD0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_00435040 GetLogicalDrives,_memset,_memset,GetSystemDefaultLangID,SHGetSpecialFolderPathA,SHGetFileInfo,_memset,SHGetSpecialFolderPathA,SHGetFileInfo,_memset,GetDriveTypeA,SHGetFileInfo,_memset,_memset,_memset,_sprintf,FindFirstFileA,_sprintf,_memset,FindNextFileA,FindClose,	3_2_00435040
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_00433470 _memset,_sprintf,FindFirstFileA,_sprintf,_sprintf,_memset,FindNextFileA,FindClose,	3_2_00433470
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_00479646 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	3_2_00479646
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0040BE90 _memset,_memset,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,__splitpath_s,FindNextFileA,_sprintf,FindNextFileA,FindClose,_sprintf,RemoveDirectoryA,	3_2_0040BE90

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2020826 - Severity 1 - ET MALWARE Potential Dridex.Maldoc Minimal Executable Request : 192.168.2.5:49710 -> 139.150.75.206:80

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	File created: MirrInst32.exe.3.dr
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	File created: MirrInst64.exe.3.dr

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Code function: 3_2_0043D980 _sprintf,Sleep,_sprintf,DeleteUrlCacheEntry,URLDownloadToFileA,ShellExecuteW,

3_2_0043D980

Source: Joe Sandbox View

ASN Name: LGDACOMLGDACOMCorporationKR LGDACOMLGDACOMCorporationKR

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49710 -> 139.150.75.206:80

Source: global traffic	HTTP traffic detected: GET /update4/SeetrolCenter.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.seetrol.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /update3/NetScan.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.seetrol.comConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Code function: 3_2_0043E5D0 GetSystemDirectoryA,_sprintf,DeleteUrlCacheEntry,DeleteFileA,Sleep,_sprintf,DeleteUrlCacheEntry,URLDownloadToFileA,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,CreateDirectoryA,CreateDirectoryA,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,CreateDirectoryA,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,CreateDirectoryA,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,CreateDirectoryA,_sprintf,DeleteUrlCacheEntry,_sprintf,DeleteUrlCacheEntry,

3_2_0043E5D0

Source: global traffic	HTTP traffic detected: GET /update4/SeetrolCenter.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.seetrol.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /update3/NetScan.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.seetrol.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /update3/MirrInst32.exe HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic	HTTP traffic detected: GET /update3/MirrInst64.exe HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic	HTTP traffic detected: GET /update3/Install.txt HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic	HTTP traffic detected: GET /update3/Uninstall.txt HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic	HTTP traffic detected: GET /update3/068/dfmirage.cat HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic	HTTP traffic detected: GET /update3/068/dfmirage.dll HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic	HTTP traffic detected: GET /update3/068/dfmirage.inf HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic	HTTP traffic detected: GET /update3/068/dfmirage.sys HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic	HTTP traffic detected: GET /update3/105/dfmirage.cat HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic	HTTP traffic detected: GET /update3/105/dfmirage.inf HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic	HTTP traffic detected: GET /update3/105/x64/dfmirage.dll HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic	HTTP traffic detected: GET /update3/105/x64/dfmirage.sys HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic	HTTP traffic detected: GET /update3/105/x86/dfmirage.dll HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com
Source: global traffic	HTTP traffic detected: GET /update3/105/x86/dfmirage.sys HTTP/1.1User-Agent: SeetrolClientHost: www.seetrol.com

Source: global traffic

DNS traffic detected: DNS query: www.seetrol.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:05 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 223Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 34 2f 53 65 65 74 72 6f 6c 43 65 6e 74 65 72 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update4/SeetrolCenter.exe was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:05 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 217Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 4e 65 74 53 63 61 6e 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/NetScan.exe was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:05 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 220Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 4d 69 72 72 49 6e 73 74 33 32 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/MirrInst32.exe was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:06 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 220Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 4d 69 72 72 49 6e 73 74 36 34 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/MirrInst64.exe was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:06 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 217Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 49 6e 73 74 61 6c 6c 2e 74 78 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/Install.txt was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:06 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 219Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 55 6e 69 6e 73 74 61 6c 6c 2e 74 78 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/Uninstall.txt was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:07 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 222Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 30 36 38 2f 64 66 6d 69 72 61 67 65 2e 63 61 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/068/dfmirage.cat was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:07 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 222Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 30 36 38 2f 64 66 6d 69 72 61 67 65 2e 64 6c 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/068/dfmirage.dll was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:07 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 222Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 30 36 38 2f 64 66 6d 69 72 61 67 65 2e 69 6e 66 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/068/dfmirage.inf was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:08 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 222Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 30 36 38 2f 64 66 6d 69 72 61 67 65 2e 73 79 73 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/068/dfmirage.sys was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:08 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 222Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 64 66 6d 69 72 61 67 65 2e 63 61 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/dfmirage.cat was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:08 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 222Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 64 66 6d 69 72 61 67 65 2e 69 6e 66 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/dfmirage.inf was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:09 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 226Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 78 36 34 2f 64 66 6d 69 72 61 67 65 2e 64 6c 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/x64/dfmirage.dll was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:09 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 226Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 78 36 34 2f 64 66 6d 69 72 61 67 65 2e 73 79 73 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/x64/dfmirage.sys was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:09 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 226Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 78 38 36 2f 64 66 6d 69 72 61 67 65 2e 64 6c 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/x86/dfmirage.dll was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Oct 2024 13:33:10 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33Content-Length: 226Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 78 38 36 2f 64 66 6d 69 72 61 67 65 2e 73 79 73 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/x86/dfmirage.sys was not found on this server.</p></body></html>

Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: ClientRun.exe, 00000001.00000003.2091014380.0000000000579000.00000004.00000020.00020000.00000000.sdmp, sthooks.dll.1.dr, sthooks.dll.0.dr	String found in binary or memory: http://www.seetrol.com/
Source: SeetrolClient.exe, SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.seetrol.com/flash.html
Source: SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.seetrol.com/flash.htmlflash.htmlwww.seetrol.com901801701_01%s_%02d_
Source: SeetrolClient.exe, SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.seetrol.com/update3
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/068/dfmirage.cat4
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/068/dfmirage.cat_
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/068/dfmirage.dll
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/068/dfmirage.inf
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/068/dfmirage.sys
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/105/dfmirage.cat
Source: SeetrolClient.exe, 00000003.00000002.3342362857.0000000001100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/105/dfmirage.catp
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/105/dfmirage.inf
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/105/x64/dfmirage.dll
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/105/x64/dfmirage.dll~
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3342362857.00000000010D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/105/x64/dfmirage.sys
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3342362857.00000000010D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/105/x86/dfmirage.dll
Source: SeetrolClient.exe, 00000003.00000002.3342362857.0000000001100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/105/x86/dfmirage.dll8
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3343445746.0000000009ED6000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3342362857.00000000010D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/105/x86/dfmirage.sys
Source: SeetrolClient.exe, 00000003.00000002.3342362857.00000000010D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/105/x86/dfmirage.sysm
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/Install.txt
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/MirrInst32.exe
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/MirrInst32.exe9
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/MirrInst64.exe
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/MirrInst64.exe%
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/NetScan.exe
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/NetScan.exeNo
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/NetScan.exeVo
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/NetScan.exeZo
Source: SeetrolClient.exe, 00000003.00000002.3342362857.00000000010F3000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/Uninstall.txt
Source: SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update3/Uninstall.txt~GP
Source: SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.seetrol.com/update3WINDOWS
Source: SeetrolClient.exe, SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.seetrol.com/update4
Source: SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.seetrol.com/update4%s:
Source: SeetrolClient.exe, 00000003.00000002.3342362857.0000000001100000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3342362857.0000000001097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update4/SeetrolCenter.exe
Source: SeetrolClient.exe, 00000003.00000002.3342362857.0000000001097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update4/SeetrolCenter.exe3V
Source: SeetrolClient.exe, 00000003.00000002.3342362857.0000000001100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seetrol.com/update4/SeetrolCenter.exeh
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: SeetrolClient.exe, 00000003.00000002.3342362857.0000000001100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Code function: 3_2_0043F450 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,

3_2_0043F450

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Code function: 3_2_0043F450 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,

3_2_0043F450

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Code function: 3_2_004234C0 GetKeyState,InvalidateRect,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,InvalidateRect,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,SendMessageW,

3_2_004234C0

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0043A870 SystemParametersInfoW,CoInitialize,CoCreateInstance,CoUninitialize,		3_2_0043A870
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0043A930 CoInitialize,CoCreateInstance,CoUninitialize,SystemParametersInfoW,		3_2_0043A930

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe

Code function: 1_2_004014C0 OpenSCManagerA,OpenServiceA,GetLastError,CloseServiceHandle,QueryServiceStatus,ControlService,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_004014C0

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Code function: 3_2_0040F4B0 WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32FirstW,ProcessIdToSessionId,Process32NextW,LoadLibraryW,GetProcAddress,74591930,_memset,OpenProcess,OpenProcessToken,GetLastError,GetLastError,LookupPrivilegeValueW,DuplicateTokenEx,GetLastError,SetTokenInformation,AdjustTokenPrivileges,GetLastError,GetLastError,74AE7ED0,CreateProcessAsUserW,GetLastError,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,

3_2_0040F4B0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01002251 ExitWindowsEx,	0_2_01002251
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010019C3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	0_2_010019C3
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0044DC60 IsUserAnAdmin,Sleep,ExitWindowsEx,	3_2_0044DC60
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: ShellExecuteW, shutdown	3_2_0043BE60
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0044DE20 ExitWindowsEx,InitiateSystemShutdownExW,KillTimer,KillTimer,KillTimer,Sleep,	3_2_0044DE20

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

File created: C:\Program Files (x86)\seetrol\client\068\dfmirage.sys

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe

File deleted: C:\Windows\Prefetch\cadrespri.7db

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01008D30	0_2_01008D30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01009548	0_2_01009548
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01009982	0_2_01009982
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010086B0	0_2_010086B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010089C7	0_2_010089C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010090EF	0_2_010090EF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Code function: 1_2_0040BB82	1_2_0040BB82
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0043B0F0	3_2_0043B0F0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0043FE80	3_2_0043FE80
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0044BFE0	3_2_0044BFE0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_00402150	3_2_00402150
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_004C8267	3_2_004C8267
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_004303F0	3_2_004303F0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_00410420	3_2_00410420
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_004C6EB0	3_2_004C6EB0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_004E6FD0	3_2_004E6FD0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_00401000	3_2_00401000
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_004012F0	3_2_004012F0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_00401359	3_2_00401359
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_00401510	3_2_00401510
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_004DF8C0	3_2_004DF8C0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0042B900	3_2_0042B900
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0043DA60	3_2_0043DA60

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: String function: 004B0CD8 appears 54 times
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: String function: 004B0BB1 appears 58 times
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: String function: 004ABC43 appears 81 times
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: String function: 00461613 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Code function: String function: 00404CB8 appears 34 times

Source: file.exe

Static PE information: invalid certificate

Source: file.exe	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 1819553 bytes, 8 files, at 0x2c +A "ClientRun.exe" +A "Seetrol_Clt.exe", ID 11004, number 1, 60 datablocks, 0x1503 compression
Source: SeetrolClient.exe.0.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: STClientChat.exe.0.dr	Static PE information: Resource name: RT_CURSOR type: DOS executable (COM)
Source: STClientChat.exe.0.dr	Static PE information: Resource name: RT_CURSOR type: DOS executable (COM)
Source: STClientChat.exe.0.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM)
Source: STClientChat.exe.0.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM)
Source: STClientChat.exe.1.dr	Static PE information: Resource name: RT_CURSOR type: DOS executable (COM)
Source: STClientChat.exe.1.dr	Static PE information: Resource name: RT_CURSOR type: DOS executable (COM)
Source: STClientChat.exe.1.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM)
Source: STClientChat.exe.1.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM)
Source: SeetrolClient.exe.1.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)

Source: file.exe, 00000000.00000003.2082710319.00000000005EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSTClientChat.exe: vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE t) vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: .rsrc ZLIB complexity 0.9926522970530998
Source: Seetrol_Clt.exe.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9892071759259259
Source: STClientChat.exe.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.993204455596107
Source: STClientChat.exe.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.993204455596107
Source: Seetrol_Clt.exe.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9892071759259259

Source: classification engine

Classification label: mal76.rans.evad.winEXE@8/32@1/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0100456A lstrcpyA,GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,GetLastError,FormatMessageA,GetVolumeInformationA,GetLastError,FormatMessageA,SetCurrentDirectoryA,SetCurrentDirectoryA,lstrcpynA,

0_2_0100456A

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010019C3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	0_2_010019C3
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Code function: 1_2_00401210 AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,GetLastError,AdjustTokenPrivileges,GetLastError,	1_2_00401210
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0043C0C0 LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,GetLastError,AdjustTokenPrivileges,GetLastError,	3_2_0043C0C0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0043CE80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	3_2_0043CE80
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0040F4B0 WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32FirstW,ProcessIdToSessionId,Process32NextW,LoadLibraryW,GetProcAddress,74591930,_memset,OpenProcess,OpenProcessToken,GetLastError,GetLastError,LookupPrivilegeValueW,DuplicateTokenEx,GetLastError,SetTokenInformation,AdjustTokenPrivileges,GetLastError,GetLastError,74AE7ED0,CreateProcessAsUserW,GetLastError,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	3_2_0040F4B0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01006A45 GetDiskFreeSpaceA,SetCurrentDirectoryA,MulDiv,

0_2_01006A45

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: IsUserAnAdmin,GetSystemMetrics,_memset,_memset,OpenSCManagerW,CloseServiceHandle,CreateServiceW,GetLastError,ChangeServiceConfig2W,ChangeServiceConfig2W,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,		3_2_0040DB70
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: IsUserAnAdmin,GetSystemMetrics,_memset,_memset,OpenSCManagerW,CreateServiceW,GetLastError,ChangeServiceConfig2W,ChangeServiceConfig2W,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,Sleep,Sleep,ShellExecuteW,Sleep,CloseServiceHandle,		3_2_0040FF60

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe

Code function: 1_2_00401000 CreateToolhelp32Snapshot,Process32First,Process32Next,NetWkstaGetInfo,CloseHandle,

1_2_00401000

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Code function: 3_2_00441C20 CoInitialize,CoCreateInstance,OutputDebugStringW,CoTaskMemFree,PropVariantClear,CoUninitialize,

3_2_00441C20

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01005190 GetDlgItem,GetDlgItem,ShowWindow,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA,

0_2_01005190

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Code function: 3_2_0040DB70 IsUserAnAdmin,GetSystemMetrics,_memset,_memset,OpenSCManagerW,CloseServiceHandle,CreateServiceW,GetLastError,ChangeServiceConfig2W,ChangeServiceConfig2W,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_0040DB70

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe

File created: C:\Program Files (x86)\seetrol

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1984:120:WilError_03
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\_KHClient_APP_2345_5432_

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Command line argument: file.exe	1_2_00401C10
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Command line argument: file.exe	1_2_00401C10
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Command line argument: file	1_2_00401C10
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Command line argument: @KL	3_2_004C4A90

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SeetrolClient.exe

String found in binary or memory: %s/Install.txt

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Process created: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe "C:\Program Files (x86)\seetrol\client\SeetrolClient.exe"
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\System32\ipconfig.exe" /flushdns
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Process created: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe "C:\Program Files (x86)\seetrol\client\SeetrolClient.exe"	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\System32\ipconfig.exe" /flushdns	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Window detected: Number of UI elements: 18

Source: file.exe

Static file information: File size 1886528 > 1048576

Source: file.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1c1a00

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\7MyProject\KHProject_VS2008\Seetrol_My\SeetrolClient\Release\SeetrolClient.pdb source: SeetrolClient.exe, SeetrolClient.exe, 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: wextract.pdb source: file.exe
Source:	Binary string: D:\7MyProject\KHProject_VS2008\Seetrol_My\SeetrolPackage\ClientRun\Release\ClientRun.pdb source: ClientRun.exe, ClientRun.exe, 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: d:\7MyProject\KHProject_VS2008\Seetrol_My\SeetrolClient\Release\SeetrolClient.pdb$Pc source: SeetrolClient.exe, 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\7MyProject\KHProject_VS2008\Seetrol_My\Seetrol_Clt\Release\screenhooks32.pdb source: ClientRun.exe, 00000001.00000003.2091014380.0000000000579000.00000004.00000020.00020000.00000000.sdmp, sthooks.dll.1.dr, sthooks.dll.0.dr
Source:	Binary string: D:\7MyProject\KHProject_VS2008\Seetrol_My\SeetrolPackage\ClientRun\Release\ClientRun.pdb M<O source: ClientRun.exe, 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: ~.pdb source: STClientChat.exe.0.dr, STClientChat.exe.1.dr
Source:	Binary string: SAS.pdbR source: sas.dll.0.dr, sas.dll.1.dr
Source:	Binary string: SAS.pdb source: sas.dll.0.dr, sas.dll.1.dr
Source:	Binary string: W+.pdb source: ClientRun.exe, 00000001.00000003.2090139584.0000000000578000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe.1.dr, SeetrolClient.exe.0.dr

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01006205 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

0_2_01006205

Source: sthooks.dll.0.dr	Static PE information: section name: .shared
Source: sthooks.dll.1.dr	Static PE information: section name: .shared

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Code function: 1_2_00404CFD push ecx; ret	1_2_00404D10
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_004B0C89 push ecx; ret	3_2_004B0C9C
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_004B0D1D push ecx; ret	3_2_004B0D30
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_004473EC push cs; retf	3_2_004473EF

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	File created: C:\Program Files (x86)\seetrol\client\068\dfmirage.sys	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	File created: C:\Program Files (x86)\seetrol\client\105\x64\dfmirage.sys	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	File created: C:\Program Files (x86)\seetrol\client\105\x86\dfmirage.sys	Jump to behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\System32\ipconfig.exe" /flushdns

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Code function: 3_2_0043D980 _sprintf,Sleep,_sprintf,DeleteUrlCacheEntry,URLDownloadToFileA,ShellExecuteW,

3_2_0043D980

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\SeetrolClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\STClientChat.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	File created: C:\Program Files (x86)\seetrol\client\Seetrol_Clt.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	File created: C:\Program Files (x86)\seetrol\client\sthooks.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	File created: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\sas.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	File created: C:\Program Files (x86)\seetrol\client\sas.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	File created: C:\Program Files (x86)\seetrol\client\STUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Seetrol_Clt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\sthooks.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\SeetrolMyService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	File created: C:\Program Files (x86)\seetrol\client\SeetrolMyService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\STUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	File created: C:\Program Files (x86)\seetrol\client\STClientChat.exe	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010026E2 LocalFree,lstrcpyA,lstrcpyA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,wsprintfA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,wsprintfA,LocalAlloc,GetFileAttributesA,

0_2_010026E2

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Jump to behavior

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

3_2_0040DB70

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_004429A0 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,SetRect,GetClientRect,	3_2_004429A0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0043E1B0 IsIconic,	3_2_0043E1B0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0045E632 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,	3_2_0045E632

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Stalling execution: Execution stalls by calling Sleep

graph_3-49354

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Window / User API: threadDelayed 1423			Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Window / User API: threadDelayed 756			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\STClientChat.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Dropped PE file which has not been started: C:\Program Files (x86)\seetrol\client\Seetrol_Clt.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Dropped PE file which has not been started: C:\Program Files (x86)\seetrol\client\sthooks.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\sas.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Dropped PE file which has not been started: C:\Program Files (x86)\seetrol\client\STUpdate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Dropped PE file which has not been started: C:\Program Files (x86)\seetrol\client\sas.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Seetrol_Clt.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Dropped PE file which has not been started: C:\Program Files (x86)\seetrol\client\SeetrolMyService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\SeetrolMyService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\sthooks.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\STUpdate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Dropped PE file which has not been started: C:\Program Files (x86)\seetrol\client\STClientChat.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_1-6719
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_3-48852

Source: C:\Users\user\Desktop\file.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-3350

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

API coverage: 8.0 %

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe TID: 4436

Thread sleep time: -42690s >= -30000s

Jump to behavior

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Thread sleep count: Count: 1423 delay: -30

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01002A96 FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_01002A96
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Code function: 1_2_004015E0 SHGetSpecialFolderPathA,_memset,_memset,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,__splitpath_s,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,wsprintfA,RemoveDirectoryA,	1_2_004015E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Code function: 1_2_004023B0 _memset,FindFirstFileA,FindClose,	1_2_004023B0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0043A5C0 _sprintf,FindFirstFileA,_sprintf,FindNextFileA,	3_2_0043A5C0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_00432AD0 _memset,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,FindNextFileA,FindClose,	3_2_00432AD0
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_00435040 GetLogicalDrives,_memset,_memset,GetSystemDefaultLangID,SHGetSpecialFolderPathA,SHGetFileInfo,_memset,SHGetSpecialFolderPathA,SHGetFileInfo,_memset,GetDriveTypeA,SHGetFileInfo,_memset,_memset,_memset,_sprintf,FindFirstFileA,_sprintf,_memset,FindNextFileA,FindClose,	3_2_00435040
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_00433470 _memset,_sprintf,FindFirstFileA,_sprintf,_sprintf,_memset,FindNextFileA,FindClose,	3_2_00433470
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_00479646 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	3_2_00479646
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_0040BE90 _memset,_memset,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,__splitpath_s,FindNextFileA,_sprintf,FindNextFileA,FindClose,_sprintf,RemoveDirectoryA,	3_2_0040BE90

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010052D4 lstrcpyA,lstrcpyA,GetSystemInfo,lstrcpyA,CreateDirectoryA,RemoveDirectoryA,

0_2_010052D4

Source: ClientRun.exe, 00000001.00000003.2093776662.0000000000550000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\R
Source: SeetrolClient.exe, 00000003.00000002.3342362857.00000000010F3000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3343445746.0000000009ED6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ClientRun.exe, 00000001.00000003.2093776662.0000000000550000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}z
Source: SeetrolClient.exe, 00000003.00000002.3342362857.00000000010D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWss32

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	API call chain: ExitProcess graph end node	graph_1-6804
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	API call chain: ExitProcess graph end node	graph_1-7987
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	API call chain: ExitProcess graph end node	graph_1-7037
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	API call chain: ExitProcess graph end node	graph_3-49545

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe

Code function: 1_2_00402478 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_00402478

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe

Code function: 1_2_004012C0 _memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,CreateToolhelp32Snapshot,Process32First,OpenProcess,TerminateProcess,Sleep,OpenProcess,GetLastError,TerminateProcess,CloseHandle,Sleep,OutputDebugStringA,Process32Next,CloseHandle,LookupPrivilegeValueA,CloseHandle,

1_2_004012C0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01006205 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

0_2_01006205

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe

Code function: 1_2_0040D2F5 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

1_2_0040D2F5

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010064DE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_010064DE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Code function: 1_2_00402478 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00402478
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Code function: 1_2_00404407 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00404407
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Code function: 1_2_0040DF1E __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0040DF1E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Code function: 1_2_0040818B SetUnhandledExceptionFilter,	1_2_0040818B
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_004AB071 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_004AB071
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: 3_2_004AD4AC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_004AD4AC

HIPS / PFW / Operating System Protection Evasion

Contains functionality to automate explorer (e.g. start an application)

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Code function: 3_2_0044BFE0 GetModuleFileNameA,SetCurrentDirectoryA,Sleep,SetThreadExecutionState,GetSystemMenu,AppendMenuW,AppendMenuW,AppendMenuW,AppendMenuW,AppendMenuW,DeleteFileW,DeleteFileW,DeleteFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,Sleep,ShellExecuteW,SendMessageW,SendMessageW,SendMessageW,SetTimer,LoadImageA,LoadImageW,GetClientRect,KiUserCallbackDispatcher,GetWindowRect,GetWindowRect,GetWindowRect,SetRect,SetRect,SetRect,RtlInitializeCriticalSection,GetSystemMetrics,SetTimer,SetTimer,SetTimer,SetTimer,SendMessageW,KillTimer,SetTimer,SetTimer,Sleep,Sleep,Sleep,Sleep,SetTimer,SendMessageW,SetTimer,SendMessageW,KillTimer,SetTimer,SetTimer,Sleep,Sleep,Sleep,Sleep,Sleep,SendMessageW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,Sleep,Sleep,Sleep,Sleep,Sleep,SetTimer,SendMessageW,SendMessageW,SendMessageW,LoadIconW,SetTimer,SetTimer,FindWindowW,FindWindowExW,GetWindowRect,SendMessageW,SetTimer,

3_2_0044BFE0

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Code function: 3_2_0043D150 keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,

3_2_0043D150

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Process created: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe "C:\Program Files (x86)\seetrol\client\SeetrolClient.exe"			Jump to behavior
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\System32\ipconfig.exe" /flushdns			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01001760 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,

0_2_01001760

Source: SeetrolClient.exe	Binary or memory string: Shell_TrayWnd
Source: SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: Cstop.animation.%dTray.{47BCDAC1-2E6F-4f9a-9A3F-68A3B97CE33E}ToolbarWindow32SysPagerTrayNotifyWndShell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	Code function: GetLocaleInfoA,		1_2_0040CB1D
Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	Code function: GetLocaleInfoA,		3_2_004DC8BB

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Code function: 3_2_00441940 CreateNamedPipeW,DisconnectNamedPipe,ConnectNamedPipe,GetLastError,ReadFile,PostMessageW,CloseHandle,__endthread,

3_2_00441940

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0100646B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0100646B

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Code function: 3_2_004BF1FE __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,GetLastError,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,SetOaNoCache,__invoke_watson,

3_2_004BF1FE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0100488C GetVersionExA,MessageBeep,MessageBoxA,

0_2_0100488C

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Jump to behavior

Source: C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Code function: 3_2_00434450 CreateDirectoryW,socket,setsockopt,setsockopt,closesocket,setsockopt,htons,bind,closesocket,listen,closesocket,

3_2_00434450

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	3 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	24 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	12 Service Execution	32 Windows Service	11 Access Token Manipulation	21 Obfuscated Files or Information	Security Account Manager	15 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	32 Windows Service	11 Software Packing	NTDS	31 Security Software Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	13 Process Injection	1 DLL Side-Loading	LSA Secrets	2 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 File Deletion	Cached Domain Credentials	3 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	11 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	13 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\seetrol\client\STClientChat.exe	4%	ReversingLabs
C:\Program Files (x86)\seetrol\client\STUpdate.exe	7%	ReversingLabs
C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	4%	ReversingLabs
C:\Program Files (x86)\seetrol\client\SeetrolMyService.exe	4%	ReversingLabs
C:\Program Files (x86)\seetrol\client\Seetrol_Clt.exe	2%	ReversingLabs
C:\Program Files (x86)\seetrol\client\sas.dll	0%	ReversingLabs
C:\Program Files (x86)\seetrol\client\sthooks.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP000.TMP\STClientChat.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP000.TMP\STUpdate.exe	7%	ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP000.TMP\SeetrolClient.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP000.TMP\SeetrolMyService.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP000.TMP\Seetrol_Clt.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP000.TMP\sas.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP000.TMP\sthooks.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.symauth.com/cps0(	0%	URL Reputation	safe
http://www.symauth.com/rpa00	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.seetrol.com	139.150.75.206	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.seetrol.com/update3/NetScan.exe	true		unknown
http://www.seetrol.com/update4/SeetrolCenter.exe	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.seetrol.com/update3/MirrInst32.exe	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/Install.txt	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/105/x86/dfmirage.sys	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3343445746.0000000009ED6000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3342362857.00000000010D1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/MirrInst64.exe%	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/068/dfmirage.cat_	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/105/x64/dfmirage.dll	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/105/x64/dfmirage.dll~	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/flash.html	SeetrolClient.exe, SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp	false		unknown
http://www.seetrol.com/update3WINDOWS	SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp	false		unknown
http://www.seetrol.com/update3/NetScan.exeVo	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/NetScan.exeZo	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.symauth.com/cps0(	file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr	false	URL Reputation: safe	unknown
http://www.seetrol.com/flash.htmlflash.htmlwww.seetrol.com901801701_01%s_%02d_	SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp	false		unknown
http://www.seetrol.com/update3/MirrInst64.exe	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/Uninstall.txt	SeetrolClient.exe, 00000003.00000002.3342362857.00000000010F3000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/105/dfmirage.catp	SeetrolClient.exe, 00000003.00000002.3342362857.0000000001100000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/068/dfmirage.sys	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/	ClientRun.exe, 00000001.00000003.2091014380.0000000000579000.00000004.00000020.00020000.00000000.sdmp, sthooks.dll.1.dr, sthooks.dll.0.dr	false		unknown
http://www.seetrol.com/update3/105/dfmirage.inf	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/MirrInst32.exe9	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.symauth.com/rpa00	file.exe, SeetrolMyService.exe.1.dr, STClientChat.exe.0.dr, Seetrol_Clt.exe.0.dr, STUpdate.exe.1.dr, STClientChat.exe.1.dr, sthooks.dll.1.dr, SeetrolClient.exe.1.dr, ClientRun.exe.0.dr, SeetrolMyService.exe.0.dr, STUpdate.exe.0.dr, Seetrol_Clt.exe.1.dr, sthooks.dll.0.dr, SeetrolClient.exe.0.dr	false	URL Reputation: safe	unknown
http://www.seetrol.com/update3/NetScan.exeNo	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update4/SeetrolCenter.exeh	SeetrolClient.exe, 00000003.00000002.3342362857.0000000001100000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update4	SeetrolClient.exe, SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp	false		unknown
http://www.seetrol.com/update3/068/dfmirage.inf	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/105/dfmirage.cat	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/105/x86/dfmirage.dll8	SeetrolClient.exe, 00000003.00000002.3342362857.0000000001100000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/105/x86/dfmirage.sysm	SeetrolClient.exe, 00000003.00000002.3342362857.00000000010D1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/Uninstall.txt~GP	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3	SeetrolClient.exe, SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp	false		unknown
http://www.seetrol.com/update3/068/dfmirage.cat4	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update4%s:	SeetrolClient.exe, 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp	false		unknown
http://www.seetrol.com/update3/105/x64/dfmirage.sys	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3342362857.00000000010D1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/068/dfmirage.dll	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update3/105/x86/dfmirage.dll	SeetrolClient.exe, 00000003.00000002.3342362857.000000000111E000.00000004.00000020.00020000.00000000.sdmp, SeetrolClient.exe, 00000003.00000002.3342362857.00000000010D1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.seetrol.com/update4/SeetrolCenter.exe3V	SeetrolClient.exe, 00000003.00000002.3342362857.0000000001097000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
139.150.75.206	www.seetrol.com	Korea Republic of		3786	LGDACOMLGDACOMCorporationKR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1540231
Start date and time:	2024-10-23 15:32:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal76.rans.evad.winEXE@8/32@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 88% Number of executed functions: 130 Number of non-executed functions: 242
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
09:33:03	API Interceptor	4x Sleep call for process: SeetrolClient.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
139.150.75.206	SecuriteInfo.com.Trojan.DownLoader44.36703.22938.13598.exe	Get hash	malicious	Unknown	Browse	www.seetrol.com/update3/105/x86/dfmirage.sys
139.150.75.206	SecuriteInfo.com.Trojan.DownLoader44.36703.22938.13598.exe	Get hash	malicious	Unknown	Browse	www.seetrol.com/update3/105/x86/dfmirage.sys

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.seetrol.com	SecuriteInfo.com.Trojan.DownLoader44.36703.22938.13598.exe	Get hash	malicious	Unknown	Browse	139.150.75.206
	SecuriteInfo.com.Trojan.DownLoader44.36703.22938.13598.exe	Get hash	malicious	Unknown	Browse	139.150.75.206
	jnet-04.exe	Get hash	malicious	Unknown	Browse	45.115.155.209

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LGDACOMLGDACOMCorporationKR	SecuriteInfo.com.Trojan.DownLoader44.36703.22938.13598.exe	Get hash	malicious	Unknown	Browse	139.150.75.206
	SecuriteInfo.com.Trojan.DownLoader44.36703.22938.13598.exe	Get hash	malicious	Unknown	Browse	139.150.75.206
	General terms and conditions of sale - Valid from 10202024 to 12312024.exe	Get hash	malicious	FormBook	Browse	121.254.178.239
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	61.249.26.53
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	106.245.118.30
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	58.73.233.110
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	106.246.91.248
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	164.124.63.190
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	106.249.137.190
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	211.169.100.6

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\seetrol\client\sas.dll	SecuriteInfo.com.Trojan.DownLoader44.36703.22938.13598.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.DownLoader44.36703.22938.13598.exe	Get hash	malicious	Unknown	Browse
	3vS3F5eukR.exe	Get hash	malicious	Unknown	Browse
	3vS3F5eukR.exe	Get hash	malicious	Unknown	Browse
	eWIIsxIoe5.exe	Get hash	malicious	Unknown	Browse
	eWIIsxIoe5.exe	Get hash	malicious	Unknown	Browse
	Agent_Install.exe	Get hash	malicious	Jupyter	Browse
	Agent_Install.exe	Get hash	malicious	Jupyter	Browse
	sEcCIwFKPc.exe	Get hash	malicious	Unknown	Browse
	sEcCIwFKPc.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\seetrol\client\068\dfmirage.cat

Download File

Process:	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	222
Entropy (8bit):	5.194844030122028
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3eAz7GxKCezocKqD:J0+oxBeRmR9etdzRxtuez1T
MD5:	9AADCF47731C2F426457D0EFD977A4CB
SHA1:	F8D07BF01B082575A184A100958EF750C395B2F4
SHA-256:	507CE5FA25869FFB01DD896244F496E25574A4B628A99A6173E22A1885F160AA
SHA-512:	B49B071CFD83555E556A2F4C7221608DA98F742E0AED3D2A97FA93775447DE2D64118638BFFB0B8F956DEED7A01D0C1374BC4CBC36B6B9F89201CE4DD227492B
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /update3/068/dfmirage.cat was not found on this server.</p>.</body></html>.

C:\Program Files (x86)\seetrol\client\068\dfmirage.dll

Download File

Process:	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	222
Entropy (8bit):	5.179718169746383
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3eAz7BHo0CezocKqD:J0+oxBeRmR9etdzRxtFIFez1T
MD5:	B00A567E64C14D7E9A6E8A15806BE7EC
SHA1:	C081307C18B29820DAB8EE1A21829B1D344AF812
SHA-256:	4E0D583EEF483D50ED10F7B5245785E7D6A94652500414947C73955457454584
SHA-512:	0060E2E58AA2EE3B2859AA82AFF57C8B8EF67BFF02719DA540242B3CEE6B6DA569C0904254B4538EF77D768D0E3B5312FF771449FC0E6AD80A9A121A3DCDED7C
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /update3/068/dfmirage.dll was not found on this server.</p>.</body></html>.

C:\Program Files (x86)\seetrol\client\068\dfmirage.inf

Download File

Process:	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	222
Entropy (8bit):	5.189085644313831
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3eAz7sCezocKqD:J0+oxBeRmR9etdzRxthez1T
MD5:	0D95D50FB6D3F0959AD3E98FDB3974B6
SHA1:	A5D33AB5A02D694137A67BC6E7290FAF5FBC73C2
SHA-256:	30BD47D2338EC2438B2D5E695DA448773F6498DE62F294F8A20006958B4E662E
SHA-512:	06C36FE75A9444B89C1550C464AFF9C8C49632AA1F32658CC34E57F5C60F4E5C158EA1B63A31714628DBC11B64C91F618E6DD49EB7C4686D9D7ACC6BC7385435
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /update3/068/dfmirage.inf was not found on this server.</p>.</body></html>.

C:\Program Files (x86)\seetrol\client\068\dfmirage.sys

Download File

Process:	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	222
Entropy (8bit):	5.18908564431383
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3eAz7WnCezocKqD:J0+oxBeRmR9etdzRxtqCez1T
MD5:	AA0FD58284D976F531956709362D2489
SHA1:	8182C6FD9A5E5AF19465EEF6D2ED05DD54DC1627
SHA-256:	25B845936D2BA35449BF46B4DD1D0BF81E14B1D36CCC46AE809696AD7E0EF9AB
SHA-512:	2BFB4ED452EA73A0A4691243829C189240E0A073755374673F549DC8EA5561EE305CC793F94C406CEFFFE0B5EB5AC709D4A8D58C0BA4731E7EBBFD8A0B7241EF
Malicious:	true
Reputation:	low
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /update3/068/dfmirage.sys was not found on this server.</p>.</body></html>.

C:\Program Files (x86)\seetrol\client\105\dfmirage.cat

Download File

Process:	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	222
Entropy (8bit):	5.182434626959131
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3eAH1GxKCezocKqD:J0+oxBeRmR9etdzRxWez1T
MD5:	27A735248796F4992E55026FA0B54A05
SHA1:	59CE159E8AC8DAB11E907C677C0CD4C00E9C196C
SHA-256:	D574FBF4C6C5B5BF64BBE12829AAECDE1DCE1C0D2EAE2BC6FF1003B312721ABD
SHA-512:	0B884562B25B059BE55FF7E8F32846D701A3894217DB8BD53CFB6A05BBA50D271FA3976B288EFA79909C402F5D50359F79E9BDE5DAD1DFDA77FD0F403C2D4E51
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /update3/105/dfmirage.cat was not found on this server.</p>.</body></html>.

C:\Program Files (x86)\seetrol\client\105\dfmirage.inf

Download File

Process:	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	222
Entropy (8bit):	5.176676241150933
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3eAH1sCezocKqD:J0+oxBeRmR9etdzRxpez1T
MD5:	0F328FA61B0CF1FCED70262036B753CF
SHA1:	948132478869DFC1E1D48B1735D800D3F60FD1D8
SHA-256:	9916B39620D38071A599084DE36B29B858F5FD540C2A1F4FFFBC42E02FC8CB87
SHA-512:	792B3F5EB3B2F2137F0683FE40B104E5D45750CAC7BE66DF5F528D4B704A98CF466F613AAF5022045675E1231F375AC50C03A53CBCE930C64E570873C125619F
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /update3/105/dfmirage.inf was not found on this server.</p>.</body></html>.

C:\Program Files (x86)\seetrol\client\105\x64\dfmirage.dll

Download File

Process:	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.203500622962866
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3eAH41BHo0CezocKqD:J0+oxBeRmR9etdzRxKLIFez1T
MD5:	E8A067D8355DAF9E0294BAB9DE3B3B0C
SHA1:	DACBB0EE8B5A4E9DEBAA4530F18C6829FFB4C673
SHA-256:	670159ACF71E94785D30F91797B62BE4F92932C8F8E0A30932A115BF541398ED
SHA-512:	2DD63173C78F6A8C9AA90252107698D2AC7FA819DE3233916AF46050E3B29261A4280F72E9A947100E4C78EFB54F9342C22EE0D31B8D3B85C47F8AA9BF707210
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /update3/105/x64/dfmirage.dll was not found on this server.</p>.</body></html>.

C:\Program Files (x86)\seetrol\client\105\x64\dfmirage.sys

Download File

Process:	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.2127023015202685
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3eAH41WnCezocKqD:J0+oxBeRmR9etdzRxKMCez1T
MD5:	F3A9F0320B19E083826EFD7AFB6AFF4D
SHA1:	EE7604C318BB97A6BDD2EB67A2D574B9CFE86F9B
SHA-256:	8A3069C83AFDBBEFFCE8315CF000FE3799B49587EF6BA4B47C5F1F7FBF28ADE4
SHA-512:	BE73338DDF22ABF1A434579DA063D30AF1B6B8804C74E56A705EE2ABE6D35825AE14A96F398A0E9D1604266EBD0069AFC5E3BB9811FB1885BB17335B514BA8A3
Malicious:	true
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /update3/105/x64/dfmirage.sys was not found on this server.</p>.</body></html>.

C:\Program Files (x86)\seetrol\client\105\x86\dfmirage.dll

Download File

Process:	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.215690390671554
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3eAHI1BHo0CezocKqD:J0+oxBeRmR9etdzRx6LIFez1T
MD5:	7BC670536D8DD955141E6644E0EC4285
SHA1:	696E68870B1761D669810E836607C577578C91AE
SHA-256:	BCD7878F2DF67843C79BB04433203F97DE865A9F143F55CBBAA9E61E529D0B98
SHA-512:	8D88843E335C3FBD4E6C0451001737A150B666DCEC61923D3097B2BB8AC418CF416C52D9C64D2BCC87F8FA14A4DFC8088E7BEA38A06FA492D7DD650FB9B944A4
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /update3/105/x86/dfmirage.dll was not found on this server.</p>.</body></html>.

C:\Program Files (x86)\seetrol\client\105\x86\dfmirage.sys

Download File

Process:	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.224892069228956
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3eAHI1WnCezocKqD:J0+oxBeRmR9etdzRx6MCez1T
MD5:	C88EAE1587E1B9C9207CB87C1FBB304B
SHA1:	2456A28D5AE19118FFD8696FD0C984B7A6C1FFD1
SHA-256:	1B2AE40AC826D52A56DA8FB7568E62DD536E9FD70D73EFC676747CC724A19065
SHA-512:	50D961F1A36626585FCF5CB144F09BA40872A1E297A857287554D31B25B1F0E1849F08FFD7A7FA05AF20AF5B779EF98A182CC4991770B0F669BA4FF723D2A043
Malicious:	true
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /update3/105/x86/dfmirage.sys was not found on this server.</p>.</body></html>.

C:\Program Files (x86)\seetrol\client\Install.cmd

Download File

Process:	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	217
Entropy (8bit):	5.123206785177216
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3eADM8KCezocKqD:J0+oxBeRmR9etdzRxqOez1T
MD5:	2CB21B93AD17E8D4DEF74287BFE6DB7C
SHA1:	89862563F16EE49D2894CC525E11FBF2D3DB01EC
SHA-256:	090758864AC99368D4F2495C018E30EDFC6045573CBFC58AD119819A6D8039B8
SHA-512:	B7935F085A8DA09F7D1497F67172D66A4DBBBED5BD6777DB8B1FD7B384A196E46B508D62985576AE1F759DC3C94F6D319EB052034572B155A0AB5B882F712C1A
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /update3/Install.txt was not found on this server.</p>.</body></html>.

C:\Program Files (x86)\seetrol\client\MirrInst32.exe

Download File

Process:	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	220
Entropy (8bit):	5.1549487658744955
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3eAdX0CezocKqD:J0+oxBeRmR9etdzRxbXFez1T
MD5:	F886FCA19E85A5E8A69FE38723C62A19
SHA1:	25C9E008415ECEB7DDB382A3348EB24123B9C1B6
SHA-256:	D853ADB3198D913AE4A434EEDDDEB1965117C9646BD799504C4F3AF0610589DB
SHA-512:	F149BCD30B90B062D2B1EA9E692C93DE93A6528074653FD9EC0FFFFFBCBE95AE99BD01D53C4AF444FA3BEFD737C5180F25277FA0605D1DF95E8EECDDAD183D67
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /update3/MirrInst32.exe was not found on this server.</p>.</body></html>.

C:\Program Files (x86)\seetrol\client\MirrInst64.exe

Download File

Process:	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	220
Entropy (8bit):	5.160608368137388
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3eAr9CezocKqD:J0+oxBeRmR9etdzRxR4ez1T
MD5:	BA42E888340B4EE3357D9FA5B46175DE
SHA1:	FF01FB0D13BA88494CBDDCC1ECA500FCFFFB42E1
SHA-256:	5BC88BC097046B0ABA6D5118611C5232902FF83B3004D371413E74C233B4C89A
SHA-512:	9E38067AA1D3CDA0517E8565D3AA47243544A7BD87AA7C8254C3329A73141A071B54D40279FAA8D1DE2B243479643E6E321724E4FC730742E65C9690E0EB2145
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /update3/MirrInst64.exe was not found on this server.</p>.</body></html>.

C:\Program Files (x86)\seetrol\client\STClientChat.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	641856
Entropy (8bit):	7.9235995247217605
Encrypted:	false
SSDEEP:	12288:2EHbGzlWov167SMEURqpg2ShLILcDk101c+n0KNyI9XWd1O:37GIovMOxURqpg2SqwDZ/0Iz9Xa1O
MD5:	B73B47A1F3C3CFF2D23BF2ACB88C8E8B
SHA1:	E11DE756E0313D039B2961B54F41DC64A1D420CB
SHA-256:	B51AE253C7A37D4A6F4C820991D60FC6D903E201FD1BEEDF8C7D599D99538E60
SHA-512:	CA8433BECCC1520B2A59B697273A75DF7A0CA63830B7A9D002A6E86CBCE7D562A6DF2F0F083A5F611383914C40D91001ABF317F44E9533E900353CE96E9BFF11
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................6...........x................................Rich...........................PE..L....0Z..................... ...@..`....P........@.......................... ......-.....@.............................................................@...............................................H.......................@...................UPX0.....@..............................UPX1.........P......................@....rsrc.... ..........................@..............................................................................................................................................................................................................................................................................................................................................................................3.04.UPX!....

C:\Program Files (x86)\seetrol\client\STUpdate.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	55616
Entropy (8bit):	7.754993903267388
Encrypted:	false
SSDEEP:	1536:L1qMWAugeDJd3k4gZqFQ6EbsP86o1T9CQxMKiVDMZF3xX/+:L1q933k4SThsPY1TlxMKiVDMZJxP+
MD5:	3A7FCD42779050C2FC8CDF860BEFAC3F
SHA1:	88A9AFC3A812540AA77AA697C3213847496E9F40
SHA-256:	D46CACC5B081FFCB42CC4F2816696D179A3F03FF89D7791F09EA04789A38D4A8
SHA-512:	3FBA1A929FF5B3BC8D3119925D713CCE985CE7456B1ACC0BAE971FE393893C1FF903C16D0CEB3AC4F1297F33A5FC51F738E0347EDE685F7379C3302E0669ED8F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 7%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8(..\|Iz.\|Iz.\|Iz.....}Iz.u1..QIz.u1..hIz.u1...Iz.[...kIz.\|I{..Iz.u1..zIz.b...}Iz.u1..}Iz.Rich\|Iz.........PE..L...-..].............................h.......p....@..................................i....@..................................w.......p..................@...........................................\j..H...........................................UPX0....................................UPX1................................@....rsrc........p......................@......................................................................................................................................................................................................................................................................................................................................................................................................3.04.UPX!....

C:\Program Files (x86)\seetrol\client\SeetrolClient.cfg

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
File Type:	data
Category:	dropped
Size (bytes):	332
Entropy (8bit):	7.354117077505842
Encrypted:	false
SSDEEP:	6:sB465OtShYAe6EuizGYBQz0AMd0jzMO3BAOSCaWKLfso4ba8fKkGfsY5qllHb8xO:sV50SiAvsGYUA/LEfzfODqlJtV
MD5:	01A61C6CA71036C53D648EFF7EACCBE0
SHA1:	597E814E43894EF37C0D9DE110F7EFB633599494
SHA-256:	AA8180874108706BE03D59749800DC1E4EFE6556BDC1B7B0E35244234F0E125B
SHA-512:	8BC63FFB7AA7E0BC1B6A438F0AA44A36C1DD0557A27F31D773C7A49572E608BC536A3D1BDE4A0FA79A4A5111A881136C0496E76653AB142F02313F75AB660816
Malicious:	false
Preview:	..D.].!...V...{.B6$.....lx.z.........e..Q..{.!"..7.......a...!....Y.F..`$sbz...^.-.T..Q........C..`.>?.....U.?.c.....,3.......j..jf.8..3..I.]y....`..{y.b.P&.g?2h..I.v....q6.)&(..7.....eh"OMM.i].y..0R...3/]...o.d."V".....j.[@..`..,.{.....%.N.....T.E....O.....5zr..6...........d.({....#.(......9........}V...?.!........

C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	727360
Entropy (8bit):	7.922843421551964
Encrypted:	false
SSDEEP:	12288:8oGodNaQOlkhlyA++SIq3knBHU0sZe/AYiyjXE9Fow4tCQSZ8EGd39OqfpeHvxuW:nGovOChlyA+7kB00sZgAYiiX2L0EGdTA
MD5:	4ED27CD391E16B0E256C76AFC1F986C3
SHA1:	E0D705F87F5B5334A81D18126B18A9A39F8B6D5E
SHA-256:	2096A5E42C046C360C7CD646309A0E7DBBAAED00E84E242166108464B7B0CA22
SHA-512:	7E9208D6782FA8ED08C4B896F314A535A5E38D18C4B66A2813698007D0EFEEA8014EF4C0BF4C139457C826D05EAE4FD241C2DB419A761B709F4F118BF0F9D1B6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........3.h.`.h.`.h.`.']`.h.`.K.`.h.`...`.h.`...`.h.`...`.h.`.h.`.k.`..^`.h.`..H`zh.`.:O`.h.`..O`fh.`.:_`.h.`..Z`.h.`Rich.h.`................PE..L......_.....................@...@'.`!2..P'..02...@..........................p2.....8:........}.............................0^2......02.0...............@...................................................................\.#.@...................UPX0.....@'.............................UPX1.........P'.....................@....rsrc....@...02..4..................@......................................................................................................................................................................................................................................................................................................................................................................3.04.UPX!....

C:\Program Files (x86)\seetrol\client\SeetrolMyService.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	47936
Entropy (8bit):	7.773937293943447
Encrypted:	false
SSDEEP:	768:Z3C+8XBSshN/DPBM0HJKYk2xol3GykKd+rnxhFUjRjIjBOe24aPIrIRPkvX/V:xL8XMsrTe0pZkQI+KdSLAjA24aPXPkvd
MD5:	3F366E339EFAE375EC4F74CA3735CD91
SHA1:	B9E19C1C8EC2FC7329B5DB148E7550E172810AD9
SHA-256:	C10728F8CE75BB510F207380C4E8ED2F0F3F54D83E70DEC018104914ACD29F4D
SHA-512:	1F421D136897C10B2A075E44CFC8CB1D63999D2DD5112481C9A01B48E08080AABFE3039B64E275AC3BA622714B4E024B882D4FA490C45B4F3DA4470E7D9E2083
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........KB...B...B...K...h...K...V...K...6...ex..O...B...6...K...@...\...C...K...C...RichB...........................PE..L....z2^.........................0..0....@........@.................................C\....@.............................................................@...............................................H...........................................UPX0.....0..............................UPX1.........@......................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................................................3.04.UPX!....

C:\Program Files (x86)\seetrol\client\Seetrol_Clt.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	355136
Entropy (8bit):	7.904711597341623
Encrypted:	false
SSDEEP:	6144:i7PWq6wnQldN3tPVyqBLnsLEeDjqdpPDDWw6D340FCZJ8K9hVWZKpBTSSH:MWT5ldN31VNBLs4eDoPD+oRZJ8g28r
MD5:	A84000A56149917A3C36A8B48F49773F
SHA1:	028930A5584F83FF6564902F1505CD6CE5D7D142
SHA-256:	BD4911699B7EF2F0EB87257C72D1753A3303EFDB22BD3AE43C7F6E3B76D1D599
SHA-512:	1CB8E9F340A13F7A92AA9AAA1F1302E4AFEC9D57F93462B80168E577E13E4FDA1AB39310B3860608E5B3AD15CE36576B4768A9DA1841F80025BF70174D45B544
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K\|............ew.....ea....(........o...ef.....eh.....Ov......u.....es....Rich...................PE..L...t.._.................P... ......`".......0....@..........................P......{?....@.................................8@.......0..8............^..@............................................$..H...........................................UPX0....................................UPX1.....P.......F..................@....rsrc.... ...0.......J..............@..............................................................................................................................................................................................................................................................................................................................................................................................3.04.UPX!....

C:\Program Files (x86)\seetrol\client\Uninstall.cmd

Download File

Process:	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	219
Entropy (8bit):	5.126807301587891
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3eANLDn8KCezocKqD:J0+oxBeRmR9etdzRxr3Oez1T
MD5:	C25DFA607FA3DE5A317F898036AA23E9
SHA1:	B621BAA8132CA05E38B17BB7B7A842AD4FD6F1C7
SHA-256:	AEA6BBB157C165C31C7B620843695629BD3AD8AA82FF280F8B0A9013B9AB0A5B
SHA-512:	83A43BA421C8EAE035BAC6A6FC052C4A295FA775C1682A72AC84E71D557B69F84186597F402E1CC5675F3C17F6BAFC8296FFA892A242C61C88E2D8B48D327D6E
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /update3/Uninstall.txt was not found on this server.</p>.</body></html>.

C:\Program Files (x86)\seetrol\client\dtph.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.7950885863977324
Encrypted:	false
SSDEEP:	3:oNUWJRO:oNNJ0
MD5:	7F9F52495CF3B77DA54B70352F097C44
SHA1:	EF3B162B11F3BCA3FF4160F69A6D7284F7362495
SHA-256:	4DC7DE18F6CF86A217F51D4BD8DD2138A74B9DF391C48F66F8EEE866800D9C20
SHA-512:	F2DD351D4D3B480C99F27A1231B1B3A169B679F5A8B11F813632CB199B8859B0DC6A892A0C704958A443B53ED971A5EFD59D8B4FD60316C94B72EB9C287A8E74
Malicious:	false
Preview:	C:\Users\user\Desktop

C:\Program Files (x86)\seetrol\client\mdph.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	3.893660689688185
Encrypted:	false
SSDEEP:	3:oNUcHIAlW:oNHHIAM
MD5:	134065D553F87E585464D529D3222D9F
SHA1:	339C829C34D09F8D1FE7438A618BB88BA3FBB015
SHA-256:	F25F422DA021D644392B6A279100DCCA84122590ED4427581C877859A60E6D07
SHA-512:	0D0732B7CB237F4E5C6873CC748C4DB71ECB04BAFF5147CE3DE7CDC2B1710C89493B8E5466F5651700767C796C1E20F0B3A023B22189E28CB2C1E027F98BF533
Malicious:	false
Preview:	C:\Users\user\Documents

C:\Program Files (x86)\seetrol\client\sas.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14648
Entropy (8bit):	6.345003870279541
Encrypted:	false
SSDEEP:	192:mGq/KLYix0kmAEE8O5cTbOVT66o+5W/9wWMQQKPnEtTIXXYxjaIhjTG9x6Im:NTYiWXAjHGOVZP5W/9wWlLz4Z/j+6d
MD5:	60C3820C4F56C77E3E8BECE9D7A51842
SHA1:	B1BDA7390CC5515718A23FB95DAB44E7436CF24C
SHA-256:	C2904B2822B3C1B003A72F84D42FFBFDEFD253F322C99B77CF8A950F37C716E6
SHA-512:	474DDFBD8524163396A9335B25ACB577CD12E87E9BDFA5ED7F4AA54A7D1CEA17D94D001772CB76376B4F921B96BF3341011E94ADE97ACA76BE942363ED92A6DA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Trojan.DownLoader44.36703.22938.13598.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.DownLoader44.36703.22938.13598.exe, Detection: malicious, Browse Filename: 3vS3F5eukR.exe, Detection: malicious, Browse Filename: 3vS3F5eukR.exe, Detection: malicious, Browse Filename: eWIIsxIoe5.exe, Detection: malicious, Browse Filename: eWIIsxIoe5.exe, Detection: malicious, Browse Filename: Agent_Install.exe, Detection: malicious, Browse Filename: Agent_Install.exe, Detection: malicious, Browse Filename: sEcCIwFKPc.exe, Detection: malicious, Browse Filename: sEcCIwFKPc.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n...y..y..y..#.>.+y..y...y..#.8.-y..#.9.+y..#.(.%y..#.?.+y..#.:.+y..Rich*y..........................PE..L......J...........!.........................0...............................`.......7....@..........................$..B.... ..P....@..............."..8....P..D.......................................@.......X....................................text............................... ..`.data...`....0......................@....rsrc........@......................@..@.reloc.......P....... ..............@..B...J(......J3......J@......JJ...........msvcrt.dll.KERNEL32.dll.NTDLL.DLL.RPCRT4.dll....................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\seetrol\client\sthooks.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	72000
Entropy (8bit):	6.249125081684869
Encrypted:	false
SSDEEP:	768:vSrZ2WBOkMdK4JoYNi5Nd2B+8Y7phi+94gJjv1CdpWrtR/CeSKNh5BjJcORQQwwK:DiqrYlhidyQr0tVNhDRQ3WrX/Y
MD5:	4552DCA24D26DD640F131E68CE8BA37C
SHA1:	D5B80DC90511E8AA5A25F10EBF2893AE146D84E6
SHA-256:	18997169E6D07921BB724C9E6A5AB784BCCAB52F598C5CF0C166AA47DB0C1C5A
SHA-512:	C62A9203BC3EDD46BA95A19291446AF8DD8B436D7F152EA8B64FAA07D6E08FCD7C740D9FB4B949C2C49C3FB9F5C7197421EC3A6DD212DC7B12BB6DDF5F80202F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........j^.....................................................................-..............Rich....................PE..L...#.._...........!.........d.......=.......................................`............@.........................p...`.......<....0..................@....@......P...............................x...@............................................text...%........................... ..`.rdata...4.......6..................@..@.data...............................@....shared...... ......................@....rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	40768
Entropy (8bit):	7.706402874822346
Encrypted:	false
SSDEEP:	768:eWZJpbi3QV5FqFyt6GE6XgdIYwkHo5/cuUkl5hqb+P4KnhiBPhX/D:HZvi3uWst64Xpt44hy+AKnQBPhX/D
MD5:	7E0CE08C88A72A427FAFD2ED2EC81732
SHA1:	C25E34B4286C86D07ABE7C199535EA0D001A1D08
SHA-256:	DAD41A49E11719C9CD1DC93C74DD881D223666A6C2D16044836E1E2C2C28E492
SHA-512:	CB74F6C3C6FF73D65479C74CB9CD8E95DBDC22F83AFC34D5D8F2642F24472AE75109BAB79EAA126EA2CEEB8A9A5D179D0DAC361E4D4D28B73E2DB10E89D39E76
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Z.6D;.eD;.eD;.eMC.ef;.eMC?eT;.eMC)e4;.ec..eG;.ec..eK;.eD;.e.;.eMC eF;.eZi>eE;.eMC;eE;.eRichD;.e........................PE..L.../+.]............................p.............@.................................1.....@.................................8...........8...............@...............................................H...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................................................3.04.UPX!....

C:\Users\user\AppData\Local\Temp\IXP000.TMP\STClientChat.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	641856
Entropy (8bit):	7.9235995247217605
Encrypted:	false
SSDEEP:	12288:2EHbGzlWov167SMEURqpg2ShLILcDk101c+n0KNyI9XWd1O:37GIovMOxURqpg2SqwDZ/0Iz9Xa1O
MD5:	B73B47A1F3C3CFF2D23BF2ACB88C8E8B
SHA1:	E11DE756E0313D039B2961B54F41DC64A1D420CB
SHA-256:	B51AE253C7A37D4A6F4C820991D60FC6D903E201FD1BEEDF8C7D599D99538E60
SHA-512:	CA8433BECCC1520B2A59B697273A75DF7A0CA63830B7A9D002A6E86CBCE7D562A6DF2F0F083A5F611383914C40D91001ABF317F44E9533E900353CE96E9BFF11
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................6...........x................................Rich...........................PE..L....0Z..................... ...@..`....P........@.......................... ......-.....@.............................................................@...............................................H.......................@...................UPX0.....@..............................UPX1.........P......................@....rsrc.... ..........................@..............................................................................................................................................................................................................................................................................................................................................................................3.04.UPX!....

C:\Users\user\AppData\Local\Temp\IXP000.TMP\STUpdate.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	55616
Entropy (8bit):	7.754993903267388
Encrypted:	false
SSDEEP:	1536:L1qMWAugeDJd3k4gZqFQ6EbsP86o1T9CQxMKiVDMZF3xX/+:L1q933k4SThsPY1TlxMKiVDMZJxP+
MD5:	3A7FCD42779050C2FC8CDF860BEFAC3F
SHA1:	88A9AFC3A812540AA77AA697C3213847496E9F40
SHA-256:	D46CACC5B081FFCB42CC4F2816696D179A3F03FF89D7791F09EA04789A38D4A8
SHA-512:	3FBA1A929FF5B3BC8D3119925D713CCE985CE7456B1ACC0BAE971FE393893C1FF903C16D0CEB3AC4F1297F33A5FC51F738E0347EDE685F7379C3302E0669ED8F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 7%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8(..\|Iz.\|Iz.\|Iz.....}Iz.u1..QIz.u1..hIz.u1...Iz.[...kIz.\|I{..Iz.u1..zIz.b...}Iz.u1..}Iz.Rich\|Iz.........PE..L...-..].............................h.......p....@..................................i....@..................................w.......p..................@...........................................\j..H...........................................UPX0....................................UPX1................................@....rsrc........p......................@......................................................................................................................................................................................................................................................................................................................................................................................................3.04.UPX!....

C:\Users\user\AppData\Local\Temp\IXP000.TMP\SeetrolClient.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	727360
Entropy (8bit):	7.922843421551964
Encrypted:	false
SSDEEP:	12288:8oGodNaQOlkhlyA++SIq3knBHU0sZe/AYiyjXE9Fow4tCQSZ8EGd39OqfpeHvxuW:nGovOChlyA+7kB00sZgAYiiX2L0EGdTA
MD5:	4ED27CD391E16B0E256C76AFC1F986C3
SHA1:	E0D705F87F5B5334A81D18126B18A9A39F8B6D5E
SHA-256:	2096A5E42C046C360C7CD646309A0E7DBBAAED00E84E242166108464B7B0CA22
SHA-512:	7E9208D6782FA8ED08C4B896F314A535A5E38D18C4B66A2813698007D0EFEEA8014EF4C0BF4C139457C826D05EAE4FD241C2DB419A761B709F4F118BF0F9D1B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........3.h.`.h.`.h.`.']`.h.`.K.`.h.`...`.h.`...`.h.`...`.h.`.h.`.k.`..^`.h.`..H`zh.`.:O`.h.`..O`fh.`.:_`.h.`..Z`.h.`Rich.h.`................PE..L......_.....................@...@'.`!2..P'..02...@..........................p2.....8:........}.............................0^2......02.0...............@...................................................................\.#.@...................UPX0.....@'.............................UPX1.........P'.....................@....rsrc....@...02..4..................@......................................................................................................................................................................................................................................................................................................................................................................3.04.UPX!....

C:\Users\user\AppData\Local\Temp\IXP000.TMP\SeetrolMyService.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	47936
Entropy (8bit):	7.773937293943447
Encrypted:	false
SSDEEP:	768:Z3C+8XBSshN/DPBM0HJKYk2xol3GykKd+rnxhFUjRjIjBOe24aPIrIRPkvX/V:xL8XMsrTe0pZkQI+KdSLAjA24aPXPkvd
MD5:	3F366E339EFAE375EC4F74CA3735CD91
SHA1:	B9E19C1C8EC2FC7329B5DB148E7550E172810AD9
SHA-256:	C10728F8CE75BB510F207380C4E8ED2F0F3F54D83E70DEC018104914ACD29F4D
SHA-512:	1F421D136897C10B2A075E44CFC8CB1D63999D2DD5112481C9A01B48E08080AABFE3039B64E275AC3BA622714B4E024B882D4FA490C45B4F3DA4470E7D9E2083
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........KB...B...B...K...h...K...V...K...6...ex..O...B...6...K...@...\...C...K...C...RichB...........................PE..L....z2^.........................0..0....@........@.................................C\....@.............................................................@...............................................H...........................................UPX0.....0..............................UPX1.........@......................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................................................3.04.UPX!....

C:\Users\user\AppData\Local\Temp\IXP000.TMP\Seetrol_Clt.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	355136
Entropy (8bit):	7.904711597341623
Encrypted:	false
SSDEEP:	6144:i7PWq6wnQldN3tPVyqBLnsLEeDjqdpPDDWw6D340FCZJ8K9hVWZKpBTSSH:MWT5ldN31VNBLs4eDoPD+oRZJ8g28r
MD5:	A84000A56149917A3C36A8B48F49773F
SHA1:	028930A5584F83FF6564902F1505CD6CE5D7D142
SHA-256:	BD4911699B7EF2F0EB87257C72D1753A3303EFDB22BD3AE43C7F6E3B76D1D599
SHA-512:	1CB8E9F340A13F7A92AA9AAA1F1302E4AFEC9D57F93462B80168E577E13E4FDA1AB39310B3860608E5B3AD15CE36576B4768A9DA1841F80025BF70174D45B544
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K\|............ew.....ea....(........o...ef.....eh.....Ov......u.....es....Rich...................PE..L...t.._.................P... ......`".......0....@..........................P......{?....@.................................8@.......0..8............^..@............................................$..H...........................................UPX0....................................UPX1.....P.......F..................@....rsrc.... ...0.......J..............@..............................................................................................................................................................................................................................................................................................................................................................................................3.04.UPX!....

C:\Users\user\AppData\Local\Temp\IXP000.TMP\sas.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14648
Entropy (8bit):	6.345003870279541
Encrypted:	false
SSDEEP:	192:mGq/KLYix0kmAEE8O5cTbOVT66o+5W/9wWMQQKPnEtTIXXYxjaIhjTG9x6Im:NTYiWXAjHGOVZP5W/9wWlLz4Z/j+6d
MD5:	60C3820C4F56C77E3E8BECE9D7A51842
SHA1:	B1BDA7390CC5515718A23FB95DAB44E7436CF24C
SHA-256:	C2904B2822B3C1B003A72F84D42FFBFDEFD253F322C99B77CF8A950F37C716E6
SHA-512:	474DDFBD8524163396A9335B25ACB577CD12E87E9BDFA5ED7F4AA54A7D1CEA17D94D001772CB76376B4F921B96BF3341011E94ADE97ACA76BE942363ED92A6DA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n...y..y..y..#.>.+y..y...y..#.8.-y..#.9.+y..#.(.%y..#.?.+y..#.:.+y..Rich*y..........................PE..L......J...........!.........................0...............................`.......7....@..........................$..B.... ..P....@..............."..8....P..D.......................................@.......X....................................text............................... ..`.data...`....0......................@....rsrc........@......................@..@.reloc.......P....... ..............@..B...J(......J3......J@......JJ...........msvcrt.dll.KERNEL32.dll.NTDLL.DLL.RPCRT4.dll....................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\sthooks.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	72000
Entropy (8bit):	6.249125081684869
Encrypted:	false
SSDEEP:	768:vSrZ2WBOkMdK4JoYNi5Nd2B+8Y7phi+94gJjv1CdpWrtR/CeSKNh5BjJcORQQwwK:DiqrYlhidyQr0tVNhDRQ3WrX/Y
MD5:	4552DCA24D26DD640F131E68CE8BA37C
SHA1:	D5B80DC90511E8AA5A25F10EBF2893AE146D84E6
SHA-256:	18997169E6D07921BB724C9E6A5AB784BCCAB52F598C5CF0C166AA47DB0C1C5A
SHA-512:	C62A9203BC3EDD46BA95A19291446AF8DD8B436D7F152EA8B64FAA07D6E08FCD7C740D9FB4B949C2C49C3FB9F5C7197421EC3A6DD212DC7B12BB6DDF5F80202F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........j^.....................................................................-..............Rich....................PE..L...#.._...........!.........d.......=.......................................`............@.........................p...`.......<....0..................@....@......P...............................x...@............................................text...%........................... ..`.rdata...4.......6..................@..@.data...............................@....shared...... ......................@....rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.990164430629436
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'886'528 bytes
MD5:	126619fbbb061d7f4e5a595068249ce8
SHA1:	97bce4d9b978f39b2695b4e3cd24b027f10de317
SHA256:	f2e4a4a886757ce7e2492cbc509d2d29fad5674d037482057f3ee77986892198
SHA512:	9ed6c43a15c6fc2c601a9151f65847f1f661fb9a8fff75d2c5d50ffd5d5d65c24459a6ef23d62e1196b05dcfca5af8c9522b3cc2622d5149e1815f6c3ebcd514
SSDEEP:	49152:y9yOL+Wlja8TqIVtH44Z1pMeNyCsjQ26dtDEe+HE332Qb:ycQJG8TqIDbZLfECsURXDEeQE3mQb
TLSH:	4E95335341EAB537F4D4A37063C876231338F451877A278332C6A15A9E262C1BEB57AF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...Cu..C...C...C0..Cu..C...Cu..C...Cu..C...CRich...C................PE..L....{.A............................\d.....

File Icon


Icon Hash:	878fd7f3b9353593

Static PE Info

General

Entrypoint:	0x100645c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x41107BC1 [Wed Aug 4 06:01:37 2004 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0ebb3c09b06b1666d307952e824c8697

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	05/08/2018 20:00:00 04/09/2021 19:59:59
Subject Chain	CN=Knowhow Information & Communication Inc, O=Knowhow Information & Communication Inc, L=Yeongdeungpo-gu, S=Seoul, C=KR
Version:	3
Thumbprint MD5:	9B42F79D540927AD6A6BE17E2337F2A8
Thumbprint SHA-1:	140BC3AC52A07A0B00B1D8C35E455200B7DD342C
Thumbprint SHA-256:	0191D15FAD8491BC642BB9AA20EF755BFEFF1E10FDD77A13430A38D9965890F9
Serial:	635437A2450F7972F67E2E78776DB8A6

Entrypoint Preview

Instruction
call 00007F1568BB6B8Fh
jmp 00007F1568BB6AFFh
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
mov eax, dword ptr [0100B2D0h]
test eax, eax
je 00007F1568BB6B89h
cmp eax, 0000BB40h
jne 00007F1568BB6BCFh
push esi
lea eax, dword ptr [ebp-08h]
push eax
call dword ptr [01001170h]
mov esi, dword ptr [ebp-04h]
xor esi, dword ptr [ebp-08h]
call dword ptr [0100116Ch]
xor esi, eax
call dword ptr [01001168h]
xor esi, eax
call dword ptr [01001164h]
xor esi, eax
lea eax, dword ptr [ebp-10h]
push eax
call dword ptr [01001160h]
mov eax, dword ptr [ebp-0Ch]
xor eax, dword ptr [ebp-10h]
xor eax, esi
and eax, 0000FFFFh
pop esi
jne 00007F1568BB6B87h
mov eax, 0000BB40h
mov dword ptr [0100B2D0h], eax
not eax
mov dword ptr [0100B2CCh], eax
leave
ret
int3
int3
int3
int3
int3
cmp ecx, dword ptr [0100B2D0h]
jne 00007F1568BB6B8Bh
test ecx, FFFF0000h
jne 00007F1568BB6B83h
ret
jmp 00007F1568BB6B8Ah
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000330h
push edi
mov dword ptr [ebp-00000228h], eax
mov dword ptr [ebp-0000022Ch], ecx
mov dword ptr [ebp-00000230h], edx
mov dword ptr [ebp-00000234h], ebx
mov dword ptr [ebp-00000238h], esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9ce4	0x8c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd000	0x1c19fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1cbc00	0xd40	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1230	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x230	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x992c	0x9a00	7f626e5705c578b3593666e841e1d014	False	0.5787337662337663	data	6.565336591458147	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb000	0x1be4	0x400	99858e86526942a66950c7139f78a725	False	0.330078125	data	4.247999525438142	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd000	0x1c19fc	0x1c1a00	3859197b6655bd6fb4b250b6fce89d47	False	0.9926522970530998	data	7.995451799089223	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AVI	0xd7e8	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	Korean	North Korea	0.2713099474665311
AVI	0xd7e8	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	Korean	South Korea	0.2713099474665311
RT_ICON	0x10604	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Korean	North Korea	0.3709677419354839
RT_ICON	0x10604	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Korean	South Korea	0.3709677419354839
RT_ICON	0x108ec	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Korean	North Korea	0.6081081081081081
RT_ICON	0x108ec	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Korean	South Korea	0.6081081081081081
RT_DIALOG	0x10a14	0x1d0	data	Korean	North Korea	0.6637931034482759
RT_DIALOG	0x10a14	0x1d0	data	Korean	South Korea	0.6637931034482759
RT_DIALOG	0x10be4	0x12c	data	Korean	North Korea	0.68
RT_DIALOG	0x10be4	0x12c	data	Korean	South Korea	0.68
RT_DIALOG	0x10d10	0x12c	data	Korean	North Korea	0.5933333333333334
RT_DIALOG	0x10d10	0x12c	data	Korean	South Korea	0.5933333333333334
RT_DIALOG	0x10e3c	0x190	data	Korean	North Korea	0.6825
RT_DIALOG	0x10e3c	0x190	data	Korean	South Korea	0.6825
RT_DIALOG	0x10fcc	0x100	data	Korean	North Korea	0.65625
RT_DIALOG	0x10fcc	0x100	data	Korean	South Korea	0.65625
RT_DIALOG	0x110cc	0xe0	data	Korean	North Korea	0.625
RT_DIALOG	0x110cc	0xe0	data	Korean	South Korea	0.625
RT_STRING	0x111ac	0x58	Matlab v4 mat-file (little endian) \225\315t\307 , numeric, rows 0, columns 0	Korean	North Korea	0.8295454545454546
RT_STRING	0x111ac	0x58	Matlab v4 mat-file (little endian) \225\315t\307 , numeric, rows 0, columns 0	Korean	South Korea	0.8295454545454546
RT_STRING	0x11204	0x2d4	data	Korean	North Korea	0.649171270718232
RT_STRING	0x11204	0x2d4	data	Korean	South Korea	0.649171270718232
RT_STRING	0x114d8	0x3c4	data	Korean	North Korea	0.5643153526970954
RT_STRING	0x114d8	0x3c4	data	Korean	South Korea	0.5643153526970954
RT_STRING	0x1189c	0x2a8	data	Korean	North Korea	0.6338235294117647
RT_STRING	0x1189c	0x2a8	data	Korean	South Korea	0.6338235294117647
RT_STRING	0x11b44	0x234	data	Korean	North Korea	0.6861702127659575
RT_STRING	0x11b44	0x234	data	Korean	South Korea	0.6861702127659575
RT_STRING	0x11d78	0x1d8	data	Korean	North Korea	0.614406779661017
RT_STRING	0x11d78	0x1d8	data	Korean	South Korea	0.614406779661017
RT_RCDATA	0x11f50	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x11f58	0x1bc3a1	Microsoft Cabinet archive data, many, 1819553 bytes, 8 files, at 0x2c +A "ClientRun.exe" +A "Seetrol_Clt.exe", ID 11004, number 1, 60 datablocks, 0x1503 compression	English	United States	1.0002660751342773
RT_RCDATA	0x1ce2fc	0x4	data	English	United States	3.0
RT_RCDATA	0x1ce300	0x24	data	English	United States	0.8611111111111112
RT_RCDATA	0x1ce324	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x1ce32c	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x1ce334	0x4	data	English	United States	3.0
RT_RCDATA	0x1ce338	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x1ce340	0x4	data	English	United States	3.0
RT_RCDATA	0x1ce344	0x10	data	English	United States	1.5
RT_RCDATA	0x1ce354	0x4	data	English	United States	3.0
RT_RCDATA	0x1ce358	0xe	data	English	United States	1.5714285714285714
RT_RCDATA	0x1ce368	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x1ce370	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_GROUP_ICON	0x1ce378	0x22	data	Korean	North Korea	1.0
RT_GROUP_ICON	0x1ce378	0x22	data	Korean	South Korea	1.0
RT_VERSION	0x1ce39c	0x440	data	Korean	North Korea	0.42830882352941174
RT_VERSION	0x1ce39c	0x440	data	Korean	South Korea	0.42830882352941174
RT_MANIFEST	0x1ce7dc	0x21d	ASCII text, with CRLF line terminators	English	United States	0.5231053604436229

Imports

DLL	Import
ADVAPI32.dll	FreeSid, AllocateAndInitializeSid, EqualSid, GetTokenInformation, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueA, RegCloseKey, RegDeleteValueA, RegOpenKeyExA, RegSetValueExA, RegQueryValueExA, RegCreateKeyExA, RegQueryInfoKeyA
KERNEL32.dll	LocalFree, LocalAlloc, GetLastError, GetCurrentProcess, lstrlenA, GetModuleFileNameA, GetSystemDirectoryA, _lclose, _llseek, _lopen, WritePrivateProfileStringA, GetWindowsDirectoryA, CreateDirectoryA, GetFileAttributesA, ExpandEnvironmentStringsA, lstrcpyA, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, IsDBCSLeadByte, GetShortPathNameA, GetPrivateProfileStringA, GetPrivateProfileIntA, lstrcmpiA, RemoveDirectoryA, FindClose, FindNextFileA, DeleteFileA, SetFileAttributesA, lstrcmpA, FindFirstFileA, FreeResource, GetProcAddress, LoadResource, SizeofResource, FindResourceA, lstrcatA, CloseHandle, WriteFile, SetFilePointer, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, SetCurrentDirectoryA, GetTempFileNameA, ExitProcess, CreateFileA, LoadLibraryExA, lstrcpynA, GetVolumeInformationA, FormatMessageA, GetCurrentDirectoryA, GetVersionExA, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, GetTempPathA, GetSystemInfo, CreateMutexA, SetEvent, CreateEventA, CreateThread, ResetEvent, TerminateThread, GetDriveTypeA, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, ReadFile, LoadLibraryA, GetDiskFreeSpaceA, MulDiv, EnumResourceLanguagesA, FreeLibrary, LockResource
GDI32.dll	GetDeviceCaps
USER32.dll	ExitWindowsEx, wsprintfA, CharNextA, CharUpperA, CharPrevA, SetWindowLongA, GetWindowLongA, CallWindowProcA, DispatchMessageA, MsgWaitForMultipleObjects, PeekMessageA, SendMessageA, SetWindowPos, ReleaseDC, GetDC, GetWindowRect, SendDlgItemMessageA, GetDlgItem, SetForegroundWindow, SetWindowTextA, MessageBoxA, DialogBoxIndirectParamA, ShowWindow, EnableWindow, GetDlgItemTextA, EndDialog, GetDesktopWindow, MessageBeep, SetDlgItemTextA, LoadStringA, GetSystemMetrics
COMCTL32.dll
VERSION.dll	GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Korean	North Korea
Korean	South Korea
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-23T15:33:05.926446+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:05.926446+0200	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	1	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:06.291650+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:06.291650+0200	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	1	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:06.599647+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:06.903650+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:07.208682+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:07.566755+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:07.878257+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:08.185434+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:08.491280+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:08.861115+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:09.198151+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:09.508979+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:09.857839+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	139.150.75.206	80	TCP
2024-10-23T15:33:10.171532+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	139.150.75.206	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2024 15:33:04.303970098 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:04.309473991 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:04.309566975 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:04.309801102 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:04.315671921 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:05.249222040 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:05.249520063 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:05.283374071 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:05.289689064 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:05.581572056 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:05.581651926 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:05.587892056 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:05.594265938 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:05.924096107 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:05.926445961 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:05.990556955 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:05.996598959 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:06.291363955 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:06.291650057 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:06.301829100 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:06.307223082 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:06.599580050 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:06.599647045 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:06.604732037 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:06.610207081 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:06.903578997 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:06.903650045 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:06.908451080 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:06.914360046 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:07.208611965 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:07.208682060 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:07.214068890 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:07.220006943 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:07.566665888 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:07.566755056 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:07.572828054 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:07.578432083 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:07.878148079 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:07.878257036 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:07.883856058 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:07.889960051 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:08.182529926 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:08.185434103 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:08.190805912 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:08.196209908 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:08.490125895 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:08.491280079 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:08.539071083 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:08.544774055 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:08.857742071 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:08.861114979 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:08.894814014 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:08.900749922 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:09.194173098 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:09.198151112 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:09.207321882 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:09.213032961 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:09.506009102 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:09.508979082 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:09.555376053 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:09.561062098 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:09.857671976 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:09.857839108 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:09.863646030 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:09.869091988 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:10.165200949 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:10.171531916 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:33:15.346230030 CEST	80	49710	139.150.75.206	192.168.2.5
Oct 23, 2024 15:33:15.351888895 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:34:53.639132977 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:34:53.956892014 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:34:54.562031031 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:34:55.782007933 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:34:58.196881056 CEST	49710	80	192.168.2.5	139.150.75.206
Oct 23, 2024 15:35:03.001913071 CEST	49710	80	192.168.2.5	139.150.75.206

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2024 15:33:03.746284008 CEST	54759	53	192.168.2.5	1.1.1.1
Oct 23, 2024 15:33:04.291785002 CEST	53	54759	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 23, 2024 15:33:03.746284008 CEST	192.168.2.5	1.1.1.1	0xabb0	Standard query (0)	www.seetrol.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 23, 2024 15:33:04.291785002 CEST	1.1.1.1	192.168.2.5	0xabb0	No error (0)	www.seetrol.com		139.150.75.206	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.seetrol.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49710	139.150.75.206	80	5776	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Timestamp	Bytes transferred	Direction	Data
Oct 23, 2024 15:33:04.309801102 CEST	299	OUT	GET /update4/SeetrolCenter.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: www.seetrol.com Connection: Keep-Alive
Oct 23, 2024 15:33:05.249222040 CEST	470	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Oct 2024 13:33:05 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 223 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 34 2f 53 65 65 74 72 6f 6c 43 65 6e 74 65 72 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update4/SeetrolCenter.exe was not found on this server.</p></body></html>
Oct 23, 2024 15:33:05.283374071 CEST	293	OUT	GET /update3/NetScan.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: www.seetrol.com Connection: Keep-Alive
Oct 23, 2024 15:33:05.581572056 CEST	463	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Oct 2024 13:33:05 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 217 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 4e 65 74 53 63 61 6e 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/NetScan.exe was not found on this server.</p></body></html>
Oct 23, 2024 15:33:05.587892056 CEST	90	OUT	GET /update3/MirrInst32.exe HTTP/1.1 User-Agent: SeetrolClient Host: www.seetrol.com
Oct 23, 2024 15:33:05.924096107 CEST	411	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Oct 2024 13:33:05 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 220 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 4d 69 72 72 49 6e 73 74 33 32 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/MirrInst32.exe was not found on this server.</p></body></html>
Oct 23, 2024 15:33:05.990556955 CEST	90	OUT	GET /update3/MirrInst64.exe HTTP/1.1 User-Agent: SeetrolClient Host: www.seetrol.com
Oct 23, 2024 15:33:06.291363955 CEST	411	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Oct 2024 13:33:06 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 220 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 4d 69 72 72 49 6e 73 74 36 34 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/MirrInst64.exe was not found on this server.</p></body></html>
Oct 23, 2024 15:33:06.301829100 CEST	87	OUT	GET /update3/Install.txt HTTP/1.1 User-Agent: SeetrolClient Host: www.seetrol.com
Oct 23, 2024 15:33:06.599580050 CEST	408	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Oct 2024 13:33:06 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 217 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 49 6e 73 74 61 6c 6c 2e 74 78 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/Install.txt was not found on this server.</p></body></html>
Oct 23, 2024 15:33:06.604732037 CEST	89	OUT	GET /update3/Uninstall.txt HTTP/1.1 User-Agent: SeetrolClient Host: www.seetrol.com
Oct 23, 2024 15:33:06.903578997 CEST	410	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Oct 2024 13:33:06 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 219 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 55 6e 69 6e 73 74 61 6c 6c 2e 74 78 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/Uninstall.txt was not found on this server.</p></body></html>
Oct 23, 2024 15:33:06.908451080 CEST	92	OUT	GET /update3/068/dfmirage.cat HTTP/1.1 User-Agent: SeetrolClient Host: www.seetrol.com
Oct 23, 2024 15:33:07.208611965 CEST	413	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Oct 2024 13:33:07 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 222 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 30 36 38 2f 64 66 6d 69 72 61 67 65 2e 63 61 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/068/dfmirage.cat was not found on this server.</p></body></html>
Oct 23, 2024 15:33:07.214068890 CEST	92	OUT	GET /update3/068/dfmirage.dll HTTP/1.1 User-Agent: SeetrolClient Host: www.seetrol.com
Oct 23, 2024 15:33:07.566665888 CEST	413	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Oct 2024 13:33:07 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 222 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 30 36 38 2f 64 66 6d 69 72 61 67 65 2e 64 6c 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/068/dfmirage.dll was not found on this server.</p></body></html>
Oct 23, 2024 15:33:07.572828054 CEST	92	OUT	GET /update3/068/dfmirage.inf HTTP/1.1 User-Agent: SeetrolClient Host: www.seetrol.com
Oct 23, 2024 15:33:07.878148079 CEST	413	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Oct 2024 13:33:07 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 222 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 30 36 38 2f 64 66 6d 69 72 61 67 65 2e 69 6e 66 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/068/dfmirage.inf was not found on this server.</p></body></html>
Oct 23, 2024 15:33:07.883856058 CEST	92	OUT	GET /update3/068/dfmirage.sys HTTP/1.1 User-Agent: SeetrolClient Host: www.seetrol.com
Oct 23, 2024 15:33:08.182529926 CEST	413	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Oct 2024 13:33:08 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 222 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 30 36 38 2f 64 66 6d 69 72 61 67 65 2e 73 79 73 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/068/dfmirage.sys was not found on this server.</p></body></html>
Oct 23, 2024 15:33:08.190805912 CEST	92	OUT	GET /update3/105/dfmirage.cat HTTP/1.1 User-Agent: SeetrolClient Host: www.seetrol.com
Oct 23, 2024 15:33:08.490125895 CEST	413	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Oct 2024 13:33:08 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 222 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 64 66 6d 69 72 61 67 65 2e 63 61 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/dfmirage.cat was not found on this server.</p></body></html>
Oct 23, 2024 15:33:08.539071083 CEST	92	OUT	GET /update3/105/dfmirage.inf HTTP/1.1 User-Agent: SeetrolClient Host: www.seetrol.com
Oct 23, 2024 15:33:08.857742071 CEST	413	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Oct 2024 13:33:08 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 222 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 64 66 6d 69 72 61 67 65 2e 69 6e 66 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/dfmirage.inf was not found on this server.</p></body></html>
Oct 23, 2024 15:33:08.894814014 CEST	96	OUT	GET /update3/105/x64/dfmirage.dll HTTP/1.1 User-Agent: SeetrolClient Host: www.seetrol.com
Oct 23, 2024 15:33:09.194173098 CEST	417	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Oct 2024 13:33:09 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 226 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 78 36 34 2f 64 66 6d 69 72 61 67 65 2e 64 6c 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/x64/dfmirage.dll was not found on this server.</p></body></html>
Oct 23, 2024 15:33:09.207321882 CEST	96	OUT	GET /update3/105/x64/dfmirage.sys HTTP/1.1 User-Agent: SeetrolClient Host: www.seetrol.com
Oct 23, 2024 15:33:09.506009102 CEST	417	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Oct 2024 13:33:09 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 226 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 78 36 34 2f 64 66 6d 69 72 61 67 65 2e 73 79 73 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/x64/dfmirage.sys was not found on this server.</p></body></html>
Oct 23, 2024 15:33:09.555376053 CEST	96	OUT	GET /update3/105/x86/dfmirage.dll HTTP/1.1 User-Agent: SeetrolClient Host: www.seetrol.com
Oct 23, 2024 15:33:09.857671976 CEST	417	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Oct 2024 13:33:09 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 226 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 78 38 36 2f 64 66 6d 69 72 61 67 65 2e 64 6c 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/x86/dfmirage.dll was not found on this server.</p></body></html>
Oct 23, 2024 15:33:09.863646030 CEST	96	OUT	GET /update3/105/x86/dfmirage.sys HTTP/1.1 User-Agent: SeetrolClient Host: www.seetrol.com
Oct 23, 2024 15:33:10.165200949 CEST	417	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Oct 2024 13:33:10 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 Content-Length: 226 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 33 2f 31 30 35 2f 78 38 36 2f 64 66 6d 69 72 61 67 65 2e 73 79 73 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /update3/105/x86/dfmirage.sys was not found on this server.</p></body></html>

Target ID:	0
Start time:	09:33:00
Start date:	23/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x1000000
File size:	1'886'528 bytes
MD5 hash:	126619FBBB061D7F4E5A595068249CE8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:33:00
Start date:	23/10/2024
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
Imagebase:	0x400000
File size:	40'768 bytes
MD5 hash:	7E0CE08C88A72A427FAFD2ED2EC81732
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:33:01
Start date:	23/10/2024
Path:	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\seetrol\client\SeetrolClient.exe"
Imagebase:	0x400000
File size:	727'360 bytes
MD5 hash:	4ED27CD391E16B0E256C76AFC1F986C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	09:33:03
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\ipconfig.exe" /flushdns
Imagebase:	0x4b0000
File size:	29'184 bytes
MD5 hash:	3A3B9A5E00EF6A3F83BF300E2B6B67BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:33:03
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	24.5%
Dynamic/Decrypted Code Coverage:	62.6%
Signature Coverage:	21.4%
Total number of Nodes:	1021
Total number of Limit Nodes:	42

Executed Functions

Function 010026E2 Relevance: 51.0, APIs: 17, Strings: 12, Instructions: 268
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,0100133C,?,00000104,?,00000001,7591F530,00000000), ref: 0100277B
lstrcpyA.KERNEL32(?,?,?,?,0100133C,?,00000104,?,00000001,7591F530,00000000), ref: 01002793
lstrcmpiA.KERNEL32(00000000,.INF), ref: 010027B7
lstrlenA.KERNEL32(DefaultInstall,?,01001330,?), ref: 01002810
lstrlenA.KERNEL32(?,?,0100132C), ref: 0100283C
LocalAlloc.KERNEL32(00000040,00000200), ref: 0100284D
GetPrivateProfileIntA.KERNEL32(?,Reboot,00000000,?), ref: 0100287C
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,01001271,?,00000008,?), ref: 010028B1
GetShortPathNameA.KERNEL32(?,?,00000104), ref: 0100291A
wsprintfA.USER32 ref: 0100294B
lstrcmpiA.KERNEL32(00000000,.BAT), ref: 0100296B
lstrlenA.KERNEL32(Command.com /c %s), ref: 0100297D
lstrlenA.KERNEL32(?), ref: 0100298C
LocalAlloc.KERNEL32(00000040,?), ref: 0100299B
wsprintfA.USER32 ref: 010029B4
LocalAlloc.KERNEL32(00000040,00000400,?,0000002E,?,0000002E), ref: 010029CA
GetFileAttributesA.KERNELBASE(?), ref: 010029F8

Strings

AdvancedINF, xrefs: 010028A7
.INF, xrefs: 010027B1
.BAT, xrefs: 01002965
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01002775
DefaultInstall, xrefs: 01002809, 01002863, 0100287B, 010028C8, 01002939
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 01002940
setupapi.dll, xrefs: 01002922
Reboot, xrefs: 01002876
Command.com /c %s, xrefs: 01002977, 0100297C, 010029B2
setupx.dll, xrefs: 01002910
", xrefs: 01002726
Version, xrefs: 010028AC

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: lstrlen$AllocLocal$PrivateProfilelstrcmpilstrcpywsprintf$AttributesFileNamePathShortString
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 1934397216-472070384
Opcode ID: 6c011d49d29e131f740ed8dabe1c808832c5922d73e00483e9065f74cfc82ed7
Instruction ID: a376eb2aa62e0528c46e6ae682dde744fbc8027db4852c82fdc9f52ca6896b49
Opcode Fuzzy Hash: 6c011d49d29e131f740ed8dabe1c808832c5922d73e00483e9065f74cfc82ed7
Instruction Fuzzy Hash: BCA191B5900259ABFF32DB648C48EDA7BBDAB94300F0404D5F6C9A7180DBB19AD48F64

Function 0100456A Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,759183C0,00000000), ref: 010045AA
SetCurrentDirectoryA.KERNELBASE(00000000), ref: 010045B7

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 0100459D

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CurrentDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 1611563598-1193786559
Opcode ID: 6a901a27d976f6ecd6b1b3fb4ef83800b97c89f981ca28cfd4edf11155ac7cbc
Instruction ID: 32a5e2e07f0e045be28bc8ef6b6c2a76a4ecc1151fd6d71cf5cc981d67540b80
Opcode Fuzzy Hash: 6a901a27d976f6ecd6b1b3fb4ef83800b97c89f981ca28cfd4edf11155ac7cbc
Instruction Fuzzy Hash: 48519EB2900258AFFB23DB64DC85FFA77ACEB09300F0044A5B799D61C5D6759E808F65

Function 010052D4 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 96
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000,?,00000104,759183C0,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 01005320
GetSystemInfo.KERNEL32(?), ref: 01005336
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,759183C0,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 01005386
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0100539B

Part of subcall function 0100342E: wsprintfA.USER32 ref: 01003465
Part of subcall function 0100342E: lstrcpyA.KERNEL32(759183C0,?), ref: 01003476
Part of subcall function 0100342E: RemoveDirectoryA.KERNELBASE(759183C0,759183C0,00000104,?), ref: 0100348D
Part of subcall function 0100342E: GetFileAttributesA.KERNELBASE(759183C0), ref: 01003494
Part of subcall function 0100342E: GetTempFileNameA.KERNEL32(?,IXP,00000000,759183C0), ref: 010034DD
Part of subcall function 0100342E: DeleteFileA.KERNEL32(759183C0), ref: 010034F2
Part of subcall function 0100342E: CreateDirectoryA.KERNEL32(759183C0,00000000), ref: 010034FB

RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 010053DE

Strings

alpha, xrefs: 01005357
ppc, xrefs: 01005350
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 010052EA, 0100531A, 0100531F, 0100536B, 01005377, 01005380, 01005385, 0100538C, 0100539A, 010053AF, 010053D7
i386, xrefs: 01005365
mips, xrefs: 0100535E

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Directory$Filelstrcpy$CreateRemove$AttributesDeleteInfoNameSystemTempwsprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
API String ID: 2618030033-3703068183
Opcode ID: ccfa81f9c34a22009be520cd33d5ea646d99b29c1b65c734a564f30d8b4669eb
Instruction ID: bbe6c97369ec8f106fead77e6623ce3be693c8dab588adb95fac2358924cc935
Opcode Fuzzy Hash: ccfa81f9c34a22009be520cd33d5ea646d99b29c1b65c734a564f30d8b4669eb
Instruction Fuzzy Hash: 7E31C571904615AAF7239F299C44DEE3BE8BB45355F048069B6C5D60C4DFB9C944CF60

Function 01006205 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 115
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000105), ref: 0100626F
LoadLibraryA.KERNEL32(?,?,00000105,advapi32.dll), ref: 0100628E
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 010062A5
DecryptFileA.ADVAPI32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 010062B1
FreeLibrary.KERNEL32(00000000), ref: 010062B4

Part of subcall function 010043EC: LocalAlloc.KERNEL32(00000040,00000001,UPROMPT,00000000,00000000,00000000,00000000,?,?,?,01006231), ref: 0100440B

SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 010062DB

Strings

DecryptFileA, xrefs: 0100629F
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01006298, 010062B0, 010062DA
advapi32.dll, xrefs: 01006275

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-3123416969
Opcode ID: 799601459926c632d555a8d86d08fbf0d875e0935837b017e982ad4550c23b2f
Instruction ID: 9140d9ddfa85fbf1d4f936cfa7ace5a96bcd53ce79dc58d3eacbe78f2b8b6b31
Opcode Fuzzy Hash: 799601459926c632d555a8d86d08fbf0d875e0935837b017e982ad4550c23b2f
Instruction Fuzzy Hash: FB310831900A12AAFB73A775DE409BB37EEEB96351F0441A9E9C1C10C4EF7B8590CB61

Function 01002A96 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE(?,?,?,00000104,0100134C,?,00000104,00000000,SeetrolClient,00000001), ref: 01002AF2
lstrcmpA.KERNEL32(?,01001348,?,00000104,00000000,00000000), ref: 01002B31
lstrcmpA.KERNEL32(?,01001344), ref: 01002B43

Part of subcall function 010066CF: lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9

SetFileAttributesA.KERNEL32(?,00000080,?,00000104,?,?,00000104,00000000,00000000), ref: 01002B97
DeleteFileA.KERNEL32(?), ref: 01002BA4
FindNextFileA.KERNELBASE(?,00000010), ref: 01002BB7
FindClose.KERNELBASE(?), ref: 01002BCB
RemoveDirectoryA.KERNELBASE(00000000), ref: 01002BD2

Strings

SeetrolClient, xrefs: 01002ABE

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemovelstrlen
String ID: SeetrolClient
API String ID: 1122447120-1061602984
Opcode ID: a81c931836a2097e773c8ba7cb58b60a1f9ea69d54bc65de08cbb15ef119736b
Instruction ID: 3621ff63f4683dfc0afae3feec3247e592be42cb1084b4f5304d675301ecb420
Opcode Fuzzy Hash: a81c931836a2097e773c8ba7cb58b60a1f9ea69d54bc65de08cbb15ef119736b
Instruction Fuzzy Hash: 80310D76905159ABEB62DBA4DC88EDE77BDAF64300F1041D1B6C9E2084DBB4DAC4CF60

Function 01005190 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 010032FF: FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 0100331B
Part of subcall function 010032FF: LoadResource.KERNEL32(00000000,00000000), ref: 01003324
Part of subcall function 010032FF: LockResource.KERNEL32(00000000), ref: 0100332B

GetDlgItem.USER32(00000000,00000842), ref: 010051B5
ShowWindow.USER32(00000000), ref: 010051BE
GetDlgItem.USER32(00000841,00000005), ref: 010051CD
ShowWindow.USER32(00000000), ref: 010051D0
FreeResource.KERNEL32(00000000,-00000514,00000000,00000000,00000010,00000000,?,00000000,00000000,00000001,01005A8A,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,0100630E), ref: 0100527C
SendMessageA.USER32(00000FA1,00000000,00000000,-00000514), ref: 010052C3

Strings

*MEMCAB, xrefs: 01005236

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Resource$ItemShowWindow$FindFreeLoadLockMessageSend
String ID: *MEMCAB
API String ID: 3694369891-3211172518
Opcode ID: 0fad6b1f36d8706e582d9ea836248cbf3b7461d3a55a163e58501e177ea86f4c
Instruction ID: 5229d03a171856da93f12892545d0c10a51e3ee78aaa137c78116f6f246e4984
Opcode Fuzzy Hash: 0fad6b1f36d8706e582d9ea836248cbf3b7461d3a55a163e58501e177ea86f4c
Instruction Fuzzy Hash: D931C5347822157AFA33636A9C4AFDB7E9CEF46B61F400014F5C4A90C5D6FA84808BA1

Function 01006A45 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 01006A70
MulDiv.KERNEL32(00000000,00000000,00000400), ref: 01006A8B

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 825da8cf926745c3866bbeb836e8d81481314d09f4b5b7f7c70813e4e2df1b9f
Instruction ID: b1f9c66608a2b67e4be2bbf4eebceb79f2602f57f0fa110e7db973902b5e4614
Opcode Fuzzy Hash: 825da8cf926745c3866bbeb836e8d81481314d09f4b5b7f7c70813e4e2df1b9f
Instruction Fuzzy Hash: E0F0E776D00118BFEF05DF95C844BEEBBBCEF15326F118496AA11A6080DB75A749CFA0

Function 01001AA7 Relevance: 47.4, APIs: 19, Strings: 8, Instructions: 178
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,00000001), ref: 01001B12
wsprintfA.USER32 ref: 01001B3E
RegQueryValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000000,00000000,?), ref: 01001B58
RegCloseKey.ADVAPI32(?), ref: 01001B7E
GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 01001BA3
LoadLibraryA.KERNELBASE(00000000,00000000,00000104,advpack.dll), ref: 01001BBE
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 01001BD4
FreeLibrary.KERNELBASE(?), ref: 01001BEE
GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 01001C00
GetModuleFileNameA.KERNEL32(00000000,00000104), ref: 01001C28
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01001C3E
lstrlenA.KERNEL32(00000000), ref: 01001C49
LocalAlloc.KERNEL32(00000040,00000050), ref: 01001C52
RegCloseKey.ADVAPI32(?), ref: 01001C76
wsprintfA.USER32 ref: 01001CAB
lstrlenA.KERNEL32(00000000), ref: 01001CB5
RegSetValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000001,00000000,00000001), ref: 01001CC9
RegCloseKey.KERNELBASE(?), ref: 01001CD5
LocalFree.KERNEL32(00000000), ref: 01001CDC

Strings

%s /D:%s, xrefs: 01001C9C, 01001CA9
wextract_cleanup%d, xrefs: 01001B38
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01001C38, 01001C3D, 01001CA1
DelNodeRunDLL32, xrefs: 01001BCE
advpack.dll, xrefs: 01001BA5
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 01001C8F
wextract_cleanup0, xrefs: 01001B28, 01001B3D, 01001B51, 01001B84, 01001CBE
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 01001B02

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Closelstrlen$DirectoryFreeLibraryLocalSystemValuewsprintf$AddressAllocCreateFileLoadModuleNameProcQuery
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
API String ID: 3084642846-1709460465
Opcode ID: e8e5f3b3c36c9a9120034c916e34edcf0355e3275c331066bd0ee2a15f0c6816
Instruction ID: cb456183738a0c10edcd6481a0703a1d73204317f046f42922711a87de10383b
Opcode Fuzzy Hash: e8e5f3b3c36c9a9120034c916e34edcf0355e3275c331066bd0ee2a15f0c6816
Instruction Fuzzy Hash: 3351737594021CABEB329B65DD88FEA7BBDEB54700F0000D5F689E6185DBB5CA80CF61

Function 01005ABC Relevance: 40.5, APIs: 11, Strings: 12, Instructions: 274
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(?,0100CAA2,00000000,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01005C87
lstrcmpiA.KERNEL32(?,<None>), ref: 01005C24

Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E6B
Part of subcall function 01002E55: SizeofResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E6F
Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E8B
Part of subcall function 01002E55: LoadResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E8F
Part of subcall function 01002E55: LockResource.KERNEL32(00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E96

lstrcmpiA.KERNEL32(?,<None>), ref: 01005CCA
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 01005D76
FreeLibrary.KERNEL32(00000000), ref: 01005E3E
LocalFree.KERNEL32(?,?,00000044,?,00000104,?,?), ref: 01005E66
LocalFree.KERNEL32(?,00000000,000004C7,00000000,00000000,00000010,00000000,?,00000104,?,?), ref: 01005EB0
FreeLibrary.KERNEL32(00000000,00000000,000004C9,DoInfInstall,00000000,00000010,00000000), ref: 01005EEC
LocalFree.KERNEL32(?,00000000,000004C8,advpack.dll,00000000,00000010,00000000,advpack.dll,?,00000104,?,?), ref: 01005EF8
FreeLibrary.KERNEL32(00000000), ref: 01005F09
LocalFree.KERNEL32(?,?,00000044,?,00000104,?,?), ref: 01005F15

Strings

POSTRUNPROGRAM, xrefs: 01005CA4
ADMQCMD, xrefs: 01005BE3
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01005ACC, 01005DC7
D, xrefs: 01005B54
SHOWWINDOW, xrefs: 01005B6D
REBOOT, xrefs: 01005AF9
DoInfInstall, xrefs: 01005D70, 01005EDB
<None>, xrefs: 01005C18, 01005CBE
advpack.dll, xrefs: 01005D5C, 01005EC5
SeetrolClient, xrefs: 01005DBD
RUNPROGRAM, xrefs: 01005C4C
USRQCMD, xrefs: 01005BF3

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Free$Resource$Local$Library$Findlstrcmpi$AddressLoadLockProcSizeoflstrcpy
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$SeetrolClient$USRQCMD$advpack.dll
API String ID: 770626793-1550765852
Opcode ID: cc61a717c1ac84a9bdfc436f46c8520804baf07a4835fa07c55533f653c16650
Instruction ID: c2c6c5684892b5d7fa573e4d2de66b3b8837dd926b255ab3696fc0a2f468da05
Opcode Fuzzy Hash: cc61a717c1ac84a9bdfc436f46c8520804baf07a4835fa07c55533f653c16650
Instruction Fuzzy Hash: 30B1BF7090025C9EFF779B258D85BEA7BB8AB09304F0041EAE6C9A61C0DBB54EC5CF55

Function 01005F21 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 239
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E6B
Part of subcall function 01002E55: SizeofResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E6F
Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E8B
Part of subcall function 01002E55: LoadResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E8F
Part of subcall function 01002E55: LockResource.KERNEL32(00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E96

LocalAlloc.KERNEL32(00000040,00000001,RUNPROGRAM,00000000,00000000,00000000,00000000), ref: 01005F4E
lstrcmpA.KERNEL32(00000000,<None>,RUNPROGRAM,00000000,00000000), ref: 01005FB2
LocalFree.KERNEL32(00000000), ref: 01005FC6
LocalFree.KERNEL32(00000000,00000000,000004B1,00000000,00000000,00000010,00000000,RUNPROGRAM,00000000,00000000), ref: 01005F9A

Part of subcall function 01003EBE: MessageBoxA.USER32(?,?,SeetrolClient,00000000), ref: 01003F5B

Part of subcall function 01003AA1: GetLastError.KERNEL32(75934B00,01004684), ref: 01003AAA
Part of subcall function 01003AA1: GetLastError.KERNEL32 ref: 01003AB0

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01006035
lstrcpyA.KERNEL32(?,A:\), ref: 0100607B
GetDriveTypeA.KERNEL32(0000005A), ref: 01006083
GetFileAttributesA.KERNEL32(0000005A), ref: 0100609C
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,00000000), ref: 010061AD

Strings

Z, xrefs: 01006194
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 0100602A, 0100602F, 01006042, 0100604C, 01006058, 01006184, 0100618A
A:\, xrefs: 0100606F
msdownld.tmp, xrefs: 0100613A
<None>, xrefs: 01005FAC
RUNPROGRAM, xrefs: 01005F38, 01005F3D, 01005F7F

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Resource$Local$ErrorFindFreeLast$AllocAttributesDirectoryDriveFileLoadLockMessagePathSizeofTempTypeWindowslstrcmplstrcpy
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 535033332-559629209
Opcode ID: e127262e2f1bcea2a5ebb68c1b356512669fdce6c4c8278c0b5bacbb59f5392c
Instruction ID: 567b5bc756c7a10916d387d21bd88499efbec6f747d449020ba67bed0e17c02a
Opcode Fuzzy Hash: e127262e2f1bcea2a5ebb68c1b356512669fdce6c4c8278c0b5bacbb59f5392c
Instruction Fuzzy Hash: 2D71E87064431979FB73E7758C48FEB36AE9F15354F000495FAC5D60C2EABAC9908B60

Function 010053FA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 180
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E6B
Part of subcall function 01002E55: SizeofResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E6F
Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E8B
Part of subcall function 01002E55: LoadResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E8F
Part of subcall function 01002E55: LockResource.KERNEL32(00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E96

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01005485
SetEvent.KERNEL32(00000000,?,00000000), ref: 01005491

Part of subcall function 01002E55: FreeResource.KERNEL32(00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002EBA

CreateMutexA.KERNEL32(00000000,00000001,?,INSTANCECHECK,?,00000104,EXTRACTOPT,0100C494,00000004,?,00000000), ref: 010054FB
GetLastError.KERNEL32(?,00000000), ref: 0100550A
FindResourceA.KERNEL32(?,VERCHECK,0000000A), ref: 010055AB
LoadResource.KERNEL32(?,00000000,?,00000000), ref: 010055BC
#17.COMCTL32(?,00000000), ref: 010055D0
CloseHandle.KERNEL32(00000000,00000524,SeetrolClient,00000000,00000020,00000004,?,00000000), ref: 0100554E

Part of subcall function 01003EBE: MessageBoxA.USER32(?,?,SeetrolClient,00000000), ref: 01003F5B

Strings

TITLE, xrefs: 01005458
EXTRACTOPT, xrefs: 0100549E
VERCHECK, xrefs: 010055A0
INSTANCECHECK, xrefs: 010054C5
SeetrolClient, xrefs: 0100544D, 01005454, 01005524, 01005537

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Resource$Find$CreateEventLoad$CloseErrorFreeHandleLastLockMessageMutexSizeof
String ID: EXTRACTOPT$INSTANCECHECK$SeetrolClient$TITLE$VERCHECK
API String ID: 612345255-3810635328
Opcode ID: f6c6b2c12ee9163bd3a0c4e8a15c053b9e47d95bb065bedeb49e3ab265022f0e
Instruction ID: cbd0a4ee99872fe0b9b450feb2e661f6d2b71e757350258eec7348613e7537f9
Opcode Fuzzy Hash: f6c6b2c12ee9163bd3a0c4e8a15c053b9e47d95bb065bedeb49e3ab265022f0e
Instruction Fuzzy Hash: A05128706403496AF7339B28ED85FEA3A9DEB19745F440195F6C5D61C5CBBA8E80CF20

Function 0100342E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 71
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 01003465
lstrcpyA.KERNEL32(759183C0,?), ref: 01003476

Part of subcall function 010066CF: lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9

RemoveDirectoryA.KERNELBASE(759183C0,759183C0,00000104,?), ref: 0100348D
GetFileAttributesA.KERNELBASE(759183C0), ref: 01003494
CreateDirectoryA.KERNELBASE(759183C0,00000000), ref: 010034B2
GetTempFileNameA.KERNEL32(?,IXP,00000000,759183C0), ref: 010034DD
DeleteFileA.KERNEL32(759183C0), ref: 010034F2
CreateDirectoryA.KERNEL32(759183C0,00000000), ref: 010034FB

Strings

IXP%03d.TMP, xrefs: 0100345F
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01003445
IXP, xrefs: 010034D2

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemplstrcpylstrlenwsprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$IXP$IXP%03d.TMP
API String ID: 2425626272-2659685179
Opcode ID: 909a37eeb0d10a258c43e028ade7052fe929c50dff5c231103c15f598a75b725
Instruction ID: 79b835e8247eab284df87d354388e64f77954c4bc5d13dbb6f938c802c931663
Opcode Fuzzy Hash: 909a37eeb0d10a258c43e028ade7052fe929c50dff5c231103c15f598a75b725
Instruction Fuzzy Hash: 22218035A00218AFE7239F649C45FDE7BB8FF19350F008195F6C5E6184CBB99A848FA1

Function 010044BD Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 64
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(01005392,759183C0,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,?,01005392,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 010044C8
LocalAlloc.KERNEL32(00000040,-00000014,?,01005392,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 010044D6
lstrcpyA.KERNEL32(00000000,01005392,?,01005392,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0100450B
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,00000000,-00000014,TMP4351$.TMP,?,01005392,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0100452D
LocalFree.KERNEL32(00000000,?,01005392,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01004536
CloseHandle.KERNEL32(00000000,?,01005392,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01004542
GetFileAttributesA.KERNELBASE(01005392,?,01005392,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0100454B

Part of subcall function 01003EBE: MessageBoxA.USER32(?,?,SeetrolClient,00000000), ref: 01003F5B

Part of subcall function 01003AA1: GetLastError.KERNEL32(75934B00,01004684), ref: 01003AAA
Part of subcall function 01003AA1: GetLastError.KERNEL32 ref: 01003AB0

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 010044C3
TMP4351$.TMP, xrefs: 01004511

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorFileLastLocal$AllocAttributesCloseCreateFreeHandleMessagelstrcpylstrlen
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$TMP4351$.TMP
API String ID: 3688570051-3104274291
Opcode ID: 57520002fee6ae4235c75deb696dfb0f82a0d2a6da16ad456c8abe4454f22560
Instruction ID: d346d4950023621807eef61a061fb4322b337a095deacce8b095f1f8bab94072
Opcode Fuzzy Hash: 57520002fee6ae4235c75deb696dfb0f82a0d2a6da16ad456c8abe4454f22560
Instruction Fuzzy Hash: 4611CE722002047FF3235B69AC88EAB3E5DEB857A9F014120FBC5E10C5DBBA8C458B64

Function 01003346 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNELBASE(005E5CB8,00000080,?,00000000), ref: 01003387
DeleteFileA.KERNELBASE(005E5CB8,?,00000000), ref: 0100338F
LocalFree.KERNEL32(005E5CB8,?,00000000), ref: 0100339A
LocalFree.KERNEL32(005E5CB8,?,00000000), ref: 0100339D
lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 010033CE
SetCurrentDirectoryA.KERNELBASE(01001344), ref: 010033EE

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 010033C2

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectorylstrcpy
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 2574644873-1193786559
Opcode ID: 72403c605729b33f41dc903b8094f89f79e814846cd34f283f5d5de5f6c18948
Instruction ID: 3d978de08161bdf378add94dce6545b53e49bcfa393c6a6d5fd735a2b26ab47d
Opcode Fuzzy Hash: 72403c605729b33f41dc903b8094f89f79e814846cd34f283f5d5de5f6c18948
Instruction Fuzzy Hash: 0D21D535900215DFFB73EB68E949B9937F8BB04715F0541A5E2C09B284CFBA99C8CB50

Function 01004CAE Relevance: 10.6, APIs: 7, Instructions: 96
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000104,?,00000001,7591F530,00000000), ref: 01004CFB
WaitForSingleObject.KERNEL32(?,000000FF), ref: 01004D0D
GetExitCodeProcess.KERNELBASE(?,?), ref: 01004D20
CloseHandle.KERNEL32(?,?), ref: 01004D67
CloseHandle.KERNEL32(?), ref: 01004D6F
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 01004D9C
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 01004DA9

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: 05cf2146d3cb3a1a994f05930313d047acf105d867eac4180c0c86445154b7ef
Instruction ID: 5a155537b353c9cd57f3a89634c1b274d3be44dcdf0063c1db90bf3a96692e15
Opcode Fuzzy Hash: 05cf2146d3cb3a1a994f05930313d047acf105d867eac4180c0c86445154b7ef
Instruction Fuzzy Hash: 22319275541228BEFB33AB64DC48FEA7BBCEB05310F104196F698D2194CA759D81CF64

Function 010043EC Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 79
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E6B
Part of subcall function 01002E55: SizeofResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E6F
Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E8B
Part of subcall function 01002E55: LoadResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E8F
Part of subcall function 01002E55: LockResource.KERNEL32(00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E96

LocalAlloc.KERNEL32(00000040,00000001,UPROMPT,00000000,00000000,00000000,00000000,?,?,?,01006231), ref: 0100440B
LocalFree.KERNEL32(00000000,00000000,000004B1,00000000,00000000,00000010,00000000,UPROMPT,00000000,?,?,?,?,01006231), ref: 01004452

Part of subcall function 01003EBE: MessageBoxA.USER32(?,?,SeetrolClient,00000000), ref: 01003F5B

Part of subcall function 01003AA1: GetLastError.KERNEL32(75934B00,01004684), ref: 01003AAA
Part of subcall function 01003AA1: GetLastError.KERNEL32 ref: 01003AB0

Strings

UPROMPT, xrefs: 010043F9, 010043FE, 01004437
<None>, xrefs: 01004464

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Resource$ErrorFindLastLocal$AllocFreeLoadLockMessageSizeof
String ID: <None>$UPROMPT
API String ID: 226386726-2980973527
Opcode ID: 5621df78db6fb9bc4c81758bdbf51104c654e0ae191e744358777e9de4287252
Instruction ID: 146d34d373b0198092be5e02ab1a2f1c89f0357a0b6c02c78eefd4d2e1b3e036
Opcode Fuzzy Hash: 5621df78db6fb9bc4c81758bdbf51104c654e0ae191e744358777e9de4287252
Instruction Fuzzy Hash: EF1184B1640790BAF3336B626C89E6B7AACD7C6B55F014018FAC1E50C5EBB989018774

Function 01001A5B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,01003418,?,?,01003418), ref: 01001A7F
RegDeleteValueA.KERNELBASE(01003418,wextract_cleanup0,?,?,01003418), ref: 01001A91
RegCloseKey.ADVAPI32(01003418,?,?,01003418), ref: 01001A9A

Strings

wextract_cleanup0, xrefs: 01001A61, 01001A89
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 01001A75

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
API String ID: 849931509-702805525
Opcode ID: cd9d913e4fd79f3a06ae71b19d601bebc7f3385b073269ceb231d1a8de7b8e18
Instruction ID: 08e6132b78a4405aeda3fa779f53dc0e2de51a409a2e6c94243458a35d58a82b
Opcode Fuzzy Hash: cd9d913e4fd79f3a06ae71b19d601bebc7f3385b073269ceb231d1a8de7b8e18
Instruction Fuzzy Hash: F8E01A34A40248BBF733DB92DD0AF5A7AA9AB04784F500058B281A0095D7B5D901D714

Function 0100645C Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 0100646B: GetSystemTimeAsFileTime.KERNEL32(?), ref: 01006488
Part of subcall function 0100646B: GetCurrentProcessId.KERNEL32 ref: 01006494
Part of subcall function 0100646B: GetCurrentThreadId.KERNEL32 ref: 0100649C
Part of subcall function 0100646B: GetTickCount.KERNEL32 ref: 010064A4
Part of subcall function 0100646B: QueryPerformanceCounter.KERNEL32(?), ref: 010064B0

GetCommandLineA.KERNEL32 ref: 010063E9
GetStartupInfoA.KERNEL32(?), ref: 01006428
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0000000A), ref: 01006443
ExitProcess.KERNEL32 ref: 01006450

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CurrentProcessTime$CommandCountCounterExitFileHandleInfoLineModulePerformanceQueryStartupSystemThreadTick
String ID:
API String ID: 4244892483-0
Opcode ID: 8eca9f7f715971f7e939c949c439528cd9193f0ffc909e1846a034fe0de0fca6
Instruction ID: 28ebec749969a0dba5d051bd69dfa24efec2f660701a2f3e5969e2e7d4d3e92f
Opcode Fuzzy Hash: 8eca9f7f715971f7e939c949c439528cd9193f0ffc909e1846a034fe0de0fca6
Instruction Fuzzy Hash: 7A01B1718043949AFB731FAC8449BF97FEB9F16208F650495E9C1D61C2CAB685E383A1

Function 0100409F Relevance: 6.3, APIs: 5, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000040,00000008,?,00000000,?,?,01005168,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 010040B1
lstrlenA.KERNEL32(01005168,?,00000000,?,?,01005168,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 010040D5
LocalAlloc.KERNEL32(00000040,00000001,?,00000000,?,?,01005168,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 010040DF
LocalFree.KERNEL32(00000000,000004B5,00000000,00000000,00000010,00000000,?,00000000,?,?,01005168,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 010040FD

Part of subcall function 01003EBE: MessageBoxA.USER32(?,?,SeetrolClient,00000000), ref: 01003F5B

lstrcpyA.KERNEL32(00000000,01005168,?,00000000,?,?,01005168,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 0100410B

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Local$Alloc$FreeMessagelstrcpylstrlen
String ID:
API String ID: 3247521446-0
Opcode ID: c08762a5925630561dce2ba68a971d21afc39e1fb6e013559b2dd62ac13e195b
Instruction ID: 484c8a38b1ca8798ae1f4b11a91829ed48787486965810eb3b8ebf67eea7932b
Opcode Fuzzy Hash: c08762a5925630561dce2ba68a971d21afc39e1fb6e013559b2dd62ac13e195b
Instruction Fuzzy Hash: 860188B52402087FF3239F65AC85FABBA5DE754794F008025F7C5D60C4D7B69C504764

Function 0100502E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 01002EFD: lstrlenA.KERNEL32(00000104,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F0D
Part of subcall function 01002EFD: lstrlenA.KERNEL32(?,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F14

SetFileAttributesA.KERNELBASE(?,00000000,?,?,?,?,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 010050D8
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 010050FD

Part of subcall function 010032A1: lstrcpyA.KERNEL32(0100C17C,?,?,?,?,01005180,?), ref: 010032C8
Part of subcall function 010032A1: lstrcpyA.KERNEL32(0100C280,?,?,?,?,01005180,?), ref: 010032D2
Part of subcall function 010032A1: lstrcpyA.KERNEL32(0100C384,?,?,?,?,01005180,?), ref: 010032DC

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 0100508D, 0100510C

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: lstrcpy$lstrlen$AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 1052324692-1193786559
Opcode ID: f19e61d64bcb31124e15a0de3fd3c72425a8ff17acc2b1c39f114b4d5d9fea0a
Instruction ID: 90c2899bc6a778b52ee834594eec5cb3686ca2a893eb7b206c14bf922d2a115a
Opcode Fuzzy Hash: f19e61d64bcb31124e15a0de3fd3c72425a8ff17acc2b1c39f114b4d5d9fea0a
Instruction Fuzzy Hash: E831823650060AAAFB73DB78CD05AEB77E8AB18750F044555BAD5D60C0EE74DA84CFA0

Function 010031EE Relevance: 4.5, APIs: 3, Instructions: 38timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,00000104,00000104), ref: 01003217
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01003229
SetFileTime.KERNELBASE(?,?,?,?), ref: 0100323F

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: a85077572743f2c403f9a8a18ce59d41622f36ce07e64cd569effb84dd5ba5dd
Instruction ID: 40f91eae84c0d30797b84d3855ee905c98267c5d71123f35ca3de860f136514f
Opcode Fuzzy Hash: a85077572743f2c403f9a8a18ce59d41622f36ce07e64cd569effb84dd5ba5dd
Instruction Fuzzy Hash: C8F03C7260011AAFAB22DFA4CD45CFB7BACFA44340F000569B9A6D6095EB31D518CBA0

Function 01001EDF Relevance: 4.5, APIs: 3, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,01004D5B,00000000,00020019,01004D5B,00000000,01004D5B,?,01001FBD,System\CurrentControlSet\Control\Session Manager,PendingFileRenameOperations,?,01001FE6,?,?,01002241), ref: 01001EFD
RegQueryValueExA.KERNELBASE(01004D5B,?,00000000,00000000,00000000,?,?,01001FBD,System\CurrentControlSet\Control\Session Manager,PendingFileRenameOperations,?,01001FE6,?,?,01002241,00000003), ref: 01001F14
RegCloseKey.KERNELBASE(01004D5B,?,01001FBD,System\CurrentControlSet\Control\Session Manager,PendingFileRenameOperations,?,01001FE6,?,?,01002241,00000003,00000000,01002D1B,?,01004D5B,?), ref: 01001F24

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 40f801ecea3a8f97b9f9c960bc3d2ecb8093f2fd098167d5a3c61593dd613369
Instruction ID: 2ca24a09e34f2df9065e4514fbcabbf1d6ca945d8222d5e896961b6e325d8fb3
Opcode Fuzzy Hash: 40f801ecea3a8f97b9f9c960bc3d2ecb8093f2fd098167d5a3c61593dd613369
Instruction Fuzzy Hash: 4DF0B775601128FBEB219F92DD08DDBBE6CEF457A0F108055FD4996110D771DA10DBA0

Function 0100412E Relevance: 3.1, APIs: 2, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000180,80000000,00000000,00000000,00008000,00000080,00000000,00000000,00000000,00000000,?,?,0100427B,00000180,00008000,?), ref: 010041A8
CreateFileA.KERNEL32(00000180,80000000,00000000,00000000,00000003,00000080,00000000,00000180,?,?,0100427B,00000180,00008000,?,?,01004303), ref: 010041CA

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b69cf7712ea0dd325566fc773e9ea564160eeb22ca95d34820805d5e9552cd5a
Instruction ID: ad9754ded69d89190427acfe716f1ac8fe926d72f3e8cb2752d49aa3ea161600
Opcode Fuzzy Hash: b69cf7712ea0dd325566fc773e9ea564160eeb22ca95d34820805d5e9552cd5a
Instruction Fuzzy Hash: 661173B265410CBAFB124E69CC44FEA7BA8EB613A8F148225FB64D61D0C379CD41DB54

Function 010041D8 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(00000180,*MEMCAB,00000000,00000001,?,01004303,*MEMCAB,00008000,00000180,00000000), ref: 01004221

Strings

*MEMCAB, xrefs: 01004219

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: lstrcmp
String ID: *MEMCAB
API String ID: 1534048567-3211172518
Opcode ID: 8d1886825cf7cf1b7fca3806ded3f6736f8ae30cbe39c047e8d4af6a682cd926
Instruction ID: 92061fbbc721102d292826fa71bb98d8294175fcbeac33c2f5b1cd223c837d31
Opcode Fuzzy Hash: 8d1886825cf7cf1b7fca3806ded3f6736f8ae30cbe39c047e8d4af6a682cd926
Instruction Fuzzy Hash: C11175716412049FF7639F18C984AB57B94FB00358F4643E9F6D9CA1E6CBB1C8458B54

Function 01003072 Relevance: 3.0, APIs: 2, Instructions: 47fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01002C91: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 01002CB7
Part of subcall function 01002C91: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 01002CC9
Part of subcall function 01002C91: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 01002CEC

WriteFile.KERNELBASE(?,?,?,00000000), ref: 010030AA

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: 3e01d822541ebd2f5a5feccbb733383a8b69a22151e5f48031294b1a04767e1f
Instruction ID: 5e22b0a0ad35bde250d44ec082465892956c20a04e3cac16195ac4398cecf9f5
Opcode Fuzzy Hash: 3e01d822541ebd2f5a5feccbb733383a8b69a22151e5f48031294b1a04767e1f
Instruction Fuzzy Hash: C00180352012499FE7378F5EDC49B693BAAF780725F044225F6A58A1F4CBB69855CB00

Function 010066CF Relevance: 3.0, APIs: 2, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9
CharPrevA.USER32(00000104,0100C89A,0100C89A,?,01003991,0100C89A,00000104,01001271), ref: 010066F8

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CharPrevlstrlen
String ID:
API String ID: 2709904686-0
Opcode ID: e495bcc581d825eadedbe2fa0249395852abc95ba879f853f598c9e8d998fbc5
Instruction ID: 01c4db8a04a40ec1d325de77efd8d7371b3f1bfb3a4b2ec35a0bf0181df07810
Opcode Fuzzy Hash: e495bcc581d825eadedbe2fa0249395852abc95ba879f853f598c9e8d998fbc5
Instruction Fuzzy Hash: 6EF04F35004185EEF7235B18CC88FAA7FAAAB86210F254089F5D98B191D776A861C775

Function 01004FAF Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 0100672A: GetFileAttributesA.KERNELBASE(010027CD,?,010027CD,?), ref: 01006732

SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,01005130,?,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01005017

Part of subcall function 01004819: FindResourceA.KERNEL32(00000000,?,00000005), ref: 0100482A
Part of subcall function 01004819: LoadResource.KERNEL32(00000000,00000000,?,0100563F,000007D6,00000000,0100189D,00000547,0000083E,?,?,00000000), ref: 01004838
Part of subcall function 01004819: DialogBoxIndirectParamA.USER32(00000000,00000000,?,0000083E,00000547), ref: 01004857
Part of subcall function 01004819: FreeResource.KERNEL32(00000000,?,0100563F,000007D6,00000000,0100189D,00000547,0000083E,?,?,00000000), ref: 01004860

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 2018477427-0
Opcode ID: 15533c963bdbaf2dc0db71d40a62985233d9100adaf64bd12ed8ea99689cfee2
Instruction ID: 29f51442478ac074da39ef7c59ef3f45121b76390a107e31bb9452852c9f7bc5
Opcode Fuzzy Hash: 15533c963bdbaf2dc0db71d40a62985233d9100adaf64bd12ed8ea99689cfee2
Instruction Fuzzy Hash: CDF0C2311513096AF7779B28AC84B6A3AD8EB01764F004166F7C05A0C5DAB64940DF99

Function 010047B3 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 010047D2

Part of subcall function 01003EBE: MessageBoxA.USER32(?,?,SeetrolClient,00000000), ref: 01003F5B

Part of subcall function 01003AA1: GetLastError.KERNEL32(75934B00,01004684), ref: 01003AAA
Part of subcall function 01003AA1: GetLastError.KERNEL32 ref: 01003AB0

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorLast$DirectoryMessageWindows
String ID:
API String ID: 824312211-0
Opcode ID: a63b46b062514857be110c96dae86808175c38fb7f59bc9fdd18efadcea2d857
Instruction ID: fd3234c94b0ccb30078aef88c93f716d7f268c6b22518fee9330ebb3e3fc8867
Opcode Fuzzy Hash: a63b46b062514857be110c96dae86808175c38fb7f59bc9fdd18efadcea2d857
Instruction Fuzzy Hash: E1F08270A403057AF722EB709C46FEA33ACA750700F004460B6C1EB0C1DAB49D848B14

Function 0100672A Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(010027CD,?,010027CD,?), ref: 01006732

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fc34f9762965e922ec69309eca6e6d82ef122b58ec165bd24e8a40cd18f7f548
Instruction ID: fe60699710c37628f3a1ec2a8e4606557de7a92a1d7bfb60a33c4a11166a432d
Opcode Fuzzy Hash: fc34f9762965e922ec69309eca6e6d82ef122b58ec165bd24e8a40cd18f7f548
Instruction Fuzzy Hash: EBC0803301440C6767125575DC098763E46F741374F504720F1BBC41D0DF7BD4A1D150

Function 0100637A Relevance: 1.3, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 010053FA: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01005485
Part of subcall function 010053FA: SetEvent.KERNEL32(00000000,?,00000000), ref: 01005491

CloseHandle.KERNEL32(00000000,00000000,?,?,?,0100644F,00000000), ref: 010063CC

Part of subcall function 01003346: SetFileAttributesA.KERNELBASE(005E5CB8,00000080,?,00000000), ref: 01003387
Part of subcall function 01003346: DeleteFileA.KERNELBASE(005E5CB8,?,00000000), ref: 0100338F
Part of subcall function 01003346: LocalFree.KERNEL32(005E5CB8,?,00000000), ref: 0100339A
Part of subcall function 01003346: LocalFree.KERNEL32(005E5CB8,?,00000000), ref: 0100339D
Part of subcall function 01003346: lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 010033CE
Part of subcall function 01003346: SetCurrentDirectoryA.KERNELBASE(01001344), ref: 010033EE

Part of subcall function 01002251: ExitWindowsEx.USER32(00000002,00000000), ref: 01002296

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: EventFileFreeLocal$AttributesCloseCreateCurrentDeleteDirectoryExitHandleWindowslstrcpy
String ID:
API String ID: 3566781794-0
Opcode ID: 360fb856e433d93ef5c6abbea1fa4c6ea4acfdbb5a2bf550e81dc508a18bc19c
Instruction ID: a0c14d9bb266869afe735ce61a49557cb3a3a2021fce37bd23befcfbf90a69dd
Opcode Fuzzy Hash: 360fb856e433d93ef5c6abbea1fa4c6ea4acfdbb5a2bf550e81dc508a18bc19c
Instruction Fuzzy Hash: A4F0893160061557FB33AFA5E904BDB3BD9EB11361F04D450F9C4A6184CB7BD9748B94

Function 01003108 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,00000000,00000000,?,0100433C,00000000,?,?,?,?,?,00000000), ref: 01003145

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ddf299c9d854a60029591bd0d9130fc256d7a927763a6f5153bdca3c177d8727
Instruction ID: ddcf91d87cb97e1f61d19a99827c2554d1a57a890e9a07dc5fc143585956e2ac
Opcode Fuzzy Hash: ddf299c9d854a60029591bd0d9130fc256d7a927763a6f5153bdca3c177d8727
Instruction Fuzzy Hash: 78F03632501B11EEA3A38F1995405EA7BE5FA84350B110669D5EEC6250DB30E4018B50

Function 01003275 Relevance: 1.3, APIs: 1, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 0100327F

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 7b71b831925a2d90643e7752b1a2709e506846632fe93e76af179d897e7101ca
Instruction ID: 4bb07ebccd0d412d478b25c00f2aeddb319c24c1cf8280db505fbd4cc18ddfdc
Opcode Fuzzy Hash: 7b71b831925a2d90643e7752b1a2709e506846632fe93e76af179d897e7101ca
Instruction Fuzzy Hash: E0B0123214424CB7CB111BD2E809FD53F1DD7C5772F004001F64C05141CAB3D4508791

Function 0100328C Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 01003294

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 551bb148dbce71ccb86f60d786338309b3c648a378d05cbb00bb3c74f7e7c821
Instruction ID: faa09d8b584007b82b20e1d52ea593548f9e5b6d19939489179b90da4771cbc5
Opcode Fuzzy Hash: 551bb148dbce71ccb86f60d786338309b3c648a378d05cbb00bb3c74f7e7c821
Instruction Fuzzy Hash: EAB0123100414CF7CF111B42E8088857F2DD6C0360B004010F48C420118F73D81186A0

Non-executed Functions

Function 01001760 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010016B4: LoadLibraryA.KERNEL32(advapi32.dll,SeetrolClient,00000000,?,?,?,010017A0,?,00000000,?,?,0100561B,?,?,00000000), ref: 010016E6
Part of subcall function 010016B4: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 010016FA
Part of subcall function 010016B4: AllocateAndInitializeSid.ADVAPI32(010017A0,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01001726
Part of subcall function 010016B4: FreeSid.ADVAPI32(?), ref: 0100173A
Part of subcall function 010016B4: FreeLibrary.KERNEL32(?,?,?,?,010017A0,?,00000000,?,?,0100561B,?,?,00000000), ref: 01001743

GetCurrentProcess.KERNEL32(00000008,0100561B,?,00000000,?,?,0100561B,?,?,00000000), ref: 010017AE
OpenProcessToken.ADVAPI32(00000000,?,?,0100561B,?,?,00000000), ref: 010017B5
GetTokenInformation.ADVAPI32(0100561B,00000002,00000000,00000000,?,00000001,?,?,0100561B,?,?,00000000), ref: 010017D5
GetLastError.KERNEL32(?,?,0100561B,?,?,00000000), ref: 010017DF
LocalAlloc.KERNEL32(00000000,?,SeetrolClient,?,?,0100561B,?,?,00000000), ref: 010017F3
GetTokenInformation.ADVAPI32(0100561B,00000002,00000000,?,?,?,?,0100561B,?,?,00000000), ref: 0100180C
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0100561B,?), ref: 01001829
EqualSid.ADVAPI32(00000004,?,?,?,0100561B,?,?,00000000), ref: 0100183F
FreeSid.ADVAPI32(?,?,?,0100561B,?,?,00000000), ref: 01001861
LocalFree.KERNEL32(00000000,?,?,0100561B,?,?,00000000), ref: 01001868
CloseHandle.KERNEL32(0100561B,?,?,0100561B,?,?,00000000), ref: 01001872

Strings

SeetrolClient, xrefs: 010017EE

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID: SeetrolClient
API String ID: 2168512254-1061602984
Opcode ID: f21df1777e37cdd6f0ec34d387a85b1e37b56b33b539e6758f9be16fc240ee8c
Instruction ID: 4672b0472d1bbbfd446eee883f18bb1d65bf3648c25b20912db4fd6b3c782e19
Opcode Fuzzy Hash: f21df1777e37cdd6f0ec34d387a85b1e37b56b33b539e6758f9be16fc240ee8c
Instruction Fuzzy Hash: E0317E71A0024AAFEB22DFA5DC44AEEBBB9EB04344F544465F6C1E2181D775DB04CB60

Function 010019C3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,?,?,0100644F), ref: 010019D2
OpenProcessToken.ADVAPI32(00000000,?,0100644F), ref: 010019D9
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 010019FB
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000), ref: 01001A1A

Strings

SeShutdownPrivilege, xrefs: 010019F5

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 2349140579-3733053543
Opcode ID: c17b7cf3f8bdb7068d93d2025f9cbb3199983dd50f7b35b7e72ddddd59bfcf11
Instruction ID: 6422d8529b1dadd26b9958a069e7ff89d807a817af3ba06e0855e17f5c681b04
Opcode Fuzzy Hash: c17b7cf3f8bdb7068d93d2025f9cbb3199983dd50f7b35b7e72ddddd59bfcf11
Instruction Fuzzy Hash: D9018071642225BAF7329BA24C0DFEB7EACEF46794F000010BA8AE40C5D6B5D640C6F5

Function 0100488C Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 213windowCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00000001,SeetrolClient), ref: 010048C3
MessageBeep.USER32(00000000), ref: 01004AE5
MessageBoxA.USER32(00000000,?,SeetrolClient,?), ref: 01004B67

Strings

3, xrefs: 01004937
SeetrolClient, xrefs: 0100489C, 01004B5F, 01004B97

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$SeetrolClient
API String ID: 2519184315-4008951718
Opcode ID: bbac37c54156140ae347d57a3b35535c524f278f106985dda0b5bbdecba9b7f6
Instruction ID: f0403928f5bfd85afffa019898604f23ae46fd7ae9a1f1be602ae879ebbcfb00
Opcode Fuzzy Hash: bbac37c54156140ae347d57a3b35535c524f278f106985dda0b5bbdecba9b7f6
Instruction Fuzzy Hash: D881AB70A016159EFB739F18C944BEABBF5FF89304F0440E9D6C9D6294E7B19A90CB09

Function 0100646B Relevance: 7.5, APIs: 5, Instructions: 36timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 01006488
GetCurrentProcessId.KERNEL32 ref: 01006494
GetCurrentThreadId.KERNEL32 ref: 0100649C
GetTickCount.KERNEL32 ref: 010064A4
QueryPerformanceCounter.KERNEL32(?), ref: 010064B0

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 1c9a6aecb8a7c21b59f0650fcfd769be0ce501fac9dd4907ed4c08a4f18fdedf
Instruction ID: 54730ea4cddf6389e8530bc477ef8a499c223e9ef8984b798b14dd8bf7ea62bb
Opcode Fuzzy Hash: 1c9a6aecb8a7c21b59f0650fcfd769be0ce501fac9dd4907ed4c08a4f18fdedf
Instruction Fuzzy Hash: 76F0EC76D002189BDB22ABB4D44859FBBF5FF08350F420561E481E7145DB3AE9008B80

Function 010064DE Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00000001), ref: 010065CC
UnhandledExceptionFilter.KERNEL32(?), ref: 010065D6
GetCurrentProcess.KERNEL32(00000502), ref: 010065E1
TerminateProcess.KERNEL32(00000000), ref: 010065E8

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: f1286b280cafa843d75f99a14fc8f82f3d62a7f6c1ba433f05c714c2799dff35
Instruction ID: b59ea808f46e4147d566023df9ea61253988435faf81cc8e47133db2c15ee704
Opcode Fuzzy Hash: f1286b280cafa843d75f99a14fc8f82f3d62a7f6c1ba433f05c714c2799dff35
Instruction Fuzzy Hash: C531AEB9811228DBCB62DF69D9886CDBBB4FF08300F1041EAE90DA7250E7759B80CF44

Function 01002251 Relevance: 1.5, APIs: 1, Instructions: 28shutdownCOMMON

Download Yara Rule

APIs

ExitWindowsEx.USER32(00000002,00000000), ref: 01002296

Part of subcall function 010019C3: GetCurrentProcess.KERNEL32(00000028,?,00000000,?,?,0100644F), ref: 010019D2
Part of subcall function 010019C3: OpenProcessToken.ADVAPI32(00000000,?,0100644F), ref: 010019D9

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID:
API String ID: 2795981589-0
Opcode ID: 420c96242fa3157512202e22d0b8ebdcd833ac1dce7af4aa444d86af65753e98
Instruction ID: e33f48b50889edb50da26cd91ad888bdbb36bf76c4c41118ded2b148f08d8a8c
Opcode Fuzzy Hash: 420c96242fa3157512202e22d0b8ebdcd833ac1dce7af4aa444d86af65753e98
Instruction Fuzzy Hash: 6FE09A70A8434932FAB3A2D59C0EF692A845B62B25F208085FBC8684C2CAF49181815B

Function 01008D30 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e37c8e59d370cba1b79e2833ac6a9557f5172701d9d4ce888899f9a07600e1
Instruction ID: 468bd13540a7a8e1e15fa3d18c9ba0b5a07ae845a61fb176c922dc8a52935b18
Opcode Fuzzy Hash: 69e37c8e59d370cba1b79e2833ac6a9557f5172701d9d4ce888899f9a07600e1
Instruction Fuzzy Hash: 58C16431D082959FDB17CF68C4903EDBBB0BF05318F1986EAD5DAAB282C7755585CB80

Function 010090EF Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c49ecdbbd15c805b817825467e3ab257e7912dc88202fa3f4aac332ab1c103e2
Instruction ID: 870015403e087abe340ce6e05053c73293e887c99825daff4bd9619c2dc303d0
Opcode Fuzzy Hash: c49ecdbbd15c805b817825467e3ab257e7912dc88202fa3f4aac332ab1c103e2
Instruction Fuzzy Hash: F1C16A319082959FDB1BCF68C4946EDBBF0BF05318F1985ADD8D96B283C7749A85C780

Function 010086B0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c78dcb210a7ad195f109f7b530287782e77eddada4df64eab5718b176e0cdd
Instruction ID: 22ffaeb0a6e2a1ef91fd1e6bcc7dbb4869573d8dcfb2b92706c9b6f11e52960c
Opcode Fuzzy Hash: 35c78dcb210a7ad195f109f7b530287782e77eddada4df64eab5718b176e0cdd
Instruction Fuzzy Hash: B7A16131D086959FDB1ACF58C0902EDFBB1BF45314F19C1EED99A6B282C7749A85CB80

Function 010089C7 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45ee8e38ec0de0b5b29df03f3c6728f3e9556d8eccf4768ce62458cc2224ace
Instruction ID: 910b566080ec41b85210969ddc27d27957fafb55222e9db21d2e5af3b8c6c0e3
Opcode Fuzzy Hash: e45ee8e38ec0de0b5b29df03f3c6728f3e9556d8eccf4768ce62458cc2224ace
Instruction Fuzzy Hash: 43B1AA71D086999FDB1BCF18C4946EEBBB1FF45310F18C6AED8965B282C3709685CB90

Function 01009548 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323a3cdd83c66f66d8404e8d91f46b246e9a2df6f3d254d65cf4b776fbde4932
Instruction ID: 560d9e77101a3d54d7f1f1142632cc87a23024190c9beea67a472d2972b10f20
Opcode Fuzzy Hash: 323a3cdd83c66f66d8404e8d91f46b246e9a2df6f3d254d65cf4b776fbde4932
Instruction Fuzzy Hash: 9E911531904556DEEB1BDF69C8847FDB7B0BB04708F5080ABD98DA62C2D7749985CF90

Function 01009982 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc727b130d8a70c901193652c7c29f7f7098ede988ec518b009589487b1a216
Instruction ID: 8d605a23a874b4b4edeec9aa34210230c74d61ef6ff642ff29c991e5017ccf41
Opcode Fuzzy Hash: adc727b130d8a70c901193652c7c29f7f7098ede988ec518b009589487b1a216
Instruction Fuzzy Hash: 55610431B0055A8FEF1ACE6CC4501BEB7A2EFC9354F558469D9E6D7382DA308992CB80

Function 0100359C Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 361stringCOMMON

Download Yara Rule

APIs

CharNextA.USER32(00000000,00000001,SeetrolClient,00000000), ref: 01003601
GetModuleFileNameA.KERNEL32(0100C99E,00000104,00000001,SeetrolClient,00000000), ref: 010036CF
CharUpperA.USER32(?), ref: 01003716
CharUpperA.USER32(-0000004F), ref: 010037A5
lstrcmpiA.KERNEL32(RegServer,?), ref: 01003825
CharUpperA.USER32(?), ref: 01003856
CharUpperA.USER32(-0000004E), ref: 010038BA
lstrlenA.KERNEL32(0000002F), ref: 01003921
CharUpperA.USER32(?,0000002F,?), ref: 01003952
lstrcpyA.KERNEL32(0100C89A,0000002F), ref: 0100397B
lstrlenA.KERNEL32(0000002F), ref: 010039E2
lstrcpyA.KERNEL32(0100CAA2,0000002F,0000002F,?,0000002F,0000005D,0000002F,0000005B), ref: 01003A57
CloseHandle.KERNEL32(00000000), ref: 01003A6E
ExitProcess.KERNEL32 ref: 01003A76

Strings

", xrefs: 010039CB
:, xrefs: 010039BC
RegServer, xrefs: 01003820
-, xrefs: 010036FB
SeetrolClient, xrefs: 010035AD

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Char$Upper$lstrcpylstrlen$CloseExitFileHandleModuleNameNextProcesslstrcmpi
String ID: "$-$:$RegServer$SeetrolClient
API String ID: 497476604-4288489837
Opcode ID: 794e446cbad3e2b7cdf7e932ea0521a881f1aef766460360d9a64afcbe4b84b2
Instruction ID: bb19260d6a52b5aa4d74d53b6b2143bc91a7fcd92ee9301d96aa0320e1ef3d88
Opcode Fuzzy Hash: 794e446cbad3e2b7cdf7e932ea0521a881f1aef766460360d9a64afcbe4b84b2
Instruction Fuzzy Hash: D7D1D271D086959EFB778B2C8D083BA7EE4BB16310F0881D9D5C99E1C5CBB886C58F52

Function 01003EBE Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 150stringmemorywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 01002ECE: LoadStringA.USER32(?,00000001,00000200,LoadString() Error. Could not load string resource.), ref: 01002EEB

MessageBoxA.USER32(?,?,SeetrolClient,00000000), ref: 01003F5B
lstrlenA.KERNEL32(00000000,?,?,00000200,00000001,SeetrolClient,00000000), ref: 01003F7E
lstrlenA.KERNEL32(0000007F), ref: 01003F83
lstrlenA.KERNEL32(00000000), ref: 01003F8E
LocalAlloc.KERNEL32(00000040,00000064), ref: 01003F97
wsprintfA.USER32 ref: 01003FB2
lstrlenA.KERNEL32(0000007F,?,?,00000200,00000001,SeetrolClient,00000000), ref: 01003FC8
lstrlenA.KERNEL32(00000000), ref: 01003FD3
LocalAlloc.KERNEL32(00000040,00000064), ref: 01003FDC
wsprintfA.USER32 ref: 01003FF5
lstrlenA.KERNEL32(00000000,?,?,00000200,00000001,SeetrolClient,00000000), ref: 01004007
LocalAlloc.KERNEL32(00000040,00000001), ref: 01004011
lstrcpyA.KERNEL32(00000000,00000000), ref: 01004029
MessageBeep.USER32(?), ref: 01004032
MessageBoxA.USER32(?,00000000,SeetrolClient,00000000), ref: 01004075
LocalFree.KERNEL32(00000000), ref: 0100407E

Part of subcall function 010068B3: GetVersionExA.KERNEL32(?), ref: 010068FC
Part of subcall function 010068B3: GetSystemMetrics.USER32(0000004A), ref: 01006933
Part of subcall function 010068B3: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 01006959
Part of subcall function 010068B3: RegQueryValueExA.ADVAPI32(?,01001271,00000000,?,?,0000000C,?), ref: 01006983
Part of subcall function 010068B3: RegCloseKey.ADVAPI32(?), ref: 01006991

Strings

LoadString() Error. Could not load string resource., xrefs: 01003EDE
SeetrolClient, xrefs: 01003ED9, 01003F4C, 01004069

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: lstrlen$Local$AllocMessage$wsprintf$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersionlstrcpy
String ID: LoadString() Error. Could not load string resource.$SeetrolClient
API String ID: 374963636-2389519771
Opcode ID: 6e6d68f176d476745e32004f49a78736f7c082e95af37230175d7f171fa7616c
Instruction ID: eea99181f0804644aa289dd1498f83149dc0c4724dca30bca3b9ea1b6c7227c8
Opcode Fuzzy Hash: 6e6d68f176d476745e32004f49a78736f7c082e95af37230175d7f171fa7616c
Instruction Fuzzy Hash: 27518F71900619ABFB23EB64DD49BAB7BB9FF04340F0400A1FAC5E6180DB75DA508F60

Function 01005670 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 185windowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32(000003E8,0100B640,00000200), ref: 010056CB
GetDesktopWindow.USER32 ref: 0100582A
SetWindowTextA.USER32(?,SeetrolClient), ref: 01005840
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 01005859
GetDlgItem.USER32(?,00000836), ref: 01005872
EnableWindow.USER32(00000000), ref: 01005879
EndDialog.USER32(?,00000000), ref: 01005886

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01005755, 0100575A, 01005771, 0100577F, 01005792, 010057AA, 010057B9, 010057C7, 010057CD, 010057FC
SeetrolClient, xrefs: 0100583A

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$SeetrolClient
API String ID: 2418873061-3842203222
Opcode ID: f6f7937e9cd91d14e9f245cb1c978fb973c810cc65cfd23b5cdd07ac11cca86b
Instruction ID: bceac7bff489e274393193b6e50ad7b08821bdc7de2992364884c992066ff592
Opcode Fuzzy Hash: f6f7937e9cd91d14e9f245cb1c978fb973c810cc65cfd23b5cdd07ac11cca86b
Instruction Fuzzy Hash: D151B470240685BAF6731B269C4CFAB3DACEBC6B55F004124BAC5A90C5DBB5CA51CBB4

Function 0100589B Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127threadwindowCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(00000000), ref: 010058DA
EndDialog.USER32(?,?), ref: 010058E6
ResetEvent.KERNEL32 ref: 01005907
SetEvent.KERNEL32(000004B2,01001271,00000000,00000020,00000004), ref: 01005937
GetDesktopWindow.USER32 ref: 0100596E
GetDlgItem.USER32(?,0000083B), ref: 0100599E
SendMessageA.USER32(00000000,?,?,00000000), ref: 010059A7
GetDlgItem.USER32(?,0000083B), ref: 010059B9
SendMessageA.USER32(00000000,?,?,00000000), ref: 010059BC
SetWindowTextA.USER32(?,SeetrolClient), ref: 010059CA
CreateThread.KERNEL32(00000000,00000000,Function_00005190,00000000,00000000,0100BA48), ref: 010059DE
EndDialog.USER32(?,00000000), ref: 010059FF
EndDialog.USER32(?,00000000), ref: 01005A24

Strings

SeetrolClient, xrefs: 010059C4

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Dialog$EventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: SeetrolClient
API String ID: 2636921890-1061602984
Opcode ID: d3500fe9f7f5db743cd9965e837850aa1de798782591f39a44d4ee80d603ffb1
Instruction ID: 15f982f993cd47813f1b622385cc2ed99f85bd15372d9b845fe613da468a2202
Opcode Fuzzy Hash: d3500fe9f7f5db743cd9965e837850aa1de798782591f39a44d4ee80d603ffb1
Instruction Fuzzy Hash: 4C41B135500325BBEB335B689C49EAF3EA8EB4BB61F004111F6C5A50D9C7BA8951CF90

Function 01004E73 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 110libraryloaderstringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,0100B640,0100B338,?), ref: 01004E83
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 01004EA4
GetProcAddress.KERNEL32(00000000,000000C3), ref: 01004EB7
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 01004ECA
GetTempPathA.KERNEL32(00000104,0100BA80), ref: 01004EEA
lstrlenA.KERNEL32(0100BA80), ref: 01004EF1
CharPrevA.USER32(0100BA80,00000000), ref: 01004F01
CharPrevA.USER32(0100BA80,00000000), ref: 01004F0D
lstrcpyA.KERNEL32(?,0100BA80), ref: 01004F5E
FreeLibrary.KERNEL32(?), ref: 01004F6D
FreeLibrary.KERNEL32(00000000), ref: 01004F7D

Strings

SHELL32.DLL, xrefs: 01004E7E
SHBrowseForFolder, xrefs: 01004E9E
SHGetPathFromIDList, xrefs: 01004EC4

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemplstrcpylstrlen
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 2439948570-1731843650
Opcode ID: 2e9765e9f73174fdabd9105ff3870c025ec8e8cc93456301d0d3cae1497260b0
Instruction ID: fe0e6358b7e97da39a092ede048a89c2912f00ab584277418b1ac7d42fbd63d6
Opcode Fuzzy Hash: 2e9765e9f73174fdabd9105ff3870c025ec8e8cc93456301d0d3cae1497260b0
Instruction Fuzzy Hash: 9B318CB1905258BFEB139FA5CC88DFEBFB8EB49340F144069F684E6280C7758941CBA4

Function 010022AC Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 105registrystringCOMMON

Download Yara Rule

APIs

CharUpperA.USER32(0000F5B0,?,00000085,00000000), ref: 010022E0
CharNextA.USER32(?), ref: 010022EF
CharNextA.USER32(00000000), ref: 010022F2
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,00000104,00000000), ref: 0100234D
RegQueryValueExA.ADVAPI32(?,01001271,00000000,?,-00000004,?), ref: 01002377
ExpandEnvironmentStringsA.KERNEL32(-00000004,?,00000104), ref: 01002393
RegCloseKey.ADVAPI32(?), ref: 010023C8
lstrcpyA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 0100231F

Part of subcall function 010066CF: lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9

GetWindowsDirectoryA.KERNEL32(-00000004,0000054D), ref: 010023D4
GetSystemDirectoryA.KERNEL32(-00000004,0000054D), ref: 010023E0

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 01002308

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindowslstrcpylstrlen
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2880253981-2428544900
Opcode ID: 7336e8143879b37cb86321436bf8a53eaa814517ff0876aac997468360ad53a5
Instruction ID: 1ad0f1247c1ed9861ce20e69da4a43a8ce288dfb09bb26ecbceeb403ef27fb39
Opcode Fuzzy Hash: 7336e8143879b37cb86321436bf8a53eaa814517ff0876aac997468360ad53a5
Instruction Fuzzy Hash: D7314A75904218AFEF239B64DC49FEE7BBDAF15310F008095F6C5E2081DBB99A948F61

Function 01001CF4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 82registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000000), ref: 01001D2D
RegQueryValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000000,?,?,7591F530), ref: 01001D62
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 01001D92
wsprintfA.USER32 ref: 01001DC6
lstrlenA.KERNEL32(?), ref: 01001DD6
RegSetValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000001,?,00000001), ref: 01001DEF

Part of subcall function 010066CF: lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9

RegCloseKey.ADVAPI32(?), ref: 01001DFC

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01001DAE
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 01001DC0
wextract_cleanup0, xrefs: 01001D07, 01001D4C, 01001D51, 01001DE8
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 01001D23

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Valuelstrlen$CloseDirectoryOpenQuerySystemwsprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
API String ID: 2431697979-2874043782
Opcode ID: 7ccf2c186cec699dfa9e19b335666aea46083c7a505e779869d620471afed035
Instruction ID: ab331a59c0f7b6da72724869899c66218a158f7d6afaae21f27dd4f7a2236e07
Opcode Fuzzy Hash: 7ccf2c186cec699dfa9e19b335666aea46083c7a505e779869d620471afed035
Instruction Fuzzy Hash: 81210175A00258ABEB33DB55DC49EDE7BBDEB44740F0000A9F689E6045DAB5EB84CB60

Function 01003AC7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 83stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 01003AFB
FindResourceA.KERNEL32(00000000,?,0000000A), ref: 01003B07
LoadResource.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,PACKINSTSPACE,0100C498), ref: 01003B1C
LockResource.KERNEL32(00000000,?,?,?,?,?,PACKINSTSPACE,0100C498), ref: 01003B23
lstrlenA.KERNEL32(00000008,?,?,?,?,?,PACKINSTSPACE,0100C498), ref: 01003B3E
FreeResource.KERNEL32(00000000,?,?,?,?,?,PACKINSTSPACE,0100C498), ref: 01003B58
wsprintfA.USER32 ref: 01003B6D
FindResourceA.KERNEL32(00000000,?,0000000A), ref: 01003B7A
FreeResource.KERNEL32(00000000,?,?,?,?,?,PACKINSTSPACE,0100C498), ref: 01003B99

Strings

UPDFILE%lu, xrefs: 01003AEB, 01003B67

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Resource$FindFreewsprintf$LoadLocklstrlen
String ID: UPDFILE%lu
API String ID: 3821519360-2329316264
Opcode ID: 576a9d2a41689e10918246a17bc41e24b95d99357cd218a458b2db2c03cc483b
Instruction ID: c1f926839f5bccd6bd9dba539fb315616eac7d52b92b8f90cc2973ba09a331c2
Opcode Fuzzy Hash: 576a9d2a41689e10918246a17bc41e24b95d99357cd218a458b2db2c03cc483b
Instruction Fuzzy Hash: 39313E76A00609EFEB22DFA5D848EEEBBB9FB48705F004019F685E7140D77A9501CFA1

Function 01002410 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 0100256C

Part of subcall function 010022AC: CharUpperA.USER32(0000F5B0,?,00000085,00000000), ref: 010022E0
Part of subcall function 010022AC: CharNextA.USER32(?), ref: 010022EF
Part of subcall function 010022AC: CharNextA.USER32(00000000), ref: 010022F2
Part of subcall function 010022AC: lstrcpyA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 0100231F
Part of subcall function 010022AC: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,00000104,00000000), ref: 0100234D
Part of subcall function 010022AC: RegQueryValueExA.ADVAPI32(?,01001271,00000000,?,-00000004,?), ref: 01002377
Part of subcall function 010022AC: ExpandEnvironmentStringsA.KERNEL32(-00000004,?,00000104), ref: 01002393
Part of subcall function 010022AC: RegCloseKey.ADVAPI32(?), ref: 010023C8

GetFileVersionInfoSizeA.VERSION(00000001,?,00000001,?,?,0000054D,-00000004,?,?,00000104,?,?,?,?,?,?), ref: 01002470
GlobalAlloc.KERNEL32(00000042,00000000,0000003C,?,0000003C,?,?,00000001,?,00000001,?,?,0000054D,-00000004,?,?), ref: 01002483
GlobalLock.KERNEL32(00000000), ref: 01002495
GetFileVersionInfoA.VERSION(0000003C,?,?,00000000), ref: 010024AF
VerQueryValueA.VERSION(00000000,010012E8,0000003C,0000003C,0000003C,?,?,00000000), ref: 010024C6
GlobalUnlock.KERNEL32(00000000), ref: 0100252D
GlobalUnlock.KERNEL32(00000000), ref: 0100257C

Strings

<, xrefs: 01002544

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Global$Char$FileInfoNextQueryUnlockValueVersion$AllocCloseEnvironmentExpandFreeLockOpenSizeStringsUpperlstrcpy
String ID: <
API String ID: 1180996843-4251816714
Opcode ID: a61b42028a78b6719a84272888b5fabe7deeadf3e4bb080be80df957aa7dc6f8
Instruction ID: 538557d1a956e60c55ac0e275cb9440454b828f686c89056c6c9e8496247c2c4
Opcode Fuzzy Hash: a61b42028a78b6719a84272888b5fabe7deeadf3e4bb080be80df957aa7dc6f8
Instruction Fuzzy Hash: AA41837190020AEFEF12CF98C898AEDBBF5FF04305F104069EA85A2191D776DA45CF64

Function 01002589 Relevance: 15.1, APIs: 10, Instructions: 99stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,00000104,?,00000400), ref: 010025D0
IsDBCSLeadByte.KERNEL32(00000000,00000000), ref: 010025EA
CharNextA.USER32(00000400), ref: 01002608
CharUpperA.USER32(00000000), ref: 01002614
lstrlenA.KERNEL32(?,?), ref: 01002631
CharPrevA.USER32(?,?), ref: 01002642
CharUpperA.USER32(00000000), ref: 0100265A
lstrlenA.KERNEL32(?,?,00000000,00000400,?,?), ref: 01002682
CharNextA.USER32(?), ref: 0100268E
CharNextA.USER32(00000400), ref: 01002697

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Char$Next$Upperlstrlen$ByteFileLeadModuleNamePrev
String ID:
API String ID: 3967807161-0
Opcode ID: a820073371754dc5eeb8d23f47868028148f50acb9d5e774029aed37092d399e
Instruction ID: eaaee00f3e00e4901544a9c651e5066a5a093bae46e09448390e21310fb16754
Opcode Fuzzy Hash: a820073371754dc5eeb8d23f47868028148f50acb9d5e774029aed37092d399e
Instruction Fuzzy Hash: F9317A75804285AEEB739F68CC48BEABFEDAF1A300F140595E5C4D3281DB798981CF61

Function 01003D57 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 01003D8E
GetDesktopWindow.USER32 ref: 01003D9E
SetDlgItemTextA.USER32(?,00000834,?), ref: 01003DBB
SetWindowTextA.USER32(?,SeetrolClient), ref: 01003DC7
SetForegroundWindow.USER32(?), ref: 01003DCE
GetDlgItem.USER32(?,00000834), ref: 01003DDB
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 01003E08

Strings

SeetrolClient, xrefs: 01003DC1

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ItemWindow$Text$DesktopDialogForegroundMessageSend
String ID: SeetrolClient
API String ID: 3995847246-1061602984
Opcode ID: 514f40a5a9973e196b7822fc54060a0ee6dd35ba8ddd69d8be9c4b3aeee3cfc4
Instruction ID: 2a05d3dcf79b5e367ffb0c494342458d3375fcf2b230eec5ab74aad8adfe7076
Opcode Fuzzy Hash: 514f40a5a9973e196b7822fc54060a0ee6dd35ba8ddd69d8be9c4b3aeee3cfc4
Instruction Fuzzy Hash: 3F118F35104245AFFB336FA4EC0CFBA3AA8F745B11F00061AF9D5990C5CBB99591DB90

Function 010016B4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 63librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,SeetrolClient,00000000,?,?,?,010017A0,?,00000000,?,?,0100561B,?,?,00000000), ref: 010016E6
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 010016FA
AllocateAndInitializeSid.ADVAPI32(010017A0,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01001726
FreeSid.ADVAPI32(?), ref: 0100173A
FreeLibrary.KERNEL32(?,?,?,?,010017A0,?,00000000,?,?,0100561B,?,?,00000000), ref: 01001743

Strings

CheckTokenMembership, xrefs: 010016F4
advapi32.dll, xrefs: 010016C8
SeetrolClient, xrefs: 010016C4

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$SeetrolClient$advapi32.dll
API String ID: 4204503880-3412569707
Opcode ID: 80048a897bbb716bc6edda70627e0e87ab6d0b634674ff9098072ab894aeef90
Instruction ID: 7f32255cd53d54b6266d59a01a2c9f788efc2b6a55c7d064e1075484334130e5
Opcode Fuzzy Hash: 80048a897bbb716bc6edda70627e0e87ab6d0b634674ff9098072ab894aeef90
Instruction Fuzzy Hash: 63116072A00289AFDB12DFE9D888ADEBFB9FB14340F444059F285E3181C7759A00CB65

Function 01002E55 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E6B
SizeofResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E6F
FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E8B
LoadResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E8F
LockResource.KERNEL32(00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E96
FreeResource.KERNEL32(00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002EBA

Strings

SeetrolClient, xrefs: 01002E5B

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeof
String ID: SeetrolClient
API String ID: 468261009-1061602984
Opcode ID: 7090d6fbcbd5b277e53ff8aa31aa3d5f4a0baf2b3be01dcc482b1e99473e37a0
Instruction ID: c58e523c2e5cc4a020a6dc9083853665ab900ca59998c1429a4b95f367ba78fb
Opcode Fuzzy Hash: 7090d6fbcbd5b277e53ff8aa31aa3d5f4a0baf2b3be01dcc482b1e99473e37a0
Instruction Fuzzy Hash: 8F01F231300188BBEB239BA5EC88C7F7BAAEBC5761F144019FA85C3280C6768C01DB61

Function 01003E28 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 01003E65
GetDesktopWindow.USER32 ref: 01003E6F
SetWindowTextA.USER32(?,SeetrolClient), ref: 01003E85
SetDlgItemTextA.USER32(?,00000838), ref: 01003E97
SetForegroundWindow.USER32(?), ref: 01003E9E
EndDialog.USER32(?,00000002), ref: 01003EAB

Strings

SeetrolClient, xrefs: 01003E7F

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: SeetrolClient
API String ID: 852535152-1061602984
Opcode ID: c58225de05bf9ddd7557f29e4dd6395625a24e078d1bf0613a1e21eb476cea98
Instruction ID: bbd0fe0418d4f9b27c80c161e9fa2716d7c3f6b950bf98ca077586a846113f40
Opcode Fuzzy Hash: c58225de05bf9ddd7557f29e4dd6395625a24e078d1bf0613a1e21eb476cea98
Instruction Fuzzy Hash: FF01BC31500195AFEB635BA8D808DAE7AA8FB09751F008610FAC2DA1C5CB79CE51CB90

Function 01002EFD Relevance: 12.0, APIs: 8, Instructions: 43stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000104,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F0D
lstrlenA.KERNEL32(?,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F14
lstrcpyA.KERNEL32(?,00000104,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F2A
lstrlenA.KERNEL32(?,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F31
lstrlenA.KERNEL32(?,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F3B
lstrlenA.KERNEL32(?,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F45
lstrlenA.KERNEL32(?,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F4C
lstrcatA.KERNEL32(?,?,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F57

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: lstrlen$lstrcatlstrcpy
String ID:
API String ID: 2414487701-0
Opcode ID: bec1684d548f7f7a66b2a209a78056a6def03e0851b026678931160fd0f5e77e
Instruction ID: 3391c5307bafe4b116acb0d74c5fe46b65c44dc66db5e5de76f5420f3b77b05f
Opcode Fuzzy Hash: bec1684d548f7f7a66b2a209a78056a6def03e0851b026678931160fd0f5e77e
Instruction Fuzzy Hash: BB01A73150829ABEE7139F65DC0CE7F3FE99F85294F044079F58482051CB75D4159BA1

Function 01002D83 Relevance: 10.6, APIs: 7, Instructions: 85COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01002D9B
GetWindowRect.USER32(?,?), ref: 01002DB0
GetDC.USER32(?), ref: 01002DC4
GetDeviceCaps.GDI32(00000000,00000008), ref: 01002DD0
GetDeviceCaps.GDI32(?,0000000A), ref: 01002DDE
ReleaseDC.USER32(?,?), ref: 01002DED
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005), ref: 01002E43

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: e87303e51a87c1f3fcc5427d586fd06ff29c73153c48b8601ce90fe903ab1556
Instruction ID: 967cba225b93383e2e60847015f29d3632c184523d341bb7e68964bb8c44351d
Opcode Fuzzy Hash: e87303e51a87c1f3fcc5427d586fd06ff29c73153c48b8601ce90fe903ab1556
Instruction Fuzzy Hash: 6C215932A0010AAFDF12CFBDCD889EEBBBAEB88300F008125F945E7254D675ED058B50

Function 01004BC8 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E6B
Part of subcall function 01002E55: SizeofResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E6F
Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E8B
Part of subcall function 01002E55: LoadResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E8F
Part of subcall function 01002E55: LockResource.KERNEL32(00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E96

LocalAlloc.KERNEL32(00000040,00000001,LICENSE,00000000,00000000,00000000,00000000,?,01006243), ref: 01004BE4
LocalFree.KERNEL32(00000000,000004B1,00000000,00000000,00000010,00000000,LICENSE,00000000,00000000,?,01006243), ref: 01004C31

Part of subcall function 01003EBE: MessageBoxA.USER32(?,?,SeetrolClient,00000000), ref: 01003F5B

Part of subcall function 01003AA1: GetLastError.KERNEL32(75934B00,01004684), ref: 01003AAA
Part of subcall function 01003AA1: GetLastError.KERNEL32 ref: 01003AB0

LocalFree.KERNEL32(?,01006243), ref: 01004C96

Strings

<None>, xrefs: 01004C43
LICENSE, xrefs: 01004BD1, 01004BD6, 01004C11

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Resource$Local$ErrorFindFreeLast$AllocLoadLockMessageSizeof
String ID: <None>$LICENSE
API String ID: 3899723493-383193767
Opcode ID: 3140a8c6986b73699dba44496860a3482616c9b38ac50fdff47bd2feae5b0e45
Instruction ID: 9697d7adc24e1ebcf24a66d17cc2c8ea39a979045a2e6bc1bc079e37bfc5c796
Opcode Fuzzy Hash: 3140a8c6986b73699dba44496860a3482616c9b38ac50fdff47bd2feae5b0e45
Instruction Fuzzy Hash: 1811B471240695BEF3735B22AD48D6B3AADE7C2B10F004159F6C5D50D8DBBA4801CB34

Function 010068B3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71registryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?), ref: 010068FC
GetSystemMetrics.USER32(0000004A), ref: 01006933
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 01006959
RegQueryValueExA.ADVAPI32(?,01001271,00000000,?,?,0000000C,?), ref: 01006983
RegCloseKey.ADVAPI32(?), ref: 01006991

Part of subcall function 0100678F: CharNextA.USER32(010069AC,00000000,?,010069AC,?,00000000), ref: 010067CC

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 0100694F

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: cfd22d1cb8363d992addf5a965baf5ad3a7f3b3c896125044328321e3dcf038f
Instruction ID: 5c6acbc3d5fc57845e32ec3dff29f7de8e8621ecf2eb8ce39a92ab546f5c8395
Opcode Fuzzy Hash: cfd22d1cb8363d992addf5a965baf5ad3a7f3b3c896125044328321e3dcf038f
Instruction Fuzzy Hash: 34215E75A00328EFFF72CB54D948BDA77BDBB05315F0040EAE588A5085DB768A94CF12

Function 01001E53 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000), ref: 01001E77

Part of subcall function 010066CF: lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 01001E9D
_lopen.KERNEL32(?,00000040), ref: 01001EAC
_llseek.KERNEL32(00000000,00000000,00000002), ref: 01001EBD
_lclose.KERNEL32(00000000), ref: 01001EC6

Strings

wininit.ini, xrefs: 01001E81

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopenlstrlen
String ID: wininit.ini
API String ID: 979776028-4206010578
Opcode ID: 37f4b3d508ecab28613d6a97bb6e1095e4a2a3c7db2d8278c91ef0a9ab821e8d
Instruction ID: 18cd7f1609499ba71430b944770d53967596a73aa7aa202a5c8f43e0c2a69e76
Opcode Fuzzy Hash: 37f4b3d508ecab28613d6a97bb6e1095e4a2a3c7db2d8278c91ef0a9ab821e8d
Instruction Fuzzy Hash: 9701D476A00154ABE721EB65DC4CEDF3BBC9F85310F040065F6C4E31C0DAB8DA858B60

Function 01004DE5 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E6B
Part of subcall function 01002E55: SizeofResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E6F
Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E8B
Part of subcall function 01002E55: LoadResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E8F
Part of subcall function 01002E55: LockResource.KERNEL32(00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E96

LocalAlloc.KERNEL32(00000040,00000001,FINISHMSG,00000000,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,01006365), ref: 01004E05
LocalFree.KERNEL32(?,?,?,01006365), ref: 01004E63

Part of subcall function 01003EBE: MessageBoxA.USER32(?,?,SeetrolClient,00000000), ref: 01003F5B

Strings

FINISHMSG, xrefs: 01004DF2, 01004DF7, 01004E26
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01004DEB
<None>, xrefs: 01004E3C

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Resource$FindLocal$AllocFreeLoadLockMessageSizeof
String ID: <None>$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$FINISHMSG
API String ID: 1166655539-3079344904
Opcode ID: 945af8c2f13a4e2e23c29a060e4326b8cf96b2cec21a05c610d2a029f1db482c
Instruction ID: b86749c0676bc5709347cbb2394c06ae2176a12615ce74ff3a29be4193e97ba7
Opcode Fuzzy Hash: 945af8c2f13a4e2e23c29a060e4326b8cf96b2cec21a05c610d2a029f1db482c
Instruction Fuzzy Hash: 4E01BC712402C4BAF7236A539D49FAFBE7DDBC2F44F000059B780E50C1D6B58D009278

Function 01003BF2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62filestringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003C2C

Part of subcall function 010066CF: lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000104,?), ref: 01003C5A
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 01003C86
CloseHandle.KERNEL32(00000000), ref: 01003CAC

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01003C0E

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: File$CloseCreateHandleWritelstrcpylstrlen
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 3630773104-1193786559
Opcode ID: 71a52d343370c3aad0e8bea5e8c7a1ee89124c22f7d04e4a93e1b4e400077d81
Instruction ID: ed493f8371116e651799eec5aa4685a96e44dd350d2c3c94e76b10785d47f5b1
Opcode Fuzzy Hash: 71a52d343370c3aad0e8bea5e8c7a1ee89124c22f7d04e4a93e1b4e400077d81
Instruction Fuzzy Hash: 7D216F75900118ABD722CF56DC88EDA7BB8EB49320F004595F6C9D7180C7B99AC4CFA0

Function 01004819 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,?,00000005), ref: 0100482A
LoadResource.KERNEL32(00000000,00000000,?,0100563F,000007D6,00000000,0100189D,00000547,0000083E,?,?,00000000), ref: 01004838
DialogBoxIndirectParamA.USER32(00000000,00000000,?,0000083E,00000547), ref: 01004857
FreeResource.KERNEL32(00000000,?,0100563F,000007D6,00000000,0100189D,00000547,0000083E,?,?,00000000), ref: 01004860

Strings

SeetrolClient, xrefs: 0100481F

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID: SeetrolClient
API String ID: 1214682469-1061602984
Opcode ID: b0a883f33820150622e98825acaf097b5103d0973a58d13b59254d27bc385b11
Instruction ID: 4d497d838b3866ab934e730ea3745aad8ad4903298c19d052a2ed601619586ec
Opcode Fuzzy Hash: b0a883f33820150622e98825acaf097b5103d0973a58d13b59254d27bc385b11
Instruction Fuzzy Hash: 3601A2321001AABFEB225FA5AC88CEF7A9DDB85364F010425FB90E3081C6759D10CBE4

Function 01003CCC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37librarystringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,7591F530), ref: 01003CEF

Part of subcall function 010066CF: lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9

GetFileAttributesA.KERNEL32(?,?,00000104,?), ref: 01003D0E
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 01003D28
LoadLibraryA.KERNEL32(?), ref: 01003D31

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01003CE3

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: LibraryLoad$AttributesFilelstrcpylstrlen
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 2749481120-1193786559
Opcode ID: efb49a3551e82d2aca852d6b8404bb15e5416ed9f694a26cd63d4ca69129f5e9
Instruction ID: f105a43693de67f3e081fcb7c5b90bd09891202ca5bc0fd204553d5dc91105a1
Opcode Fuzzy Hash: efb49a3551e82d2aca852d6b8404bb15e5416ed9f694a26cd63d4ca69129f5e9
Instruction Fuzzy Hash: B6F0A435904118ABEB22EBA4D808FDD377CAB14310F404481F6C5E71C0DFB8EA848B50

Function 0100189D Relevance: 7.5, APIs: 5, Instructions: 48windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,0000083E), ref: 010018DB
GetDesktopWindow.USER32 ref: 010018E3
LoadStringA.USER32(?,?,00000200,?), ref: 0100190C
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 0100191F
MessageBeep.USER32(000000FF), ref: 01001927

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: 1fe746244ab481732cb78edc130a925beaacb107ba713200566c6f0ccbcc287c
Instruction ID: 55a0027b7669814cd1c96741612cb7e7f9a1a0a3dd5ed6c48cccf5beb83447b2
Opcode Fuzzy Hash: 1fe746244ab481732cb78edc130a925beaacb107ba713200566c6f0ccbcc287c
Instruction Fuzzy Hash: 8101217150025AEFEB23EF64D908AEE3BA8FB08311F044150F6A5D21C5CB79DB60CBA5

Function 01006666 Relevance: 7.5, APIs: 5, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0100262A,?,00000000,75920440,?,?,0100262A), ref: 01006677
CharPrevA.USER32(0100262A,00000000,?,?,0100262A), ref: 01006687
CharPrevA.USER32(0100262A,00000000,?,?,0100262A), ref: 01006693
CharPrevA.USER32(0100262A,00000000,?,?,0100262A), ref: 010066A6
CharNextA.USER32(00000000,?,?,0100262A), ref: 010066AE

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Char$Prev$Nextlstrlen
String ID:
API String ID: 295585802-0
Opcode ID: 915a4317a53b45c8286c77a7661bcefff6abe53e7f04113f2cfc660fb61b7cd7
Instruction ID: e6858c63049694c3117230d93b982ded723c412c4e62408bc78f3259928df5ea
Opcode Fuzzy Hash: 915a4317a53b45c8286c77a7661bcefff6abe53e7f04113f2cfc660fb61b7cd7
Instruction Fuzzy Hash: E8F0D1B2900284BFF7228B69CC88F5F7FEDDB893A4F140095E58193182C77A99108B75

Function 010032FF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E6B
Part of subcall function 01002E55: SizeofResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E6F
Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E8B
Part of subcall function 01002E55: LoadResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E8F
Part of subcall function 01002E55: LockResource.KERNEL32(00000000,?,0100546E,TITLE,SeetrolClient,0000007F,?,00000000), ref: 01002E96

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 0100331B
LoadResource.KERNEL32(00000000,00000000), ref: 01003324
LockResource.KERNEL32(00000000), ref: 0100332B

Strings

CABINET, xrefs: 01003306, 0100330B, 01003313

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Resource$Find$LoadLock$Sizeof
String ID: CABINET
API String ID: 1933721802-1940454314
Opcode ID: 1692d02a55cbc160416827321246fe4b7eec14d249b88bc8613a2a7260353126
Instruction ID: cc1630d2f2e1415729ed085009dd32ef9f31af51343d2801e4429469f1343b9d
Opcode Fuzzy Hash: 1692d02a55cbc160416827321246fe4b7eec14d249b88bc8613a2a7260353126
Instruction Fuzzy Hash: 89E08675B417506BF33267B16C1DF873E5C9B05711F040015F386DA1C4C6F98400C751

Function 01002C91 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 01002CB7
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 01002CC9
DispatchMessageA.USER32(?), ref: 01002CDE
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 01002CEC

Memory Dump Source

Source File: 00000000.00000002.2109196404.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2109178075.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109215525.000000000100B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109233445.000000000100D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: ecb5dbb63d15ec62f86b3f7d67ae0d9b5a0ddad4c8e295c16c05b27f8062ba49
Instruction ID: 39c073168b69b8e79244012e034678836bc036e0dc16367505055d994280760c
Opcode Fuzzy Hash: ecb5dbb63d15ec62f86b3f7d67ae0d9b5a0ddad4c8e295c16c05b27f8062ba49
Instruction Fuzzy Hash: 2301447290011DBAAF318BDA9D48DEF7AFCEAC5754F14016AFA51E2084D535D905C770

Analysis Process: ClientRun.exePID: 6348, Parent PID: 1436COMMON

Execution Graph

Execution Coverage:	17.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.6%
Total number of Nodes:	1941
Total number of Limit Nodes:	43

Executed Functions

Function 004012C0 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 121
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 004012F7
GetCurrentProcess.KERNEL32(00000028,?,?), ref: 00401306
OpenProcessToken.ADVAPI32(00000000), ref: 0040130D
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0040132B

Part of subcall function 00401210: AdjustTokenPrivileges.KERNELBASE ref: 00401254
Part of subcall function 00401210: GetLastError.KERNEL32 ref: 0040125C

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401353
Process32First.KERNEL32 ref: 00401375
CloseHandle.KERNEL32(00000000), ref: 0040140A

Part of subcall function 00402420: _vswprintf_s.LIBCMT ref: 00402430

Part of subcall function 00402635: __mbscmp_l.LIBCMT ref: 00402642

OpenProcess.KERNEL32(00000001,00000000,?,00000000,?,00000002,00000000), ref: 004013CB
GetLastError.KERNEL32 ref: 004013CF
TerminateProcess.KERNEL32(00000000,000000FF), ref: 004013DC
CloseHandle.KERNEL32(00000000), ref: 004013DF
Sleep.KERNEL32(0000001E), ref: 004013E7
OutputDebugStringA.KERNEL32(OpenProcess error!), ref: 004013F0
Process32Next.KERNEL32(00000000,?), ref: 00401400
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00401420
CloseHandle.KERNEL32(?), ref: 0040143D

Strings

OpenProcess error!, xrefs: 004013EB
SeDebugPrivilege, xrefs: 00401324, 00401419

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: Process$CloseHandle$ErrorLastLookupOpenPrivilegeProcess32TokenValue$AdjustCreateCurrentDebugFirstNextOutputPrivilegesSleepSnapshotStringTerminateToolhelp32__mbscmp_l_memset_vswprintf_s
String ID: OpenProcess error!$SeDebugPrivilege
API String ID: 452378514-667512243
Opcode ID: 0ca01549809936c8253b7c52e603413ef219861963680fac9df06a37a8f38b4e
Instruction ID: d4958c49afac6762f55e9f3812206ecd92222d5cc79ab0b0d1449fda2785c6e1
Opcode Fuzzy Hash: 0ca01549809936c8253b7c52e603413ef219861963680fac9df06a37a8f38b4e
Instruction Fuzzy Hash: EA418671504301ABE320EF61DD45F9B77A8EF88744F40453DFA44B62E1EB78D90987AA

Function 004015E0 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 227
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00401616
_memset.LIBCMT ref: 0040162D
_memset.LIBCMT ref: 0040164A
_memset.LIBCMT ref: 00401672
_strcpy_s.LIBCMT ref: 004016A3
_strcat_s.LIBCMT ref: 0040170B
FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401720
__splitpath_s.LIBCMT ref: 00401751
wsprintfA.USER32 ref: 0040178F

Strings

%s%s, xrefs: 0040186A
%s%s%s, xrefs: 00401789
\*.*, xrefs: 004016BE, 004016F9

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: _memset$FileFindFirst__splitpath_s_strcat_s_strcpy_swsprintf
String ID: %s%s$%s%s%s$\*.*
API String ID: 1615918616-2213651524
Opcode ID: 53ef900acb3582af2d59c1611b5a8f7a756b074e4ad2f9319cbb8de3bf699e40
Instruction ID: bf4688d3b79e943c9c4efb2a69081389564a54ee37d9649cd03d80648d3ed269
Opcode Fuzzy Hash: 53ef900acb3582af2d59c1611b5a8f7a756b074e4ad2f9319cbb8de3bf699e40
Instruction Fuzzy Hash: 6C71E5B21082845BC320DF308C94EE777EE9B95304F48497EE5C9E72D2E67A964CC75A

Function 00401000 Relevance: 7.6, APIs: 5, Instructions: 74
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?), ref: 00401031
Process32First.KERNEL32(00000000,?), ref: 0040104F
Process32Next.KERNEL32(00000000,?), ref: 0040106C
NetWkstaGetInfo.NETAPI32 ref: 00401088
CloseHandle.KERNEL32(00000000,00000002,00000000,?), ref: 004010DF

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleInfoNextSnapshotToolhelp32Wksta
String ID:
API String ID: 646870783-0
Opcode ID: d59cd686dc0adb8c6d30d8fb3347b9f572092a2e8fa3f3acac2a9a27884b438f
Instruction ID: da378a6a8dc152377679e5cb061f5fe3f072139295d189273eb0752e1d1654df
Opcode Fuzzy Hash: d59cd686dc0adb8c6d30d8fb3347b9f572092a2e8fa3f3acac2a9a27884b438f
Instruction Fuzzy Hash: 9D2183312042409BD320DF29CD89BABB7D4AB85354F44453BF994F36E1EB78DA448B9B

Function 00401C10 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00401C1A

Part of subcall function 00401000: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?), ref: 00401031
Part of subcall function 00401000: Process32First.KERNEL32(00000000,?), ref: 0040104F
Part of subcall function 00401000: Process32Next.KERNEL32(00000000,?), ref: 0040106C
Part of subcall function 00401000: CloseHandle.KERNEL32(00000000,00000002,00000000,?), ref: 004010DF

Part of subcall function 00401100: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?), ref: 0040112D
Part of subcall function 00401100: Process32First.KERNEL32(00000000,?), ref: 0040114B
Part of subcall function 00401100: Process32Next.KERNEL32(00000000,?), ref: 00401164
Part of subcall function 00401100: CloseHandle.KERNEL32(00000000,00000000,?,00000002,00000000,?), ref: 004011E3

DialogBoxParamA.USER32(?,00000067,00000000,00401C90,00000000), ref: 00401C73

Strings

file, xrefs: 00401C4E
file.exe, xrefs: 00401C2E, 00401C49

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32$CurrentDialogParamProcess
String ID: file$file.exe
API String ID: 523815800-1409625349
Opcode ID: 030b883de7780e0d0da374cf8cda4f7675dc2de988fff021b0f3aad272e55803
Instruction ID: 0d8aa2d6dc27e7d7fa6db6e400fbc690c38be284ed158aa6adfd440497888628
Opcode Fuzzy Hash: 030b883de7780e0d0da374cf8cda4f7675dc2de988fff021b0f3aad272e55803
Instruction Fuzzy Hash: 03F02832B8821467D7219A699C0EBA737888F057D6F140136F586FB2D2DAB99A0442DC

Function 00401210 Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE ref: 00401254
GetLastError.KERNEL32 ref: 0040125C
AdjustTokenPrivileges.KERNELBASE(?,00000000,000000FD,?,00000000,00000000), ref: 004012A3
GetLastError.KERNEL32 ref: 004012A5

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: AdjustErrorLastPrivilegesToken
String ID:
API String ID: 3328184475-0
Opcode ID: 64fb2463d23bc75ad511cb8fa2ca0bec40972248eb3f86ce4d4381213764b66d
Instruction ID: 901a600a454b3df01444a459f56ea93f62ceb6b3056074cb2164e2f372c7df3e
Opcode Fuzzy Hash: 64fb2463d23bc75ad511cb8fa2ca0bec40972248eb3f86ce4d4381213764b66d
Instruction Fuzzy Hash: CB118C71108301AFD310CF55DC81B6BB7E4EB88B10F108D2DF699A72D0E3B5E9098B96

Function 004023B0 Relevance: 4.5, APIs: 3, Instructions: 30
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 004023D0
FindFirstFileA.KERNEL32(?), ref: 004023DD
FindClose.KERNEL32(00000000), ref: 00402400

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: Find$CloseFileFirst_memset
String ID:
API String ID: 3141757445-0
Opcode ID: e97d5178abfb9634de5e2e6a32b0bb7f8dd009f89fa4a5cd239c9e75942a865f
Instruction ID: c6ce181f14bde60b6be507946645cd5a620ac6385a2ef7405638421a8d7f2f07
Opcode Fuzzy Hash: e97d5178abfb9634de5e2e6a32b0bb7f8dd009f89fa4a5cd239c9e75942a865f
Instruction Fuzzy Hash: 0DF082B09012005BD764E734EE0ABFA33D4AB59310F80093DB95DD61E1EA78550896DB

Function 00401C90 Relevance: 123.0, APIs: 40, Strings: 30, Instructions: 477
sleepfiletimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KillTimer.USER32 ref: 00401D01
Sleep.KERNEL32(00000064), ref: 00401D24
IsUserAnAdmin.SHELL32 ref: 00401D51
SHGetSpecialFolderLocation.SHELL32(00000000,00000005,?), ref: 00401D6D
SHGetPathFromIDList.SHELL32(?,?), ref: 00401D80
GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 00401D93
_strcat_s.LIBCMT ref: 00401DAB
_strcat_s.LIBCMT ref: 00401DC5
CreateDirectoryA.KERNEL32(?,00000000), ref: 00401E03
Sleep.KERNEL32(0000001E), ref: 00401E07
CreateDirectoryA.KERNEL32(?,00000000), ref: 00401E17
CopyFileA.KERNEL32(Seetrol_Clt.exe,?,00000000), ref: 00401E60
CopyFileA.KERNEL32(SeetrolClient.exe,?,00000000), ref: 00401E87
SetTimer.USER32(?,000003E9,0000012C,00000000), ref: 004022AA
BeginPaint.USER32(?,?), ref: 004022BD
SetBkMode.GDI32(00000000,00000001), ref: 004022C8
TextOutA.GDI32(00000000,0000000F,0000000A,Starting SeetrolClient.....,0000001B), ref: 004022DA
EndPaint.USER32(?,?), ref: 004022E6

Strings

%s\client, xrefs: 00401DD5
%s\mdph.tmp, xrefs: 00401F98
%s\SeetrolClient.exe, xrefs: 00401E6A, 0040220D
sthooks.dll, xrefs: 00401ED0
%s\STUpdate.exe, xrefs: 00401F2D
STClientChat.exe.bak, xrefs: 00402248
sas.dll, xrefs: 00401EF7
client, xrefs: 0040206A
STUpdate.exe, xrefs: 00401F45
Starting SeetrolClient....., xrefs: 004022D0
seetrolget.exe, xrefs: 00401F6C
file, xrefs: 00402047, 0040206F, 00402169
seetrol, xrefs: 00401DB3
Open, xrefs: 00402271
%s\seetrolget.exe, xrefs: 00401F54
SeetrolMyService.exe, xrefs: 00401F1E
%s\Seetrol_Clt.exe, xrefs: 00401E3D
%s\Prefetch, xrefs: 00402198
%s\sas.dll, xrefs: 00401EDF
%s\sthooks.dll, xrefs: 00401EB8
STClientChat.exe, xrefs: 00401D44, 00401EA9, 00402238, 00402247
%s\SeetrolMyService.exe, xrefs: 00401F06
%s\SeetrolClient.cfg, xrefs: 004020A9
Seetrol_Clt.exe.bak, xrefs: 0040225F
%s\dtph.tmp, xrefs: 00401FFF
SeetrolClient.exe, xrefs: 00401D2A, 00401E82, 00402221, 00402230, 0040226C
SeetrolClient.exe.bak, xrefs: 00402231
Seetrol_Clt.exe, xrefs: 00401D37, 00401E5B, 0040224F, 0040225E
wtc, xrefs: 00401FAD, 00402014
%s\STClientChat.exe, xrefs: 00401E91

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: Directory$CopyCreateFilePaintSleepTimer_strcat_s$AdminBeginFolderFromKillListLocationModePathSpecialSystemTextUser
String ID: %s\Prefetch$%s\STClientChat.exe$%s\STUpdate.exe$%s\SeetrolClient.cfg$%s\SeetrolClient.exe$%s\SeetrolMyService.exe$%s\Seetrol_Clt.exe$%s\client$%s\dtph.tmp$%s\mdph.tmp$%s\sas.dll$%s\seetrolget.exe$%s\sthooks.dll$Open$STClientChat.exe$STClientChat.exe.bak$STUpdate.exe$SeetrolClient.exe$SeetrolClient.exe.bak$SeetrolMyService.exe$Seetrol_Clt.exe$Seetrol_Clt.exe.bak$Starting SeetrolClient.....$client$file$sas.dll$seetrol$seetrolget.exe$sthooks.dll$wtc
API String ID: 2798409053-2707314946
Opcode ID: 1edd5be6367a4fad1e9e02d97212359edce47dcbf903d9bf4323e7d70c1964e8
Instruction ID: b72ad92d85b1f3e13b30a5770ce7271916f8ce5a44cb3b6e8ed2c86bfe12b5c9
Opcode Fuzzy Hash: 1edd5be6367a4fad1e9e02d97212359edce47dcbf903d9bf4323e7d70c1964e8
Instruction Fuzzy Hash: 14F1FAB15443446BD230EB60DD46FEF73A8AF84704F04453EFA44A61D1E6F99A48CBAB

Function 004019C0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 004019CC
_memset.LIBCMT ref: 00401AA3

Strings

file, xrefs: 00401A94
1111, xrefs: 004019FF
s!@, xrefs: 004019D5
1111, xrefs: 004019EF
file, xrefs: 00401A0F

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: _memset
String ID: 1111$1111$file$file$s!@
API String ID: 2102423945-526318284
Opcode ID: d00b4f09586317763c3219b5e5e127c536b25abf59be34e46b561a7eed3277c1
Instruction ID: 0fe358026f30662d1b4735509b1db18f6dc9fe2614f0306b5df226188b01ed00
Opcode Fuzzy Hash: d00b4f09586317763c3219b5e5e127c536b25abf59be34e46b561a7eed3277c1
Instruction Fuzzy Hash: 4631B4706093405BD325DF28D912BD73BE0AB55701F00843EE499AB3E3E678A6448BDE

Function 00401767 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 104
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 0040178F
FindNextFileA.KERNELBASE(00000000,00000010), ref: 00401841
FindClose.KERNEL32(00000000), ref: 00401850
wsprintfA.USER32 ref: 00401870
RemoveDirectoryA.KERNEL32(?), ref: 00401898

Strings

%s%s, xrefs: 0040186A
%s%s%s, xrefs: 00401789

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: Findwsprintf$CloseDirectoryFileNextRemove
String ID: %s%s$%s%s%s
API String ID: 4213453681-1506711308
Opcode ID: 1b483ae0c23d2a5400ebe48f80066a80e637e0742a6f460a78d25d3059619421
Instruction ID: d2654d8594571d74bfbad24e7586f3d4fd716ead37a0c87d94dcf00f2a010f95
Opcode Fuzzy Hash: 1b483ae0c23d2a5400ebe48f80066a80e637e0742a6f460a78d25d3059619421
Instruction Fuzzy Hash: F83107731082845AC731DF2088D4BF77BEA9B95304F48887FD1C6972A2E63A964DC356

Function 00401460 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00401D0C), ref: 0040146A
OpenServiceA.ADVAPI32(00000000,SeetrolMyService,000F01FF), ref: 00401485
CloseServiceHandle.ADVAPI32(00000000), ref: 00401498

Strings

SeetrolMyService, xrefs: 0040147F

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: OpenService$CloseHandleManager
String ID: SeetrolMyService
API String ID: 4136619037-3785928781
Opcode ID: 6fdd0ebc66a4a9b949edbd21f4d3a20d8689e3e44370ab8dcafa5490333107bf
Instruction ID: 0b329c62e4d04f26288101d250ebf53306fdd3919dcdbbafdaeeca3a5d12ba73
Opcode Fuzzy Hash: 6fdd0ebc66a4a9b949edbd21f4d3a20d8689e3e44370ab8dcafa5490333107bf
Instruction Fuzzy Hash: FCE09B367452252AE731271E7C84FEB2349EFC4776F014033F608E7291C5648C4550B8

Function 00402310 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00402322
GetWindowRect.USER32(?,?), ref: 00402342
GetWindowPlacement.USER32 ref: 0040236A
SetWindowPlacement.USER32(?,?), ref: 004023A2

Strings

,, xrefs: 00402362

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: Window$Placement$InfoParametersRectSystem
String ID: ,
API String ID: 1998982410-3772416878
Opcode ID: 99e1a7f1a5463dadbcdcab00a1dc38ed987f941ebbd22734b1f14063d94df596
Instruction ID: 3ff703a376426f271fa6c57a14c0fcbebf1616f6a4b8e2e169b282056182463d
Opcode Fuzzy Hash: 99e1a7f1a5463dadbcdcab00a1dc38ed987f941ebbd22734b1f14063d94df596
Instruction Fuzzy Hash: 51112E752083059FD300DF68CE48A5FBBE9FBC8B50F044A2DF98493390D674E9098B92

Function 00419170 Relevance: 7.7, APIs: 5, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b77bb2c2991b32cc9ce95208b9ee4dd213ad32aedad5e4d84c358ff967a3d6
Instruction ID: 025c434de0945be56a65ef9952d47bcfcdaa4d9649a43905ea4fbbc67eb8e039
Opcode Fuzzy Hash: 60b77bb2c2991b32cc9ce95208b9ee4dd213ad32aedad5e4d84c358ff967a3d6
Instruction Fuzzy Hash: D2514B71A442536BE7218DB88CA46E177A4EB42334B180B7EC9E1C73C5E7BC5CC68758

Function 00401100 Relevance: 7.6, APIs: 5, Instructions: 74
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?), ref: 0040112D
Process32First.KERNEL32(00000000,?), ref: 0040114B
Process32Next.KERNEL32(00000000,?), ref: 00401164
NetWkstaGetInfo.NETAPI32 ref: 00401180
CloseHandle.KERNEL32(00000000,00000000,?,00000002,00000000,?), ref: 004011E3

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleInfoNextSnapshotToolhelp32Wksta
String ID:
API String ID: 646870783-0
Opcode ID: de699426ad9734a6690700ef0e6c0f17866d61213e87be0f30fb484a9221fa2a
Instruction ID: bfb2accdbdb3f749c3c2bcf858c719efc0cdd2fab84842acd308e000074cd511
Opcode Fuzzy Hash: de699426ad9734a6690700ef0e6c0f17866d61213e87be0f30fb484a9221fa2a
Instruction Fuzzy Hash: D921D6712043005BD314EF29D995BAB73D8AB4C344F40453BEA54EB2E1DB78DA04879E

Function 00402C90 Relevance: 3.0, APIs: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404597: __getptd_noexit.LIBCMT ref: 00404597

Part of subcall function 0040452F: __decode_pointer.LIBCMT ref: 0040453A

__lock_file.LIBCMT ref: 00402CE0

Part of subcall function 004047D7: __lock.LIBCMT ref: 004047FC

__fclose_nolock.LIBCMT ref: 00402CEA

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 717694121-0
Opcode ID: fe45494423c5b6fac7b33939756971b1d040150405771e31025abc4a38dd4872
Instruction ID: 7c6e22fb0b9355e4e060505ab6c47efa051fb55c93e6032ff4341ff64a5eb9d4
Opcode Fuzzy Hash: fe45494423c5b6fac7b33939756971b1d040150405771e31025abc4a38dd4872
Instruction Fuzzy Hash: 9DF0FCB18086049AD711BB6A9D0665F7BE06FC5338F21822FE1357B1D1C77C4942AB5D

Function 0040821D Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 00408225

Part of subcall function 004081F2: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040822A,00000002,?,0040CDA2,000000FF,0000001E,?,00409640,00000002,00000001,00000002,?,00409586,00000018), ref: 004081FC
Part of subcall function 004081F2: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040820C

ExitProcess.KERNEL32 ref: 0040822E

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 43b721939462e39aa10a3ee42a7fcb2b1c7253977e11ff21d5c998c00922130e
Instruction ID: 308c22131763ad94d468f1beec1b0fd731be682465155da82bbfc7343b5f590a
Opcode Fuzzy Hash: 43b721939462e39aa10a3ee42a7fcb2b1c7253977e11ff21d5c998c00922130e
Instruction Fuzzy Hash: ABB09231000108FBCB113F5ADD0E8493F2AEF807A0B108039F8081D172DF72AD92AA88

Function 004074D3 Relevance: 1.5, APIs: 1, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

__flsbuf.LIBCMT ref: 004074F4

Part of subcall function 004054B2: __fileno.LIBCMT ref: 004054BD

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: __fileno__flsbuf
String ID:
API String ID: 3539722517-0
Opcode ID: 8275345d4b79c8cc917bfd6a3157283eaa6c4f7870463f4dcb53f9cdb00a738d
Instruction ID: 7cce7d01fd49c19aa78f7a56a374c284df4aa12dbb7f90c71c5ef7a08c88ed18
Opcode Fuzzy Hash: 8275345d4b79c8cc917bfd6a3157283eaa6c4f7870463f4dcb53f9cdb00a738d
Instruction Fuzzy Hash: 82E09A30808550AEDB254E24D4452727BA0EB02729B3486AFD691981E3D63EA887EA1A

Function 00408D2B Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 00408D40

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 7335f33acce38d2f18b46277c0f6b4c8e664faf51778acbf106187c80d9c3ccd
Instruction ID: d27d0b71e1c1b702e19ed1e9f933516e2b8d738d460afe590b9754c77b3e824c
Opcode Fuzzy Hash: 7335f33acce38d2f18b46277c0f6b4c8e664faf51778acbf106187c80d9c3ccd
Instruction Fuzzy Hash: 6DD05E766503499EDF109FB1AC087623BDCD7843A6F00C436B80CDA190F974DA40DA48

Function 00408439 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 00408445

Part of subcall function 0040830D: __lock.LIBCMT ref: 0040831B
Part of subcall function 0040830D: __decode_pointer.LIBCMT ref: 00408352
Part of subcall function 0040830D: __decode_pointer.LIBCMT ref: 00408367
Part of subcall function 0040830D: __decode_pointer.LIBCMT ref: 00408391
Part of subcall function 0040830D: __decode_pointer.LIBCMT ref: 004083A7
Part of subcall function 0040830D: __decode_pointer.LIBCMT ref: 004083B4
Part of subcall function 0040830D: __initterm.LIBCMT ref: 004083E3
Part of subcall function 0040830D: __initterm.LIBCMT ref: 004083F3

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: a0aac5c3431abba7e0df8918da4a1c7458da82481b9c42b1694cadd8d4b870a5
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: 12B0927258020833DA202582AC03F063E8987C0B64E250065BA0C291E1A9B3B9618489

Function 0040290F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 0040291C

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: b5f1e3f8c0985568a2b975540194b91a49099896255c8aa19d8b1f82aed34cac
Instruction ID: 3171664c52b2e2befb2a791988dba741f7b61ba06918710689b9ed6f8c45ca30
Opcode Fuzzy Hash: b5f1e3f8c0985568a2b975540194b91a49099896255c8aa19d8b1f82aed34cac
Instruction Fuzzy Hash: 32C09B7744010C77CF112943DC06E453F1997C0764F058021FB1C291B19577D5619589

Non-executed Functions

Function 004014C0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 48servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 004014CD
OpenServiceA.ADVAPI32(00000000,SeetrolMyService,000F01FF,?), ref: 004014E5
GetLastError.KERNEL32 ref: 004014F1
CloseServiceHandle.ADVAPI32(00000000), ref: 004014F8
QueryServiceStatus.ADVAPI32(00000000,?), ref: 0040150A
ControlService.ADVAPI32(00000000,00000001,?), ref: 0040151F
Sleep.KERNEL32(000003E8), ref: 0040152A
DeleteService.ADVAPI32(00000000), ref: 00401531
CloseServiceHandle.ADVAPI32(00000000), ref: 0040153E
CloseServiceHandle.ADVAPI32(00000000), ref: 00401541

Strings

SeetrolMyService, xrefs: 004014DF

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: Service$CloseHandle$Open$ControlDeleteErrorLastManagerQuerySleepStatus
String ID: SeetrolMyService
API String ID: 688388674-3785928781
Opcode ID: 5a6334354cd2e4ee20727358863cf3e123d8e03b1a7cda5f568199f64174e4f0
Instruction ID: eb5d84592b1be6de9c48c1a3416425f0bba420a94faa5467356ecdf6b838cff0
Opcode Fuzzy Hash: 5a6334354cd2e4ee20727358863cf3e123d8e03b1a7cda5f568199f64174e4f0
Instruction Fuzzy Hash: 4101F236240210BBC3322B58ED0DFEF7A28EFC4712F404039FB05B19A2DB7445098A7A

Function 00402478 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0040337F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00403394
UnhandledExceptionFilter.KERNEL32(0040F23C), ref: 0040339F
GetCurrentProcess.KERNEL32(C0000409), ref: 004033BB
TerminateProcess.KERNEL32(00000000), ref: 004033C2

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 6f6941f7a4c5c1a9ace265cfe737be847a74821c1145822aff8e3ff27cec9a43
Instruction ID: cbef0fd008b42f4f149740814d0a535c69295d4f5b5924c44812bcc7103d907e
Opcode Fuzzy Hash: 6f6941f7a4c5c1a9ace265cfe737be847a74821c1145822aff8e3ff27cec9a43
Instruction Fuzzy Hash: 6621C2B4400204EBD710DF69EA456847FE4BB1C306F10C13AEA49A72A6E7B49B85CF5D

Function 00403F39 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,004108F8,0000000C,00404074,00000000,00000000,?,00403032,00000002,?,00000000,00000000,?,75920630,00402435,?), ref: 00403F4B
__crt_waiting_on_module_handle.LIBCMT ref: 00403F56

Part of subcall function 00408199: Sleep.KERNEL32(000003E8,00000000,?,00403E9C,KERNEL32.DLL,?,00403EE8,?,00403032,00000002,?,00000000,00000000,?,75920630,00402435), ref: 004081A5
Part of subcall function 00408199: GetModuleHandleW.KERNEL32(00000002,?,00403E9C,KERNEL32.DLL,?,00403EE8,?,00403032,00000002,?,00000000,00000000,?,75920630,00402435,?), ref: 004081AE

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00403F7F
GetProcAddress.KERNEL32(?,DecodePointer), ref: 00403F8F
__lock.LIBCMT ref: 00403FB1
InterlockedIncrement.KERNEL32(?), ref: 00403FBE
__lock.LIBCMT ref: 00403FD2
___addlocaleref.LIBCMT ref: 00403FF0

Strings

DecodePointer, xrefs: 00403F87
@%A, xrefs: 00403FE5
KERNEL32.DLL, xrefs: 00403F45, 00403F4A, 00403F55
EncodePointer, xrefs: 00403F73

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: @%A$DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-137922019
Opcode ID: d4c90a82147c84032342a36bb417c9323b8b02ac63447233a67e4f62aafdb964
Instruction ID: 66a516918a745eb83b8ef8a2b1b51b64515f4f72e2f251b38c2c35829d65ec29
Opcode Fuzzy Hash: d4c90a82147c84032342a36bb417c9323b8b02ac63447233a67e4f62aafdb964
Instruction Fuzzy Hash: 0011A5719447019ED720AF3AD801B4ABBE4AF44318F10853FE599B76E1CBB89A44DF5C

Function 00401550 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 48servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 0040155D
OpenServiceA.ADVAPI32(00000000,SeetrolClientService,000F01FF,?), ref: 00401575
GetLastError.KERNEL32 ref: 00401581
CloseServiceHandle.ADVAPI32(00000000), ref: 00401588
QueryServiceStatus.ADVAPI32(00000000,?), ref: 0040159A
ControlService.ADVAPI32(00000000,00000001,?), ref: 004015AF
Sleep.KERNEL32(000003E8), ref: 004015BA
DeleteService.ADVAPI32(00000000), ref: 004015C1
CloseServiceHandle.ADVAPI32(00000000), ref: 004015CE
CloseServiceHandle.ADVAPI32(00000000), ref: 004015D1

Strings

SeetrolClientService, xrefs: 0040156F

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: Service$CloseHandle$Open$ControlDeleteErrorLastManagerQuerySleepStatus
String ID: SeetrolClientService
API String ID: 688388674-3794700016
Opcode ID: 9bc60a5c61a2e8153e130a6cee17e054e2c51d0a8bc321275180b48bff44cfac
Instruction ID: 650e2125f7bfac84e2454b4363194f0dc7cfb7258a19d047616c86f9489ca35c
Opcode Fuzzy Hash: 9bc60a5c61a2e8153e130a6cee17e054e2c51d0a8bc321275180b48bff44cfac
Instruction Fuzzy Hash: 3C01F236200600BBC3312B589D0DFEF3A68EFC4712F404039FA05B19A2DB7445098B7A

Function 00403D5C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00403D68

Part of subcall function 00404099: __getptd_noexit.LIBCMT ref: 0040409C
Part of subcall function 00404099: __amsg_exit.LIBCMT ref: 004040A9

__getptd.LIBCMT ref: 00403D7F
__amsg_exit.LIBCMT ref: 00403D8D
__lock.LIBCMT ref: 00403D9D

Strings

@%A, xrefs: 00403DAA

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @%A
API String ID: 3521780317-1727264051
Opcode ID: f1c0fc0cb3cbbfd346ff246f7243bd79882fc0a32568b9f9630e6006e23e8dae
Instruction ID: 1ef2423037911ee9194615e66ecc3f2dc4d0527a800a6bfc40357e3ed5750494
Opcode Fuzzy Hash: f1c0fc0cb3cbbfd346ff246f7243bd79882fc0a32568b9f9630e6006e23e8dae
Instruction Fuzzy Hash: 7EF0C271510300DAD720FFB6A40674A37945F40719F11413FA641B72D2CB7C5A018B9D

Function 004035F0 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004035FC

Part of subcall function 00404099: __getptd_noexit.LIBCMT ref: 0040409C
Part of subcall function 00404099: __amsg_exit.LIBCMT ref: 004040A9

__amsg_exit.LIBCMT ref: 0040361C
__lock.LIBCMT ref: 0040362C
InterlockedDecrement.KERNEL32(?), ref: 00403649
InterlockedIncrement.KERNEL32(021216A0), ref: 00403674

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 0401224fca5b37cba738e0a6dafc47d7f1ec829ce6b14d919de5d3cabc9b43d8
Instruction ID: 331908f7edd725da73763b2796810d179942895fa4a1d835ac3b5f5937236250
Opcode Fuzzy Hash: 0401224fca5b37cba738e0a6dafc47d7f1ec829ce6b14d919de5d3cabc9b43d8
Instruction Fuzzy Hash: 5101CE31901621ABD730AF699A1178A7B68AB00711F05883BE800B73C1CB7D6E41CBED

Function 00406195 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 004061B3

Part of subcall function 004095FC: __mtinitlocknum.LIBCMT ref: 00409612
Part of subcall function 004095FC: __amsg_exit.LIBCMT ref: 0040961E
Part of subcall function 004095FC: RtlEnterCriticalSection.NTDLL(?), ref: 00409626

___sbh_find_block.LIBCMT ref: 004061BE
___sbh_free_block.LIBCMT ref: 004061CD
HeapFree.KERNEL32(00000000,00000002,004109D0,0000000C,004095DD,00000000,00410A50,0000000C,00409617,00000002,?,?,0040CEED,00000004,00410C18,0000000C), ref: 004061FD
GetLastError.KERNEL32(?,0040CEED,00000004,00410C18,0000000C,0040968A,00000002,?,00000000,00000000,00000000,?,0040404B,00000001,00000214), ref: 0040620E

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 442de3c945e424b36cb443c0e68cc3abcf5daafda858074fce83fef8e2f37b36
Instruction ID: cc5e238aa6ac32d459c10e9b1dd1d33ee9a6f5aca5aa6bad5228cb1ae067b078
Opcode Fuzzy Hash: 442de3c945e424b36cb443c0e68cc3abcf5daafda858074fce83fef8e2f37b36
Instruction Fuzzy Hash: 1F018471905201EADF207FB29C05B5E36A49F51328F11453FF501BA2D2DE3C89509F9D

Function 00404706 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00404728
__calloc_crt.LIBCMT ref: 00404741

Strings

>A, xrefs: 00404758
*A, xrefs: 0040476D

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: __calloc_crt
String ID: *A$ >A
API String ID: 3494438863-3329664441
Opcode ID: 49badf9233450e48196fc12992e50d4ae4eb3c403ed38ef7ccd5f3e8e7495a15
Instruction ID: 25b81fbb4920db63870b0328c643b08bc950d55ec7ad246868aaa9d79a82b290
Opcode Fuzzy Hash: 49badf9233450e48196fc12992e50d4ae4eb3c403ed38ef7ccd5f3e8e7495a15
Instruction Fuzzy Hash: 8D11CAB170531057E7249F2D7D40AE26796ABC6764B14813BE715EB3E0E7BCCC81464C

Function 00403D1E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 00403D30

Part of subcall function 00403BF6: InterlockedIncrement.KERNEL32(00000002), ref: 00403C08
Part of subcall function 00403BF6: InterlockedIncrement.KERNEL32(?), ref: 00403C15
Part of subcall function 00403BF6: InterlockedIncrement.KERNEL32(?), ref: 00403C22
Part of subcall function 00403BF6: InterlockedIncrement.KERNEL32(?), ref: 00403C2F
Part of subcall function 00403BF6: InterlockedIncrement.KERNEL32(?), ref: 00403C3C
Part of subcall function 00403BF6: InterlockedIncrement.KERNEL32(?), ref: 00403C58
Part of subcall function 00403BF6: InterlockedIncrement.KERNEL32(?), ref: 00403C68
Part of subcall function 00403BF6: InterlockedIncrement.KERNEL32(?), ref: 00403C7E

___removelocaleref.LIBCMT ref: 00403D3B

Part of subcall function 00403C85: InterlockedDecrement.KERNEL32(0040B3EB), ref: 00403C9F
Part of subcall function 00403C85: InterlockedDecrement.KERNEL32(7F0F6620), ref: 00403CAC
Part of subcall function 00403C85: InterlockedDecrement.KERNEL32(6640666F), ref: 00403CB9
Part of subcall function 00403C85: InterlockedDecrement.KERNEL32(0F66305F), ref: 00403CC6
Part of subcall function 00403C85: InterlockedDecrement.KERNEL32(766F0F66), ref: 00403CD3
Part of subcall function 00403C85: InterlockedDecrement.KERNEL32(766F0F66), ref: 00403CEF
Part of subcall function 00403C85: InterlockedDecrement.KERNEL32(FFF00025), ref: 00403CFF
Part of subcall function 00403C85: InterlockedDecrement.KERNEL32(777F0EB2), ref: 00403D15

___freetlocinfo.LIBCMT ref: 00403D4F

Part of subcall function 00403AAD: ___free_lconv_mon.LIBCMT ref: 00403AF3
Part of subcall function 00403AAD: ___free_lconv_num.LIBCMT ref: 00403B14
Part of subcall function 00403AAD: ___free_lc_time.LIBCMT ref: 00403B99

Strings

@%A, xrefs: 00403D46

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: @%A
API String ID: 467427115-1727264051
Opcode ID: aa1a27a1ffa009765d3d7ad504f0c5e46baf30dff543407c53d9df91eb64829e
Instruction ID: fa662cd0f61badbe240cc64862085805d99c03f89d8a083b0c02ab5aa60423df
Opcode Fuzzy Hash: aa1a27a1ffa009765d3d7ad504f0c5e46baf30dff543407c53d9df91eb64829e
Instruction Fuzzy Hash: 8AE09A3660182145CB323E1964007ABABAE0F82313F29023BF950B62E8EB3C8E80409C

Function 00402A35 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00402AF9
__fileno.LIBCMT ref: 00402B19
__locking.LIBCMT ref: 00402B20
__flsbuf.LIBCMT ref: 00402B4B

Part of subcall function 00404597: __getptd_noexit.LIBCMT ref: 00404597

Part of subcall function 0040452F: __decode_pointer.LIBCMT ref: 0040453A

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: fda0a6d33679b741036bd8e4d1b3e0058b7cf85c4ed099c881a86042e8d8a7bd
Instruction ID: e54eca69626e6126a72dcddf24d5b9fd0220d63a2a6b34d199e2fc8224af3d03
Opcode Fuzzy Hash: fda0a6d33679b741036bd8e4d1b3e0058b7cf85c4ed099c881a86042e8d8a7bd
Instruction Fuzzy Hash: A341B431A00A059BDF249F658A4855FB7B5EF80360B24853BE455B62C0DBB8EE41CF48

Function 0040B2A7 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040B2DB
__isleadbyte_l.LIBCMT ref: 0040B30F
MultiByteToWideChar.KERNEL32(00000080,00000009,00402F73,?,00000000,00000000,?,?,?,?,00402F73,00000000,?), ref: 0040B340
MultiByteToWideChar.KERNEL32(00000080,00000009,00402F73,00000001,00000000,00000000,?,?,?,?,00402F73,00000000,?), ref: 0040B3AE

Memory Dump Source

Source File: 00000001.00000002.2099493437.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2099056763.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000412000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099493437.0000000000418000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2099981918.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2100115696.000000000041A000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ClientRun.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 53d588c4948adaaa9145cb849d5c1a41700637a3e8862d4e62a2ec3b39c9f4ec
Instruction ID: 1902bbebda954d0ad5fe98076ccee705b5502a98921783f298db84ddae5af900
Opcode Fuzzy Hash: 53d588c4948adaaa9145cb849d5c1a41700637a3e8862d4e62a2ec3b39c9f4ec
Instruction Fuzzy Hash: EA31A231510286EFDB21DFA4C884DAE7BA5EF01311B2445BEE850AB2D1D734DD40DB9D

Analysis Process: SeetrolClient.exePID: 5776, Parent PID: 6348COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	38

Executed Functions

Function 0044BFE0 Relevance: 159.7, APIs: 66, Strings: 24, Instructions: 2154windowtimesleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,000000FF), ref: 0044C063
SetCurrentDirectoryA.KERNEL32(?,?,?), ref: 0044C0F6
Sleep.KERNEL32(00000064), ref: 0044C12E
SetThreadExecutionState.KERNEL32(00000001), ref: 0044C14B
AppendMenuW.USER32(?,00000800,00000000,00000000), ref: 0044C1D8
AppendMenuW.USER32(?,00000000,00000010,00000010), ref: 0044C1E3
AppendMenuW.USER32(?,00000800,00000000,00000000), ref: 0044C1F2
AppendMenuW.USER32(?,00000800,00000000,00000000), ref: 0044C201
DeleteFileW.KERNEL32(comlogo.gif,00000000), ref: 0044C232
DeleteFileW.KERNEL32(comlogo.jpg), ref: 0044C239
DeleteFileW.KERNEL32(comlogo.swf), ref: 0044C240
SendMessageW.USER32(?,00000080,00000001,?), ref: 0044C263
SendMessageW.USER32(?,00000080,00000001,?), ref: 0044C28B
SendMessageW.USER32(?,00000080,00000000,?), ref: 0044C29F
Sleep.KERNEL32(0000001E,00000001,00000000), ref: 0044C2B7
SendMessageW.USER32 ref: 0044C341
SendMessageW.USER32(?,0000014A,00000000,?), ref: 0044C36D
SendMessageW.USER32(?,0000014E,?,00000000), ref: 0044C392
SetTimer.USER32(?,00000474,000493E0,00000000), ref: 0044C3A3
LoadImageA.USER32(00000000,?,00000000,00000000,00000000,00002050), ref: 0044C3DF
LoadImageW.USER32(?,00000086,00000000,00000000,00000000,00002000), ref: 0044C414
GetClientRect.USER32(?,?), ref: 0044C42C
GetWindowRect.USER32(?,?), ref: 0044C51A
GetWindowRect.USER32(?,?), ref: 0044C530
SetRect.USER32(?,00000000,?,0000004B,?), ref: 0044C69C
SetRect.USER32(?,0000004E,?,000001FE,?), ref: 0044C6B7

Part of subcall function 004678B0: ShowWindow.USER32(?,?), ref: 004678C1

RtlInitializeCriticalSection.NTDLL(?), ref: 0044C73B
ShellExecuteW.SHELL32(00000000,Open,ipconfig.exe,?,00000000,00000000), ref: 0044C2F9

Part of subcall function 00403BF0: FindResourceW.KERNEL32(?,?,00000006), ref: 00403C0A

SetTimer.USER32(?,00000471,000001F4,00000000), ref: 0044CCA9
SetTimer.USER32(?,00000477,0000012C,00000000), ref: 0044CEE6
SetTimer.USER32(?,00000478,00001B58,00000000), ref: 0044CEFC
SetTimer.USER32(?,00000471,0000001E,00000000), ref: 0044D0B6
SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044D267
KillTimer.USER32(?,00000475), ref: 0044D276
SetTimer.USER32(?,00000475,0000001E,00000000), ref: 0044D299
Sleep.KERNEL32(0000001E,00000439,?,?,?), ref: 0044D370
Sleep.KERNEL32(0000001E,00000001), ref: 0044D38C
Sleep.KERNEL32(0000000A), ref: 0044D39B
SetTimer.USER32(?,0000046C,00000BB8,00000000), ref: 0044D3C0
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 0044D3F1
SendMessageW.USER32(?,0000043B,00000000,00000000), ref: 0044D8B1
SendMessageW.USER32(?,00000445,00000000,00000000), ref: 0044D8C7
GetSystemMetrics.USER32(00000043), ref: 0044C82D

Part of subcall function 0040E040: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,75A85540,?,?), ref: 0040E0C1
Part of subcall function 0040E040: _memset.LIBCMT ref: 0040E0EC
Part of subcall function 0040E040: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,000000FF,00404094,?,?), ref: 0040E0FC

Part of subcall function 004676D1: SetDlgItemTextW.USER32(?,?,00000000), ref: 004676E5

GetSystemMenu.USER32(?,00000000), ref: 0044C15D

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

LoadIconW.USER32(?,000000C0), ref: 0044DA21
SetTimer.USER32(?,00000473,0000EA60,00000000), ref: 0044DA6D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044DA7F
FindWindowExW.USER32(00000000), ref: 0044DA86
GetWindowRect.USER32(00000000,?), ref: 0044DA94
SendMessageW.USER32(?,00000443,00000000,00EDF5F5), ref: 0044DB04
SetTimer.USER32(?,0000046B,00002EE0,00000000), ref: 0044DB43

Strings

#, xrefs: 0044D792
AUTO, xrefs: 0044CC3E, 0044D050
comlogo.swf, xrefs: 0044C23B
ipconfig.exe, xrefs: 0044C2ED
_latestcon_.txt, xrefs: 0044D7D0
TrayNotifyWnd, xrefs: 0044DA71
SeetrolClient.exe, xrefs: 0044D3FC, 0044D7E5
It's past 180 minutes.............., xrefs: 0044D7C3
Seetrol Client - Logoff, xrefs: 0044DA00
Cur Minutes = %d, Start Minutes = %d, xrefs: 0044D78C
Knowhow, xrefs: 0044D212
Seetrol_Clt.exe, xrefs: 0044C748
Knowhowauto, xrefs: 0044D424
AUTOSTART, xrefs: 0044CC7D, 0044D066, 0044D091
comlogo.gif, xrefs: 0044C22D
Open, xrefs: 0044C2F2
', xrefs: 0044D9C8
comlogo.jpg, xrefs: 0044C234
Seetrol Client, xrefs: 0044C491, 0044C4F5
Auxiliary, xrefs: 0044D1CF
192.168.0.229, xrefs: 0044D468
Shell_TrayWnd, xrefs: 0044DA7A
%, xrefs: 0044D924
- Logoff, xrefs: 0044D9AC

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSend$Timer$RectWindow$MenuSleep$AppendFile$DeleteFindLoad$ByteCharImageMultiSystemWide$ClientCriticalCurrentDirectoryExecuteExecutionIconInitializeItemKillMetricsModuleNameResourceSectionShellShowStateTextThread_memcpy_s_memset
String ID: - Logoff$#$%$'$192.168.0.229$AUTO$AUTOSTART$Auxiliary$Cur Minutes = %d, Start Minutes = %d$It's past 180 minutes..............$Knowhow$Knowhowauto$Open$Seetrol Client$Seetrol Client - Logoff$SeetrolClient.exe$Seetrol_Clt.exe$Shell_TrayWnd$TrayNotifyWnd$_latestcon_.txt$comlogo.gif$comlogo.jpg$comlogo.swf$ipconfig.exe
API String ID: 1592279622-827888976
Opcode ID: 80118a98d29ad6aa6ca32b05486fe8fa7090168b7125710e23bce922633bd970
Instruction ID: 0317414238df8f95ee1d8e6fe15dea10adc9106b7f96a5cbc49268b2b4661c0f
Opcode Fuzzy Hash: 80118a98d29ad6aa6ca32b05486fe8fa7090168b7125710e23bce922633bd970
Instruction Fuzzy Hash: 8803F3702007419FE314EB38CC86FAB73E5AF94714F044A1EF55A9B2D1DB78A905CB5A

Function 0043E5D0 Relevance: 130.1, APIs: 39, Strings: 35, Instructions: 581
filesleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 0043E60C

Part of subcall function 0043CB00: _sprintf.LIBCMT ref: 0043CB43
Part of subcall function 0043CB00: DeleteFileA.KERNEL32(00000000), ref: 0043CB62
Part of subcall function 0043CB00: Sleep.KERNEL32(0000001E), ref: 0043CB6A
Part of subcall function 0043CB00: _sprintf.LIBCMT ref: 0043CB85
Part of subcall function 0043CB00: DeleteUrlCacheEntry.WININET(?), ref: 0043CB95
Part of subcall function 0043CB00: URLDownloadToFileA.URLMON(00000000,?,00000000,00000000,00000000), ref: 0043CBAE

_sprintf.LIBCMT ref: 0043E62D
DeleteFileA.KERNEL32(?), ref: 0043E650
Sleep.KERNEL32(0000001E), ref: 0043E658
_sprintf.LIBCMT ref: 0043E673

Part of subcall function 004ABC43: __output_l.LIBCMT ref: 004ABC98

DeleteUrlCacheEntry.WININET(?), ref: 0043E683
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0043E698
_sprintf.LIBCMT ref: 0043E6F5
DeleteUrlCacheEntry.WININET(?), ref: 0043E705
_sprintf.LIBCMT ref: 0043E777
DeleteUrlCacheEntry.WININET(?), ref: 0043E787
_sprintf.LIBCMT ref: 0043E7E4
DeleteUrlCacheEntry.WININET(?), ref: 0043E7F4
_sprintf.LIBCMT ref: 0043E85D
_sprintf.LIBCMT ref: 0043EA85
DeleteUrlCacheEntry.WININET(?), ref: 0043EA95
CreateDirectoryA.KERNEL32(?,00000000), ref: 0043EACE
_sprintf.LIBCMT ref: 0043EB25
DeleteUrlCacheEntry.WININET(?), ref: 0043EB35
_sprintf.LIBCMT ref: 0043EBA5
DeleteUrlCacheEntry.WININET(?), ref: 0043EBB5
CreateDirectoryA.KERNEL32(?,00000000), ref: 0043EBFA
_sprintf.LIBCMT ref: 0043EC5B
DeleteUrlCacheEntry.WININET(?), ref: 0043EC6B
_sprintf.LIBCMT ref: 0043ECE5
DeleteUrlCacheEntry.WININET(?), ref: 0043ECF5
CreateDirectoryA.KERNEL32(?,00000000), ref: 0043ED39
_sprintf.LIBCMT ref: 0043ED9A
DeleteUrlCacheEntry.WININET(?), ref: 0043EDAA
_sprintf.LIBCMT ref: 0043EE24
DeleteUrlCacheEntry.WININET(?), ref: 0043EE34
DeleteUrlCacheEntry.WININET(?), ref: 0043EA15

Part of subcall function 0043BF40: InternetReadFile.WININET(00000000,?,00002000,?), ref: 0043BFCC
Part of subcall function 0043BF40: WriteFile.KERNEL32(?,?,00000000,?,?,?,00000000), ref: 0043BFFE
Part of subcall function 0043BF40: InternetReadFile.WININET(00000000,?,00002000,?), ref: 0043C010
Part of subcall function 0043BF40: CloseHandle.KERNEL32(00000000), ref: 0043C018
Part of subcall function 0043BF40: InternetCloseHandle.WININET(00000000), ref: 0043C01F

DeleteUrlCacheEntry.WININET(?), ref: 0043E86D

Part of subcall function 0043BF40: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 0043BF79
Part of subcall function 0043BF40: InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0043BF85
Part of subcall function 0043BF40: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0043BF9D

CreateDirectoryA.KERNEL32(?,00000000), ref: 0043E8AD
_sprintf.LIBCMT ref: 0043E904
DeleteUrlCacheEntry.WININET(?), ref: 0043E914
_sprintf.LIBCMT ref: 0043E985
DeleteUrlCacheEntry.WININET(?), ref: 0043E995
_sprintf.LIBCMT ref: 0043EA05

Strings

%s/MirrInst64.exe, xrefs: 0043E771
%s/068/dfmirage.cat, xrefs: 0043E8FE
068\dfmirage.sys, xrefs: 0043EA36
105\x64\dfmirage.sys, xrefs: 0043EC86
%s/068/dfmirage.inf, xrefs: 0043E9FF
Install.cmd, xrefs: 0043E7A2
%s/105/x86/dfmirage.sys, xrefs: 0043EE1E
068\dfmirage.dll, xrefs: 0043E92F
%s/105/x64/dfmirage.sys, xrefs: 0043ECDF
%s/105/dfmirage.cat, xrefs: 0043EB1F
068\dfmirage.inf, xrefs: 0043E9BC
105\x86\dfmirage.dll, xrefs: 0043ED3B
Uninstall.cmd, xrefs: 0043E814
%s/NetScan.exe, xrefs: 0043E66D
SeetrolClient, xrefs: 0043E714, 0043E796, 0043E803, 0043E87C, 0043E923, 0043E9A4, 0043EA24, 0043EAA4, 0043EB44, 0043EBC4, 0043EC7A, 0043ED04, 0043EDB9, 0043EE43
%s/Uninstall.txt, xrefs: 0043E857
105, xrefs: 0043EAB7
MirrInst32.exe, xrefs: 0043E69D
105\dfmirage.inf, xrefs: 0043EB56
%s/105/dfmirage.inf, xrefs: 0043EB9F
068\dfmirage.cat, xrefs: 0043E8B5
http://www.seetrol.com/update3, xrefs: 0043E5EE
%s/068/dfmirage.sys, xrefs: 0043EA7F
%s/105/x64/dfmirage.dll, xrefs: 0043EC55
MirrInst64.exe, xrefs: 0043E72C
%s/Install.txt, xrefs: 0043E7DE
105\x86, xrefs: 0043ED10
105\x64, xrefs: 0043EBD0
%s/068/dfmirage.dll, xrefs: 0043E97F
105\x64\dfmirage.dll, xrefs: 0043EBFC
%s/MirrInst32.exe, xrefs: 0043E6EF
105\x86\dfmirage.sys, xrefs: 0043EDC5
%s\NetScan.exe, xrefs: 0043E627
%s/105/x86/dfmirage.dll, xrefs: 0043ED94
105\dfmirage.cat, xrefs: 0043EADC

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Delete_sprintf$CacheEntry$File$CreateDirectoryInternet$CloseDownloadHandleOpenReadSleep$SystemWrite__output_l
String ID: %s/068/dfmirage.cat$%s/068/dfmirage.dll$%s/068/dfmirage.inf$%s/068/dfmirage.sys$%s/105/dfmirage.cat$%s/105/dfmirage.inf$%s/105/x64/dfmirage.dll$%s/105/x64/dfmirage.sys$%s/105/x86/dfmirage.dll$%s/105/x86/dfmirage.sys$%s/Install.txt$%s/MirrInst32.exe$%s/MirrInst64.exe$%s/NetScan.exe$%s/Uninstall.txt$%s\NetScan.exe$068\dfmirage.cat$068\dfmirage.dll$068\dfmirage.inf$068\dfmirage.sys$105$105\dfmirage.cat$105\dfmirage.inf$105\x64$105\x64\dfmirage.dll$105\x64\dfmirage.sys$105\x86$105\x86\dfmirage.dll$105\x86\dfmirage.sys$Install.cmd$MirrInst32.exe$MirrInst64.exe$SeetrolClient$Uninstall.cmd$http://www.seetrol.com/update3
API String ID: 1373949524-11142194
Opcode ID: 2c1c6b85b178184ac76484066e0d3ec32ff0bacae7837c3d864f315e861e51a1
Instruction ID: 4cbee8d6a2b8acfce4258737dc4a436cc8b1b15d380b8e733cfff0969da4ea5d
Opcode Fuzzy Hash: 2c1c6b85b178184ac76484066e0d3ec32ff0bacae7837c3d864f315e861e51a1
Instruction Fuzzy Hash: 95323EB55043459BC314DF65D891AAFBBE8FBD9304F009E2EB59983281E774960CCF92

Function 0043B0F0 Relevance: 28.6, APIs: 10, Strings: 6, Instructions: 624
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

GetModuleFileNameA.KERNEL32(00000000,?,000000FF), ref: 0043B4BC
__wcsdup.LIBCMT ref: 0043B619
CreateMutexW.KERNEL32(00000000,00000001,Global\_KHClient_AUX_2345_5432_,?,00000000), ref: 0043B683
GetLastError.KERNEL32(?,00000000), ref: 0043B693
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 0043B6B7
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 0043B6CB
SetErrorMode.KERNEL32(00000002), ref: 0043B6D3
CreateMutexW.KERNEL32(00000000,00000001,Global\_KHClient_APP_2345_5432_,?,?,?,?), ref: 0043B8AB
GetLastError.KERNEL32 ref: 0043B8B7
CloseHandle.KERNEL32(00000000), ref: 0043B8C9

Strings

invisible, xrefs: 0043B87A
3Qo, xrefs: 0043B425
Auxiliary, xrefs: 0043B660
Knowhow, xrefs: 0043B6A0
Global\_KHClient_AUX_2345_5432_, xrefs: 0043B67A
Global\_KHClient_APP_2345_5432_, xrefs: 0043B8A2

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CloseErrorHandle$CreateLastMutex$FileModeModuleName__wcsdup_memcpy_s
String ID: Auxiliary$Global\_KHClient_APP_2345_5432_$Global\_KHClient_AUX_2345_5432_$Knowhow$invisible$3Qo
API String ID: 1074556920-80422520
Opcode ID: 5067a9b8d7be3bb3aa88a6aa6945ad14a73d7af5a965499da49079b30cb3394b
Instruction ID: 445dd894240f09615fc4f4e337ef2a246d79ed885e456f48e289398e9383599e
Opcode Fuzzy Hash: 5067a9b8d7be3bb3aa88a6aa6945ad14a73d7af5a965499da49079b30cb3394b
Instruction Fuzzy Hash: 8632D3702047418FD314DF28C885B9BB7E5FF99328F148A1EF299872D2DB74A905CB96

Function 00441940 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 228
pipefilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

CreateNamedPipeW.KERNEL32(?,00000003,00000004,000000FF,00001000,00000000,00000001,00000000,?,?), ref: 00441A4F
DisconnectNamedPipe.KERNEL32(00000000,?,?), ref: 00441A65
ConnectNamedPipe.KERNEL32(00000000,00000000,?,?), ref: 00441A6E
GetLastError.KERNEL32(?,?), ref: 00441A78
ReadFile.KERNEL32(00000000,?,0000012C,?,00000000,?,?), ref: 00441AA0
PostMessageW.USER32(00000000,00002F7D,?,?), ref: 00441B9D
CloseHandle.KERNEL32(00000000,?,?), ref: 00441BB5
__endthread.LIBCMT ref: 00441BBB

Strings

%s_%d, xrefs: 00441A1D
\\.\pipe\SeetrolClientMyRevPipeMY, xrefs: 00441A14

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: NamedPipe$CloseConnectCreateDisconnectErrorFileHandleLastMessagePostRead__endthread_memcpy_s
String ID: %s_%d$\\.\pipe\SeetrolClientMyRevPipeMY
API String ID: 2326044955-2092783509
Opcode ID: fbe986a1293e06ee87d1425da3cc30a29a2cfa82c25baffa01e7c0bf633fc141
Instruction ID: db30f9be0e4a18419dfce5ab423cfdb0926a2e8025586e8c3a2dd7c2eb615f7e
Opcode Fuzzy Hash: fbe986a1293e06ee87d1425da3cc30a29a2cfa82c25baffa01e7c0bf633fc141
Instruction Fuzzy Hash: 5D7128702043819FE724DB28CC55BAFB7E9EF85304F00451EF5859B2E1EB78A9448B9A

Function 004429A0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 299
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsIconic.USER32(?), ref: 004429E1
SendMessageW.USER32(?,00000027,?,00000000), ref: 00442A0C
GetSystemMetrics.USER32(0000000B), ref: 00442A1A
GetSystemMetrics.USER32(0000000C), ref: 00442A20
GetClientRect.USER32(?,?), ref: 00442A2D
DrawIcon.USER32(?,?,?,?), ref: 00442A64

Part of subcall function 0046C3E0: __EH_prolog3.LIBCMT ref: 0046C3E7
Part of subcall function 0046C3E0: EndPaint.USER32(?,?,00000004,0041DE57), ref: 0046C402

SetRect.USER32(?,00000071,0000000A,00000085,0000001E), ref: 00442AE4
GetClientRect.USER32(?,?), ref: 00442B5D

Part of subcall function 0046C38C: __EH_prolog3.LIBCMT ref: 0046C393
Part of subcall function 0046C38C: BeginPaint.USER32(?,?,00000004,0041DDE4,?,9F5E49E1), ref: 0046C3BF

Strings

Chat, xrefs: 00442B71

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Rect$ClientH_prolog3MetricsPaintSystem$BeginDrawIconIconicMessageSend
String ID: Chat
API String ID: 289320641-3316604308
Opcode ID: abd983eb2c319afd021a7ededb4b16b8f15a9e44d03ac3cce5695e996736f569
Instruction ID: 2cc6d9dab297fa7e1fd5bd05576c8c3821afb6972e61cf369a9ed4020b1771f4
Opcode Fuzzy Hash: abd983eb2c319afd021a7ededb4b16b8f15a9e44d03ac3cce5695e996736f569
Instruction Fuzzy Hash: E4C16BB16043019FD324DF28C846F5BB7E5AF88714F048A1DF5998B3A1DB74E804CB96

Function 0043A5C0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 193
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_sprintf.LIBCMT ref: 0043A645
FindFirstFileA.KERNEL32(?,?), ref: 0043A65A
_sprintf.LIBCMT ref: 0043A739
FindNextFileA.KERNEL32(?,?), ref: 0043A812

Strings

%s%s, xrefs: 0043A72C
%sClientLogo_*.bmp, xrefs: 0043A621
\, xrefs: 0043A70E
%s\ClientLogo_*.bmp, xrefs: 0043A638
%s\%s, xrefs: 0043A733

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: FileFind_sprintf$FirstNext
String ID: %s%s$%sClientLogo_*.bmp$%s\%s$%s\ClientLogo_*.bmp$\
API String ID: 3396133536-1565633294
Opcode ID: f14a864cd104821d36551dc4d5a14f9dba02975b219f368b4dd305ecb5f69374
Instruction ID: f4b12796575df54f7c616672dc5afd154fcbdfd9141a1411446040b5d925501a
Opcode Fuzzy Hash: f14a864cd104821d36551dc4d5a14f9dba02975b219f368b4dd305ecb5f69374
Instruction Fuzzy Hash: A56135311483819FC720CB24C895BEBBBE5AFDA318F48495ED4D58B381E739C9198787

Function 00441C20 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 236comCOMMON

Download Yara Rule

APIs

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

CoInitialize.OLE32(00000000), ref: 00441CD7
CoCreateInstance.COMBASE(005064B8,00000000,00000017,005064C8,?), ref: 00441CEF
OutputDebugStringW.KERNEL32(?,?), ref: 00441E82
CoTaskMemFree.COMBASE(?), ref: 00441E8D
PropVariantClear.OLE32(?), ref: 00441EA4
CoUninitialize.COMBASE ref: 00441EC2

Strings

HHHHHHHH audio format ... sample rate = %d, xrefs: 00441E6F
A, xrefs: 00441D90

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: ClearCreateDebugFreeInitializeInstanceOutputPropStringTaskUninitializeVariant_memcpy_s
String ID: A$HHHHHHHH audio format ... sample rate = %d
API String ID: 581794384-3031787931
Opcode ID: 14154ad914f292fd911b05a4600ece8daae83feec1588fd96cd01ad8015543c1
Instruction ID: e89c9e02f3fbba304d4b27e4f3a90e8688831a5b1e725604d5bb5f30223eb2be
Opcode Fuzzy Hash: 14154ad914f292fd911b05a4600ece8daae83feec1588fd96cd01ad8015543c1
Instruction Fuzzy Hash: E79145B52047019FD314DF28C885A6BB7E9FFC8714F108A5EF4998B2A0E774E946CB52

Function 0043FE80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 394windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045D961: _memset.LIBCMT ref: 0045D97D

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Part of subcall function 0042AEF0: GetSysColor.USER32 ref: 0042AFF1

Part of subcall function 00432340: SetRect.USER32 ref: 00432403
Part of subcall function 00432340: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0043240E

Part of subcall function 0042C4A0: GetSysColor.USER32 ref: 0042C50C
Part of subcall function 0042C4A0: CreateSolidBrush.GDI32(?), ref: 0042C519

LoadIconW.USER32(?,00000080), ref: 004402CD
LoadIconW.USER32(?,000000D5), ref: 004402E8
LoadIconW.USER32(?,000000C0), ref: 00440303
LoadIconW.USER32(?,000000D6), ref: 0044031E

Strings

CNG, xrefs: 00440179
jF, xrefs: 00440299
#, xrefs: 004402AF

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: IconLoad$ColorCreate$BrushEventRectSolid_memcpy_s_memset
String ID: #$CNG$jF
API String ID: 3254138144-3597147219
Opcode ID: 18c4e32008bfbbe44ddcddfb4a913e1e360b0047ad740e5c5baa8d0b97c9fa84
Instruction ID: 34aa58a7e3111096483d884ac1860ac6c09125636886d9e9e287741e1c243a6c
Opcode Fuzzy Hash: 18c4e32008bfbbe44ddcddfb4a913e1e360b0047ad740e5c5baa8d0b97c9fa84
Instruction Fuzzy Hash: C002AA702047818FD310EF7AC49579BBBD4AF58304F40893EE5AAC7292DB78A5498F66

Function 0043C450 Relevance: 51.1, APIs: 21, Strings: 8, Instructions: 312
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNEL32(HHHHH Win7 IsUacEnabled : RegCreateKeyEx failed.), ref: 0043C4D7
RegCreateKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 0043C703
RegQueryValueExW.KERNEL32(?,EnableLUA,00000000,00000000,?,?), ref: 0043C731
RegQueryValueExW.KERNEL32(?,ConsentPromptBehaviorAdmin,00000000,00000000,?,?), ref: 0043C74D
RegQueryValueExW.KERNEL32(?,PromptOnSecureDesktop,00000000,00000000,?,?), ref: 0043C769
RegQueryValueExW.KERNEL32(?,EnableUIADesktopToggle,00000000,00000000,?,?), ref: 0043C785
RegQueryValueExW.KERNEL32(?,EnableInstallerDetection,00000000,00000000,?,?), ref: 0043C7A1
RegQueryValueExW.KERNEL32(?,EnableSecureUIAPaths,00000000,00000000,?,?), ref: 0043C7BD
RegCloseKey.KERNEL32(?,?,?), ref: 0043C7C4

Strings

EnableInstallerDetection, xrefs: 0043C5A6, 0043C6A5, 0043C79B
EnableSecureUIAPaths, xrefs: 0043C5C2, 0043C6C1, 0043C7B7
PromptOnSecureDesktop, xrefs: 0043C56E, 0043C66D, 0043C763
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 0043C4BA, 0043C506, 0043C603, 0043C6F9
EnableUIADesktopToggle, xrefs: 0043C58A, 0043C689, 0043C77F
ConsentPromptBehaviorAdmin, xrefs: 0043C552, 0043C651, 0043C747
HHHHH Win7 IsUacEnabled : RegCreateKeyEx failed., xrefs: 0043C4D2
EnableLUA, xrefs: 0043C536, 0043C635, 0043C72B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: QueryValue$CloseCreateDebugOutputString
String ID: ConsentPromptBehaviorAdmin$EnableInstallerDetection$EnableLUA$EnableSecureUIAPaths$EnableUIADesktopToggle$HHHHH Win7 IsUacEnabled : RegCreateKeyEx failed.$PromptOnSecureDesktop$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 1003081562-3560766347
Opcode ID: cd16d465e02090b09ddb000ec65f2540a9f2300487d41248a3fc0bc56e62668c
Instruction ID: ee2d2ba43dbd39f393537660436a49686c505c79c5f93db15364f38fccc35690
Opcode Fuzzy Hash: cd16d465e02090b09ddb000ec65f2540a9f2300487d41248a3fc0bc56e62668c
Instruction Fuzzy Hash: 9EA12D71284306BBE324DA64CC86FAFB3ACEBD4B14F148D1EF655A61C0D6B4B5088B65

Function 00460F76 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 175
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetParent.USER32(?), ref: 00460FA5
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 00460FC8
GetWindowRect.USER32(?,?), ref: 00460FE2
CopyRect.USER32(?,?), ref: 00461045
CopyRect.USER32(?,?), ref: 0046104F
GetWindowRect.USER32(00000000,?), ref: 00461058

Part of subcall function 0045E632: MonitorFromWindow.USER32(00000002,00000000), ref: 0045E649

Part of subcall function 0045E69F: GetMonitorInfoW.USER32(00000002,00000000), ref: 0045E6B9
Part of subcall function 0045E69F: MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 0045E6DF

CopyRect.USER32(?,?), ref: 00461074

Strings

Q&F, xrefs: 00460F8D, 004610E1, 00461103
(, xrefs: 0046100E
Q&F, xrefs: 00461126

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Rect$CopyWindow$Monitor$ByteCharFromInfoMessageMultiParentSendWide
String ID: ($Q&F$Q&F
API String ID: 304066576-1069017623
Opcode ID: 0a401bbdd688b2639fd6305e410f676393aadeae325880392625090292527a50
Instruction ID: 87878aa998c042e41a9711c61e6242d2433cb3fb59b29dc5a38e2edeb01682fe
Opcode Fuzzy Hash: 0a401bbdd688b2639fd6305e410f676393aadeae325880392625090292527a50
Instruction Fuzzy Hash: 9951B371A00219AFDF14CBA8CD85AEEBBB9AF48310F194116F905F3290EB34ED458B55

Function 0047ACCF Relevance: 21.1, APIs: 14, Instructions: 99
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0047ACEF
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 0047AD0D
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0047AD17
CloseHandle.KERNEL32(?), ref: 0047AD65
CloseHandle.KERNEL32(?), ref: 0047AD6A

Part of subcall function 00464FBD: __CxxThrowException@8.LIBCMT ref: 00464FD3

ResumeThread.KERNEL32(00000000), ref: 0047AD6F
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0047AD7A
CloseHandle.KERNEL32(?), ref: 0047AD89
Wow64SuspendThread.KERNEL32(?), ref: 0047AD94
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0047ADA4
CloseHandle.KERNEL32(?), ref: 0047ADAD
SetEvent.KERNEL32(00000004), ref: 0047ADB7
CloseHandle.KERNEL32(?), ref: 0047ADCF

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CloseHandle$Event$CreateObjectSingleThreadWait$Exception@8ResumeSuspendThrowWow64_memset
String ID:
API String ID: 3629294776-0
Opcode ID: 008de6ca277f1a7eefcf4b563d599c1b2096d8406d84073bcbf63674443ab882
Instruction ID: 4c6708a76e866dd9bc2260e86887ac0707046d6ab0c7865a7f26ce90587b507d
Opcode Fuzzy Hash: 008de6ca277f1a7eefcf4b563d599c1b2096d8406d84073bcbf63674443ab882
Instruction Fuzzy Hash: CA31AF72C00209BFCF21AFA0DC848AFBBBAFF44315F10812AF519A2560D7349915EF55

Function 004461B0 Relevance: 19.8, APIs: 13, Instructions: 313
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__endthread.LIBCMT ref: 004461FA

Part of subcall function 004AFC69: __IsNonwritableInCurrentImage.LIBCMT ref: 004AFC78
Part of subcall function 004AFC69: __getptd_noexit.LIBCMT ref: 004AFC88
Part of subcall function 004AFC69: CloseHandle.KERNEL32(?,?,004AFCD3), ref: 004AFC9C
Part of subcall function 004AFC69: __freeptd.LIBCMT ref: 004AFCA3
Part of subcall function 004AFC69: RtlExitUserThread.NTDLL(00000000,?,004AFCD3), ref: 004AFCAB
Part of subcall function 004AFC69: __getptd.LIBCMT ref: 004AFCBE
Part of subcall function 004AFC69: __endthread.LIBCMT ref: 004AFCCE
Part of subcall function 004AFC69: __XcptFilter.LIBCMT ref: 004AFCDF

Sleep.KERNEL32(0000001E), ref: 00446222
RtlEnterCriticalSection.NTDLL(?), ref: 004462D8
RtlLeaveCriticalSection.NTDLL(?), ref: 004462F4

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CriticalSection__endthread$CloseCurrentEnterExitFilterHandleImageLeaveNonwritableSleepThreadUserXcpt__freeptd__getptd__getptd_noexit
String ID:
API String ID: 3729766840-0
Opcode ID: ce8705681aa5f88bf05afb1d4c20e828a5090f28a7650f6352b054749ffcbd40
Instruction ID: e9884ce950862766f1176c0ac5ec95c0a6dd9ce4e97cc5eb434447a09c20a6eb
Opcode Fuzzy Hash: ce8705681aa5f88bf05afb1d4c20e828a5090f28a7650f6352b054749ffcbd40
Instruction Fuzzy Hash: 83C10371600205DBEB14EF24C988BAA77B1FF4A314F15457AEC099F382C778A940CB9A

Function 00442880 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 91
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004428F8
__time64.LIBCMT ref: 004428FC
_rand.LIBCMT ref: 0044291C
Sleep.KERNEL32(0000001E), ref: 0044292D
GetTickCount.KERNEL32 ref: 00442933

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

_rand.LIBCMT ref: 0044295B

Part of subcall function 004ABC21: __getptd.LIBCMT ref: 004ABC21

Sleep.KERNEL32(0000001E), ref: 0044296C
GetTickCount.KERNEL32 ref: 00442972

Strings

%05d, xrefs: 00442954
%04d, xrefs: 0044297A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CountTick$Sleep_rand$__getptd__time64_memcpy_s
String ID: %04d$%05d
API String ID: 3844507776-197335197
Opcode ID: 227cb7b05508d27fd5eff039702531d4bfddcc645b0b4d5307818ae1e5dbea38
Instruction ID: 99650fe9c0785ab40405d821e7274959d996d72bf4e4bdf287febc9a296810b5
Opcode Fuzzy Hash: 227cb7b05508d27fd5eff039702531d4bfddcc645b0b4d5307818ae1e5dbea38
Instruction Fuzzy Hash: 2621E9B17042429BE308EF25DC1AB1A7BD5EB84714F04053EF505D7391DBB898459AA9

Function 00483ADB Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(0063B210), ref: 00483AEE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,0063B1F4,0063B1F4,?,00483F68,00000004,0046B18E,0045F8A5,004671B6,?,0045FEA4), ref: 00483B44
GlobalHandle.KERNEL32(010616D0), ref: 00483B4D
GlobalUnlock.KERNEL32(00000000), ref: 00483B57
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 00483B70
GlobalHandle.KERNEL32(010616D0), ref: 00483B82
GlobalLock.KERNEL32(00000000), ref: 00483B89
RtlLeaveCriticalSection.NTDLL(?), ref: 00483B92
GlobalLock.KERNEL32(00000000), ref: 00483B9E
_memset.LIBCMT ref: 00483BB8
RtlLeaveCriticalSection.NTDLL(?), ref: 00483BE6

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 59f33d636a11a33ad67fc265615e0bfcc4ce96b73dba288ec25a38ab4a49a647
Instruction ID: 8764f508fb3b6b1b92f2f43c0033412a90adc05252f22acec2e9e162bea5c284
Opcode Fuzzy Hash: 59f33d636a11a33ad67fc265615e0bfcc4ce96b73dba288ec25a38ab4a49a647
Instruction Fuzzy Hash: 26319CB1600704AFDB20AF65DC8DA5EBBF9FB44705B00492EE552D3252DB38F9498B54

Function 0040A300 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040A32E
_sprintf.LIBCMT ref: 0040A344
_memset.LIBCMT ref: 0040A375
_fseek.LIBCMT ref: 0040A422
__fread_nolock.LIBCMT ref: 0040A437
_memset.LIBCMT ref: 0040A4A1

Strings

SeetrolClient2.cfg, xrefs: 0040A485
%s\SeetrolClient2.cfg, xrefs: 0040A33E
1111, xrefs: 0040A3BD, 0040A3D4, 0040A3EC

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _memset$__fread_nolock_fseek_sprintf
String ID: %s\SeetrolClient2.cfg$1111$SeetrolClient2.cfg
API String ID: 2707389052-960976159
Opcode ID: bb12dfc04a47e299e15959d11edb409c778a16c042d4e052ee80c085618c1343
Instruction ID: 8bdad292d561ac25b116b1b335b586015e1da7c63228d26c096bc99ec061c259
Opcode Fuzzy Hash: bb12dfc04a47e299e15959d11edb409c778a16c042d4e052ee80c085618c1343
Instruction Fuzzy Hash: FF41C2756042409BD724DF649882BEA77A4EF99300F04487EFE4C9F283E7B56544C7EA

Function 00452860 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 115
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

waveOutGetNumDevs.WINMM(?,?,004387FD,?,?,?,?,?), ref: 00452875
waveOutGetDevCapsW.WINMM(00000000,?,00000054,?,?,?,004387FD,?,?,?,?,?), ref: 00452887
CreateEventW.KERNEL32(00000000,00000000,00000000,WaveOutThreadEvent_Center,?,?,004387FD,?,?,?,?,?), ref: 0045289B
waveOutOpen.WINMM(?,00000000,?,?,00000000,00050000,?,?,?,00452730,?,0000000F,00000000,00000004,00000000), ref: 004528F4
_memset.LIBCMT ref: 00452935
waveOutPrepareHeader.WINMM(?,?), ref: 00452955
waveOutWrite.WINMM(?,?,00000020,?,?), ref: 0045296C
ResumeThread.KERNEL32(?,?,?,00000020,?,?), ref: 00452994

Strings

WaveOutThreadEvent_Center, xrefs: 0045288D

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: wave$CapsCreateDevsEventHeaderOpenPrepareResumeThreadWrite_memset
String ID: WaveOutThreadEvent_Center
API String ID: 1736050996-1491777938
Opcode ID: 8f56778adaa900acc8195b91e96ff6775c22e1866164911336eede4a6c606b83
Instruction ID: 6d75a431c4035def1884024c2f394567df97310e4675e7fb253301a84974205a
Opcode Fuzzy Hash: 8f56778adaa900acc8195b91e96ff6775c22e1866164911336eede4a6c606b83
Instruction Fuzzy Hash: 094137B1601300AFD720CF65CD88F9B7BA9FF59711F00892AE949CB246D774A848CBA5

Function 0043CB00 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 59
filesleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_sprintf.LIBCMT ref: 0043CB43
DeleteFileA.KERNEL32(00000000), ref: 0043CB62
Sleep.KERNEL32(0000001E), ref: 0043CB6A
_sprintf.LIBCMT ref: 0043CB85

Part of subcall function 004ABC43: __output_l.LIBCMT ref: 004ABC98

DeleteUrlCacheEntry.WININET(?), ref: 0043CB95
URLDownloadToFileA.URLMON(00000000,?,00000000,00000000,00000000), ref: 0043CBAE

Strings

%s/SeetrolCenter.exe, xrefs: 0043CB7F
%s\SeetrolCenter.exe, xrefs: 0043CB3C
http://www.seetrol.com/update4, xrefs: 0043CB24

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: DeleteFile_sprintf$CacheDownloadEntrySleep__output_l
String ID: %s/SeetrolCenter.exe$%s\SeetrolCenter.exe$http://www.seetrol.com/update4
API String ID: 1121109902-2027112358
Opcode ID: 5a2ebca452d504b7ecdc74d8420e4082e5a7e203874bd3f9091512907223488e
Instruction ID: 113c140703b9a1e2763a992199a9b4e00bd4365baaf0e267d46f99f035da43ba
Opcode Fuzzy Hash: 5a2ebca452d504b7ecdc74d8420e4082e5a7e203874bd3f9091512907223488e
Instruction Fuzzy Hash: DE1186B65043006BD724DB54DC96FAF77A8EF98304F00482DF5498A191E7B45608CB96

Function 0045E073 Relevance: 15.1, APIs: 10, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,?,00000005,00000024,0043B95A), ref: 0045E0AD
LoadResource.KERNEL32(?,00000000), ref: 0045E0B5

Part of subcall function 00461772: UnhookWindowsHookEx.USER32(?), ref: 004617A2

LockResource.KERNEL32(?,00000024,0043B95A), ref: 0045E0C6
GetDesktopWindow.USER32 ref: 0045E0F9
IsWindowEnabled.USER32(?), ref: 0045E107
EnableWindow.USER32(?,00000000), ref: 0045E116

Part of subcall function 004678D7: IsWindowEnabled.USER32(?), ref: 004678E0

Part of subcall function 004678F2: KiUserCallbackDispatcher.NTDLL(?,?), ref: 00467903

EnableWindow.USER32(?,00000001), ref: 0045E1FB
GetActiveWindow.USER32 ref: 0045E206
SetActiveWindow.USER32(?,?,00000024,0043B95A), ref: 0045E214
FreeResource.KERNEL32(?,?,00000024,0043B95A), ref: 0045E230

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Window$Resource$ActiveEnableEnabled$CallbackDesktopDispatcherFindFreeHookLoadLockUnhookUserWindows
String ID:
API String ID: 363064813-0
Opcode ID: f1658be9c93b4567d0de3db5ba684195d4f41083a8f146dc741ef71d91954f66
Instruction ID: 7785f7b07a05ee06f2e644d9cda3611f095727541ce5d94a14947dca32a803fa
Opcode Fuzzy Hash: f1658be9c93b4567d0de3db5ba684195d4f41083a8f146dc741ef71d91954f66
Instruction Fuzzy Hash: 37519230E007059BCF25AFA6C8496AEB7B1BF54706F14002FE902A6292DB794A45DF5A

Function 00410C9C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 135COMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32(?,?,00000200), ref: 00410CAE
CreateEventW.KERNEL32(?,00000001,?,?,?,?,00000200), ref: 00410CBC

Part of subcall function 0045D7D6: _malloc.LIBCMT ref: 0045D7F4

GetSystemDefaultLangID.KERNEL32 ref: 00410D91
_memset.LIBCMT ref: 00410E2C
_memset.LIBCMT ref: 00410E53

Part of subcall function 0040B470: RtlInitializeCriticalSection.NTDLL(?), ref: 0040B477
Part of subcall function 0040B470: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0040B48E

Strings

0, xrefs: 00410CFA
2020.12.31, xrefs: 00410E09
@, xrefs: 00410CED

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Create_memset$AllocCriticalDefaultEventInitializeLangSectionSemaphoreSystemVirtual_malloc
String ID: 0$2020.12.31$@
API String ID: 1882462657-239992031
Opcode ID: 3fe1fd1dff4b9dfc9c2705282c88b08ca7c6dd87ed7a2c193e7729f6020faffd
Instruction ID: 711cb6851e82bdc3d501d8622438d01ca85f140a7712a0af10dc0a6dae9fa3f6
Opcode Fuzzy Hash: 3fe1fd1dff4b9dfc9c2705282c88b08ca7c6dd87ed7a2c193e7729f6020faffd
Instruction Fuzzy Hash: 6951A1B05047449BD720DF6AD8547DBF6E4EF91700F00892FE58A8B791D7F8A581CB4A

Function 0040A0C0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A0E4
_sprintf.LIBCMT ref: 0040A0FA
_memset.LIBCMT ref: 0040A12B
_fseek.LIBCMT ref: 0040A1BD
__fread_nolock.LIBCMT ref: 0040A1CF

Strings

%s\SeetrolClient.cfg, xrefs: 0040A0F4
1111, xrefs: 0040A17E

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _memset$__fread_nolock_fseek_sprintf
String ID: %s\SeetrolClient.cfg$1111
API String ID: 2707389052-2762681855
Opcode ID: cb3adb16fcbacfdee338ddd6b00cd124459727bcce69fae909b7a1a77e3be287
Instruction ID: 9e87b283f48926f2b943d027465263451f392ac1a8a633c0c633194cb7bf0c04
Opcode Fuzzy Hash: cb3adb16fcbacfdee338ddd6b00cd124459727bcce69fae909b7a1a77e3be287
Instruction Fuzzy Hash: 1431D5711407809AE331AB65CC42FDB7BE4AF95704F404C1EF5996B2C2DBF9614487D6

Function 0043CCB0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

_sprintf.LIBCMT ref: 0043CCDB
RegCreateKeyExA.KERNEL32(80000002,SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 0043CD04
_sprintf.LIBCMT ref: 0043CD20

Part of subcall function 004ABC43: __output_l.LIBCMT ref: 004ABC98

RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,?), ref: 0043CD4F

Strings

%s\SeetrolClient.exe, xrefs: 0043CCD5
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 0043CCFA
%s:*:Enabled:SeetrolClient, xrefs: 0043CD1A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _sprintf$CreateValue__output_l
String ID: %s:*:Enabled:SeetrolClient$%s\SeetrolClient.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2221648232-2867794306
Opcode ID: 7c010b2b72ad6dbc2a3c1dbfef5a8ebb5a87f8a1644a0c4af11a0c5368950313
Instruction ID: fc6bd6095aad97b124ae810c4e3f6e25d01a5f65c7c215f60116d293fac0c1d4
Opcode Fuzzy Hash: 7c010b2b72ad6dbc2a3c1dbfef5a8ebb5a87f8a1644a0c4af11a0c5368950313
Instruction Fuzzy Hash: 7611ABB5144300ABD324DB50DC9AFEB77E8AF98700F10891DB595DB1C1EB74A508C7D6

Function 0043D7D0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNEL32 ref: 0043D7FC
OutputDebugStringW.KERNEL32(HHHHH SoftwareSASGeneration : RegCreateKeyEx failed.), ref: 0043D80B
RegSetValueExW.KERNEL32(?,SoftwareSASGeneration,00000000,00000004,?,00000004), ref: 0043D834
RegCloseKey.KERNEL32(?), ref: 0043D83F

Strings

HHHHH SoftwareSASGeneration : RegCreateKeyEx failed., xrefs: 0043D806
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 0043D7EA
SoftwareSASGeneration, xrefs: 0043D826

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CloseCreateDebugOutputStringValue
String ID: HHHHH SoftwareSASGeneration : RegCreateKeyEx failed.$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$SoftwareSASGeneration
API String ID: 1966882412-2536315900
Opcode ID: 99c4262755944021761c850763c0e22a3e150f7e33ae3067fcd22c31e2b342b4
Instruction ID: 0bee85f2684b96ada6e2abdc601e4a3dac73ce5c8fe6c9f1c7f8b320e454d920
Opcode Fuzzy Hash: 99c4262755944021761c850763c0e22a3e150f7e33ae3067fcd22c31e2b342b4
Instruction Fuzzy Hash: 1CF0FFB5244300BBE310DB50DC4EF5E7BA4AB98F40F504818B749E91D1D7F5A54CD656

Function 0042A310 Relevance: 12.2, APIs: 8, Instructions: 201COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 0042A36C
_memset.LIBCMT ref: 0042A39D
GetPixel.GDI32(?,00000000,?), ref: 0042A3EF

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: ObjectPixelSelect_memset
String ID:
API String ID: 2677173399-0
Opcode ID: 6ae0442bef336be030851e4fb823bdba808cf57a474c200a082c33a2774ac2c1
Instruction ID: 1ee1bd0fb5d4c90d37a7333060c8d7c72e394911fa3a93e0e21d1267867267b6
Opcode Fuzzy Hash: 6ae0442bef336be030851e4fb823bdba808cf57a474c200a082c33a2774ac2c1
Instruction Fuzzy Hash: 2A71BD716083049FD310DF29C888B1BBBE5EF85314F44892EF99583251E778E888CB56

Function 0043BF40 Relevance: 12.1, APIs: 8, Instructions: 89networkfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 0043BF79
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0043BF85
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0043BF9D
InternetReadFile.WININET(00000000,?,00002000,?), ref: 0043BFCC
WriteFile.KERNEL32(?,?,00000000,?,?,?,00000000), ref: 0043BFFE
InternetReadFile.WININET(00000000,?,00002000,?), ref: 0043C010
CloseHandle.KERNEL32(00000000), ref: 0043C018
InternetCloseHandle.WININET(00000000), ref: 0043C01F

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Internet$File$CloseHandleOpenRead$CreateWrite
String ID:
API String ID: 1404722126-0
Opcode ID: 3c34629c4e3ffb9a8602a0351aac93953f9127a6b66ea37b6dcf3473548749a1
Instruction ID: 0f3ad39d9b9c4239e3b1c38a2281e05e0cced24150fa27710c58aa65570430df
Opcode Fuzzy Hash: 3c34629c4e3ffb9a8602a0351aac93953f9127a6b66ea37b6dcf3473548749a1
Instruction Fuzzy Hash: 99219E71204304ABE320CB65CC89FABB7ACFB9A358F05090EF649D2181DA75A804DB76

Function 004AFD6A Relevance: 12.1, APIs: 8, Instructions: 74threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 004AFD9F
__calloc_crt.LIBCMT ref: 004AFDAB
__getptd.LIBCMT ref: 004AFDB8
__initptd.LIBCMT ref: 004AFDC1
CreateThread.KERNEL32(00000000,?,004AFCF3,00000000,00000004,00000000), ref: 004AFDDE
ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 004AFDEE
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004AFDF9
__dosmaperr.LIBCMT ref: 004AFE11

Part of subcall function 004B0DAA: __getptd_noexit.LIBCMT ref: 004B0DAA

Part of subcall function 004AD613: __decode_pointer.LIBCMT ref: 004AD61E

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit__initptd
String ID:
API String ID: 1359767662-0
Opcode ID: b008f31c1670ba24fe01fe05da10070a1557e63749c9d63d9d5e16f38a893b89
Instruction ID: 7a5b28a0171252b33dfc212e33759077b6ec4120b1c7ef34f908b78fcbd94e3f
Opcode Fuzzy Hash: b008f31c1670ba24fe01fe05da10070a1557e63749c9d63d9d5e16f38a893b89
Instruction Fuzzy Hash: 6B11E672501204AFC7206FF6AC8589FBB98EF62338B20012FF515932D2DB789905966D

Function 00438850 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 221COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(?,?,?,?,?,00000000,?), ref: 004389F7

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

OutputDebugStringW.KERNEL32(?), ref: 00438A2A
RtlEnterCriticalSection.NTDLL(?), ref: 00438A67
RtlLeaveCriticalSection.NTDLL(?), ref: 00438A80

Strings

HHHHH nQueue count = %d, nTotalDecSize = %d, xrefs: 00438A18
HHHHHHHH , nEncSize[%d] = %d, nDecSize[%d] = %d, xrefs: 004389E5

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CriticalDebugOutputSectionString$EnterLeave_memcpy_s
String ID: HHHHH nQueue count = %d, nTotalDecSize = %d$HHHHHHHH , nEncSize[%d] = %d, nDecSize[%d] = %d
API String ID: 884072402-4019626575
Opcode ID: 76fa8ab61d1ebb0aa1d78e5ccbe06f06a2c561c574f1f3ad77daab3f38972feb
Instruction ID: 03c2b7d0e03fa8dc5aa095d557721d3f114b8a1eda78654f022fd27bdc3c1159
Opcode Fuzzy Hash: 76fa8ab61d1ebb0aa1d78e5ccbe06f06a2c561c574f1f3ad77daab3f38972feb
Instruction Fuzzy Hash: 2581A0B16003099FCB14DF69C885AABB7A4FF58314F14862EFC199B381DB38E915CB95

Function 004ACAE7 Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 004ACB49
_memcpy_s.LIBCMT ref: 004ACBBE
__fileno.LIBCMT ref: 004ACC1E
__read.LIBCMT ref: 004ACC25
__filbuf.LIBCMT ref: 004ACC49
_memset.LIBCMT ref: 004ACC8F
_memset.LIBCMT ref: 004ACCBA

Part of subcall function 004B0DAA: __getptd_noexit.LIBCMT ref: 004B0DAA

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: 2c7b2b2109bddc153949e24054f98c97eacb04cc6b7c199fe95fda8bb8bb4b6c
Instruction ID: abd4479251ab6a21f53076fad4f07ccd83bd5fd677fab6d0174af182e9f1f346
Opcode Fuzzy Hash: 2c7b2b2109bddc153949e24054f98c97eacb04cc6b7c199fe95fda8bb8bb4b6c
Instruction Fuzzy Hash: 36511870900204EBCB608F69D8C559FBBB5EFA3330F14821BF42956291D739AE51DBA9

Function 00461136 Relevance: 10.6, APIs: 7, Instructions: 117windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00461169
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0046118D
UpdateWindow.USER32(?), ref: 004611A8
SendMessageW.USER32(?,00000121,00000000,?), ref: 004611C9
SendMessageW.USER32(?,0000036A,00000000,00000002), ref: 004611E1
UpdateWindow.USER32(?), ref: 00461224
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00461255

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Message$PeekSendUpdateWindow$Parent
String ID:
API String ID: 2799049384-0
Opcode ID: ff70b20668d73bc8d6f0bd55ac06502c0b35a6fc8f0b73e6b661baf0d1eb1299
Instruction ID: d252bd94f1bbcf6567c6af91e660d48863c3369ecacd0648b5d88a27e28415c8
Opcode Fuzzy Hash: ff70b20668d73bc8d6f0bd55ac06502c0b35a6fc8f0b73e6b661baf0d1eb1299
Instruction Fuzzy Hash: E741D470A00645EBDF219FA6CC48A9FBFB4FF85704F14815FE541A22A0EB398940DB56

Function 00451E00 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 00451E08
GetModuleHandleW.KERNEL32(USER32.DLL,00040000,00000080,00000000,On Control,0000000A), ref: 00451EBF
GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 00451ECB

Strings

On Control, xrefs: 00451E56, 00451E89, 00451E9A
USER32.DLL, xrefs: 00451EBA
SetLayeredWindowAttributes, xrefs: 00451EC5

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: AddressDefaultHandleLangModuleProcSystem
String ID: On Control$SetLayeredWindowAttributes$USER32.DLL
API String ID: 1818218665-1358959252
Opcode ID: 7561cc59aa2e0f07ae6abc68ddf2de59a26808122c13cb164592db5480608bff
Instruction ID: 61b223cb6839e083284eab4c8db451785b9d4833cb28378ac8a75344bb484194
Opcode Fuzzy Hash: 7561cc59aa2e0f07ae6abc68ddf2de59a26808122c13cb164592db5480608bff
Instruction Fuzzy Hash: 8721B53424060057DB30A624CC17F7B2695AB58702F90492FBFD3A7AE6D96CAC4A871D

Function 004AFB4A Relevance: 10.6, APIs: 7, Instructions: 71threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 004AFB7B
__calloc_crt.LIBCMT ref: 004AFB87
__getptd.LIBCMT ref: 004AFB94
__initptd.LIBCMT ref: 004AFB9D
CreateThread.KERNEL32(?,?,004AFAC7,00000000,?,?), ref: 004AFBCB
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004AFBD5
__dosmaperr.LIBCMT ref: 004AFBED

Part of subcall function 004B0DAA: __getptd_noexit.LIBCMT ref: 004B0DAA

Part of subcall function 004AD613: __decode_pointer.LIBCMT ref: 004AD61E

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit__initptd
String ID:
API String ID: 3358092440-0
Opcode ID: 81cef30467e6a0a07c5b0f1a8d5cbf4890ff279f731a7d0060ccbef10e4cc62d
Instruction ID: d9315de2e068d6cb78f37359831834a60738b7a2f37862ed32ba0fc7f5f33e8b
Opcode Fuzzy Hash: 81cef30467e6a0a07c5b0f1a8d5cbf4890ff279f731a7d0060ccbef10e4cc62d
Instruction Fuzzy Hash: 1F11BF72501209AFCB10AFE5DC8689F7BA9EF65328B20003FF51596191EB39E9059B78

Function 0043D750 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNEL32 ref: 0043D77C
OutputDebugStringW.KERNEL32(HHHHH EnableLinkedConnections : RegCreateKeyEx failed.), ref: 0043D78B
RegSetValueExW.KERNEL32(?,EnableLinkedConnections,00000000,00000004,?,00000004), ref: 0043D7B4

Strings

EnableLinkedConnections, xrefs: 0043D7A6
HHHHH EnableLinkedConnections : RegCreateKeyEx failed., xrefs: 0043D786
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 0043D76A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CreateDebugOutputStringValue
String ID: EnableLinkedConnections$HHHHH EnableLinkedConnections : RegCreateKeyEx failed.$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 3603988093-665858410
Opcode ID: 1858cdf8495606c1cca7374b77043af56f5a471c5aa78f0c3375a46d112f62f2
Instruction ID: 1df12e5fc98e8a3e359f454b7cd56c73d13499b8827705bee5f3ffaf8b18af06
Opcode Fuzzy Hash: 1858cdf8495606c1cca7374b77043af56f5a471c5aa78f0c3375a46d112f62f2
Instruction Fuzzy Hash: 09F0FFB5284300BBE310DB50DD4EF5E7BA4AB94B40F504418BB49E91D0E7F5A548D696

Function 0043CD90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,000000FF), ref: 0043CDB0
RegCreateKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 0043CDD7
RegDeleteValueW.KERNEL32(00000000,SeetrolClientAutoStart), ref: 0043CDEA

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 0043CDCD
SeetrolClientAutoStart, xrefs: 0043CDE4

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CreateDeleteFileModuleNameValue
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SeetrolClientAutoStart
API String ID: 2517888766-3131795990
Opcode ID: d7fec28352beb399e99ebf6a35f6f027d0cf4adcb86aa933a0f8918f42696f4b
Instruction ID: 9dff9f72a20c65d1b7b99c026a905ed450ff2fe2bfbd125e8c6ea67d81fe8d2c
Opcode Fuzzy Hash: d7fec28352beb399e99ebf6a35f6f027d0cf4adcb86aa933a0f8918f42696f4b
Instruction Fuzzy Hash: 9FF062B4344300BBE320DB50CC9EF3E77A4FB58B00F50891DB656961D1D6746408DB56

Function 0042A9C0 Relevance: 7.7, APIs: 5, Instructions: 191windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0042AA8B
LoadBitmapW.USER32(?), ref: 0042AAB7
GetObjectW.GDI32(?,00000018,?), ref: 0042AADB
SetWindowRgn.USER32(?,00000000,00000001), ref: 0042AB38
SelectClipRgn.GDI32(?,?), ref: 0042AB54

Part of subcall function 0046C5BC: SelectObject.GDI32(?,?), ref: 0046C5C7

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Object$Select$BitmapClipDeleteLoadWindow
String ID:
API String ID: 321049719-0
Opcode ID: 47f8c86e13153ded9631951df5492911580b9b0e1d7778bb534e9b1786e00547
Instruction ID: b4a3fc1651fe423969f71ba0e7ca9aa033c7b3f26086320547e88cca1159e450
Opcode Fuzzy Hash: 47f8c86e13153ded9631951df5492911580b9b0e1d7778bb534e9b1786e00547
Instruction Fuzzy Hash: 39715B713047419FD724DF65D895FABB7E9BF84304F40482EF59A87281EB38A848CB66

Function 004AE95D Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 004AE97B

Part of subcall function 004C1CB7: __mtinitlocknum.LIBCMT ref: 004C1CCD
Part of subcall function 004C1CB7: __amsg_exit.LIBCMT ref: 004C1CD9
Part of subcall function 004C1CB7: RtlEnterCriticalSection.NTDLL(?), ref: 004C1CE1

___sbh_find_block.LIBCMT ref: 004AE986
___sbh_free_block.LIBCMT ref: 004AE995
RtlFreeHeap.NTDLL(00000000,?,0062FB48,0000000C,004B698F,00000000,?,004C4667,?,00000001,?,?,004C1C41,00000018,00630278,0000000C), ref: 004AE9C5
GetLastError.KERNEL32(?,004C4667,?,00000001,?,?,004C1C41,00000018,00630278,0000000C,004C1CD2,?,?,?,004B6A49,0000000D), ref: 004AE9D6

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 45cbeb0b30968d37438fd0af6716e4322d49efffd721b9bfaa98f939d1218143
Instruction ID: 0e24afaa36389243447c802a8da7bc4b0f269a3753df2f6f301878ec9e430451
Opcode Fuzzy Hash: 45cbeb0b30968d37438fd0af6716e4322d49efffd721b9bfaa98f939d1218143
Instruction Fuzzy Hash: E201A271900305ABDB607BB3AC0AB5F3B689F22725F20011FF520A62D1DB3C98409A6C

Function 00484C93 Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 00484CA2
GetSystemMetrics.USER32(0000000C), ref: 00484CA9
GetSystemMetrics.USER32(00000002), ref: 00484CB0
GetSystemMetrics.USER32(00000003), ref: 00484CBA
73A0A570.USER32(00000000,?,?,?,00463538,?,00464587,00000000,00000000), ref: 00484CC4

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MetricsSystem$A570CallbackDispatcherUser
String ID:
API String ID: 1939568193-0
Opcode ID: 8fabf651fe0d1745f4ae5d9cb721fddaff93f2a2ea239d2383ad6f18143f9cbc
Instruction ID: c997203e106d7d233f157e5dcee7d89f25d3d019ee5dd44044e89707cd159688
Opcode Fuzzy Hash: 8fabf651fe0d1745f4ae5d9cb721fddaff93f2a2ea239d2383ad6f18143f9cbc
Instruction Fuzzy Hash: 5CF06DB1E40714AAEB105FB29C4EB2A7FA8EB44721F005817E7058B281CBB598448FD0

Function 0045DA93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

Edit, xrefs: 0045DAE7

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 834125e1c88b35b1ba32d6837cbe2b736cbf8e5e8719fe1d4b8edbb9a6270b61
Instruction ID: 5594bac586535b97ac3020e1c9fd1d6664b481da0700429a0e5193dcc0fa1aa7
Opcode Fuzzy Hash: 834125e1c88b35b1ba32d6837cbe2b736cbf8e5e8719fe1d4b8edbb9a6270b61
Instruction Fuzzy Hash: F7118232B00201B7EA352A268C09F5FB6AAAF44752F15052BFD01D22B3DBA8EC59D55D

Function 0040A230 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A253
_sprintf.LIBCMT ref: 0040A269

Strings

wbc, xrefs: 0040A29A
%s\SeetrolClient.cfg, xrefs: 0040A263

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _memset_sprintf
String ID: %s\SeetrolClient.cfg$wbc
API String ID: 1557529856-359083340
Opcode ID: 8d6d70423b704a3e427f2d5c386728f1d9c9a4ad84a2d7c0a4f203cea5237483
Instruction ID: f924b68c1fa9ecd78f1844f5d8bfbdd237890ff6221351cd112cecfb7a498b32
Opcode Fuzzy Hash: 8d6d70423b704a3e427f2d5c386728f1d9c9a4ad84a2d7c0a4f203cea5237483
Instruction Fuzzy Hash: 3C11063154570076E230B765CC87FDB7298AFA5714F80481EBA095A1C2EBBD914086D6

Function 0043FB50 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 0043FB8C
RtlEnterCriticalSection.NTDLL(?), ref: 0043FBA4
RtlLeaveCriticalSection.NTDLL(?), ref: 0043FBCC
RtlLeaveCriticalSection.NTDLL(?), ref: 0043FC48

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: ffee485ae5ee4192ee486a61830ce3c0f75b1a77ba848de49c64791e8aa33496
Instruction ID: ac3670d4bd68f8d3305dedd3695b80cea267f08b21252894232b5d5670b6b927
Opcode Fuzzy Hash: ffee485ae5ee4192ee486a61830ce3c0f75b1a77ba848de49c64791e8aa33496
Instruction Fuzzy Hash: 6D318EB1A047098BCB24DF65C88495BB7E9FF98304F10593EE94687341D734E90ACB96

Function 0043F630 Relevance: 6.0, APIs: 4, Instructions: 25sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0043E5D0: GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 0043E60C
Part of subcall function 0043E5D0: _sprintf.LIBCMT ref: 0043E62D
Part of subcall function 0043E5D0: DeleteFileA.KERNEL32(?), ref: 0043E650
Part of subcall function 0043E5D0: Sleep.KERNEL32(0000001E), ref: 0043E658
Part of subcall function 0043E5D0: _sprintf.LIBCMT ref: 0043E673
Part of subcall function 0043E5D0: DeleteUrlCacheEntry.WININET(?), ref: 0043E683
Part of subcall function 0043E5D0: URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0043E698
Part of subcall function 0043E5D0: _sprintf.LIBCMT ref: 0043E6F5
Part of subcall function 0043E5D0: DeleteUrlCacheEntry.WININET(?), ref: 0043E705

Sleep.KERNEL32(000003E8), ref: 0043F644
GetDesktopWindow.USER32 ref: 0043F64A
GetWindowRect.USER32(00000000,?), ref: 0043F656
__endthread.LIBCMT ref: 0043F67B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Delete_sprintf$CacheEntryFileSleepWindow$DesktopDirectoryDownloadRectSystem__endthread
String ID:
API String ID: 140231576-0
Opcode ID: a99b9e43d78d2746af8b82b211f060398b451fd35082f4f1fe1952f741be52ee
Instruction ID: c1789663454504b56c51f2f3b133d1629177a145f5cef17ad1be8badc3a05fda
Opcode Fuzzy Hash: a99b9e43d78d2746af8b82b211f060398b451fd35082f4f1fe1952f741be52ee
Instruction Fuzzy Hash: 5FE0E5711042029FC204FF68DA9E89F73A9AF98304F40491DF48A531D1DB34E90DCBA7

Function 00409EB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_sprintf.LIBCMT ref: 00409ED6
_fwscanf.LIBCMT ref: 00409F08

Part of subcall function 004AC077: _vfscanf.LIBCMT ref: 004AC08D

Part of subcall function 004ACA73: __wcstoi64.LIBCMT ref: 004ACA7F

Strings

%s\_latestcon_.txt, xrefs: 00409ED0

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: __wcstoi64_fwscanf_sprintf_vfscanf
String ID: %s\_latestcon_.txt
API String ID: 1932905854-2548858172
Opcode ID: 366a51995f28699fca6444d44ac03a61067292a0a2def956890a52acad2b2f6a
Instruction ID: 31787fd0493cacec65fedf37e931fa5be6b78b14380685a03dcae477d2bb8924
Opcode Fuzzy Hash: 366a51995f28699fca6444d44ac03a61067292a0a2def956890a52acad2b2f6a
Instruction Fuzzy Hash: 970162B15147009AD324EB65CC42FEBB6E8FBA6704F400A2FF55583182EB7995048AA6

Function 004E7970 Relevance: 4.7, APIs: 3, Instructions: 235COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004E7A12
_malloc.LIBCMT ref: 004E7A70
_malloc.LIBCMT ref: 004E7B89

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 4fad2d60b6d41da04f3d601caaff16ffc1d55dc863b485a8cadef1846e63aba8
Instruction ID: f507d7044fc43d2899815fc1669535b48904246bb1d4c1f70c3aa7bc347828f8
Opcode Fuzzy Hash: 4fad2d60b6d41da04f3d601caaff16ffc1d55dc863b485a8cadef1846e63aba8
Instruction Fuzzy Hash: 0F6159B15087455AC630AB3B9C81B2B76D5AF40339F014A7FF166C73C2E67CE5028BA9

Function 00452640 Relevance: 4.6, APIs: 3, Instructions: 70COMMON

Download Yara Rule

APIs

waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 00452662
waveOutPrepareHeader.WINMM(?,?,00000020), ref: 004526EE
waveOutWrite.WINMM(?,?,00000020), ref: 00452706

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: wave$Header$PrepareUnprepareWrite
String ID:
API String ID: 3744454087-0
Opcode ID: bb01e096a1fb93735d179c61d93d335107456b9f47d50a796f2519e1ab2e0238
Instruction ID: ee2edf0f983a53ff84427a6022d95ea59a364b16be3c8b9937adf72b74781bd7
Opcode Fuzzy Hash: bb01e096a1fb93735d179c61d93d335107456b9f47d50a796f2519e1ab2e0238
Instruction Fuzzy Hash: 47312774500F108AD364CF28C58877677F4FB48B09F90895ED96B8AA51EB76E987CB40

Function 0047A8D0 Relevance: 4.5, APIs: 3, Instructions: 37windowCOMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000030,00000000,00000000,00000000), ref: 0047A89E
TranslateMessage.USER32(00000030), ref: 0047A8BD
DispatchMessageW.USER32(00000030), ref: 0047A8C4

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Message$CallbackDispatchDispatcherTranslateUser
String ID:
API String ID: 2960505505-0
Opcode ID: 3ee033fd3930601dad43eaa4c2b62aed49fa77d5c7c634f71569cc45901c7861
Instruction ID: 58e440ab978645633ddd6994edc20489f584eb00c20a8ea9060526c735eb9cab
Opcode Fuzzy Hash: 3ee033fd3930601dad43eaa4c2b62aed49fa77d5c7c634f71569cc45901c7861
Instruction Fuzzy Hash: ACF09031201100AB972577219948DBF33ACFBD1755706846EF406CA400DB2C985BEA57

Function 0043F5C0 Relevance: 4.5, APIs: 3, Instructions: 29windowCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000056,00000001,00000000,00000000), ref: 0043F5D2
SystemParametersInfoW.USER32(00000056,00000000,00000000,00000000), ref: 0043F5EB
SendMessageW.USER32(?,00000112,0000F170,000000FF), ref: 0043F605

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: InfoParametersSystem$MessageSend
String ID:
API String ID: 3675817773-0
Opcode ID: df26b567bf51d9e93ca8a2a01abb9e6f3949f91289c007438d25439f85a8afd7
Instruction ID: 2f6f8828c51731ca26109d3d7c527c9af4a40638d7e6bf01e5e6bbbe7273a116
Opcode Fuzzy Hash: df26b567bf51d9e93ca8a2a01abb9e6f3949f91289c007438d25439f85a8afd7
Instruction Fuzzy Hash: ABF06532A85720F7E6310E105C0FFAB7210AB28F71F154656B7523F1D286E46D44A68A

Function 004AD05A Relevance: 4.5, APIs: 3, Instructions: 23COMMON

Download Yara Rule

APIs

_flsall.LIBCMT ref: 004AD06E

Part of subcall function 004ACF80: __lock.LIBCMT ref: 004ACF96
Part of subcall function 004ACF80: __fflush_nolock.LIBCMT ref: 004ACFE9
Part of subcall function 004ACF80: __fflush_nolock.LIBCMT ref: 004AD004

__lock_file.LIBCMT ref: 004AD079
__fflush_nolock.LIBCMT ref: 004AD085

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: __fflush_nolock$__lock__lock_file_flsall
String ID:
API String ID: 3191677874-0
Opcode ID: 940bb0a24c1defeee92f8620e6c7c2830be0a375c66a8c8a624b1dff277aa6d9
Instruction ID: 9d91560a0ceccda5f9344cd3a75b84871ee1ce84a914a3d2a3cea24c9140a19b
Opcode Fuzzy Hash: 940bb0a24c1defeee92f8620e6c7c2830be0a375c66a8c8a624b1dff277aa6d9
Instruction Fuzzy Hash: 2DE09270C08618EACB61BFB5D84198E7F706F11759F60822FF019291D1CB3C06839B9C

Function 004AFA86 Relevance: 4.5, APIs: 3, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004AFA92

Part of subcall function 004B699E: __getptd_noexit.LIBCMT ref: 004B69A1
Part of subcall function 004B699E: __amsg_exit.LIBCMT ref: 004B69AE

__endthreadex.LIBCMT ref: 004AFAA2

Part of subcall function 004AFA49: __IsNonwritableInCurrentImage.LIBCMT ref: 004AFA5C
Part of subcall function 004AFA49: __getptd_noexit.LIBCMT ref: 004AFA6C
Part of subcall function 004AFA49: __freeptd.LIBCMT ref: 004AFA76
Part of subcall function 004AFA49: RtlExitUserThread.NTDLL(?,?,004AFAA7,00000000), ref: 004AFA7F
Part of subcall function 004AFA49: __XcptFilter.LIBCMT ref: 004AFAB3

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadUserXcpt__amsg_exit__endthreadex__freeptd__getptd
String ID:
API String ID: 1003287236-0
Opcode ID: ebca13903f06e878826f9be8ca64a09f9ddd1eff219fde0c2561393131cd26cf
Instruction ID: 2ce176c9bbcddf877b570b3897d3f1cacc1c9e1ff0e38721ca28e241f852ceb6
Opcode Fuzzy Hash: ebca13903f06e878826f9be8ca64a09f9ddd1eff219fde0c2561393131cd26cf
Instruction Fuzzy Hash: 40E0E6B15006009FD708BBE1D816E6E77759F44706F11419EF1016B2A2CA799954DA25

Function 004AFCB2 Relevance: 4.5, APIs: 3, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004AFCBE

Part of subcall function 004B699E: __getptd_noexit.LIBCMT ref: 004B69A1
Part of subcall function 004B699E: __amsg_exit.LIBCMT ref: 004B69AE

__endthread.LIBCMT ref: 004AFCCE

Part of subcall function 004AFC69: __IsNonwritableInCurrentImage.LIBCMT ref: 004AFC78
Part of subcall function 004AFC69: __getptd_noexit.LIBCMT ref: 004AFC88
Part of subcall function 004AFC69: CloseHandle.KERNEL32(?,?,004AFCD3), ref: 004AFC9C
Part of subcall function 004AFC69: __freeptd.LIBCMT ref: 004AFCA3
Part of subcall function 004AFC69: RtlExitUserThread.NTDLL(00000000,?,004AFCD3), ref: 004AFCAB
Part of subcall function 004AFC69: __XcptFilter.LIBCMT ref: 004AFCDF

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: __getptd_noexit$CloseCurrentExitFilterHandleImageNonwritableThreadUserXcpt__amsg_exit__endthread__freeptd__getptd
String ID:
API String ID: 2659990245-0
Opcode ID: bc28bcb503fb1b60ba19fd27735305a52a8664956d4a56a339d3cdf3b9fd1684
Instruction ID: 9314629f8c229bc7e6187d77da896eb7a0b56d1b139d8961990faaa2b49d2dd9
Opcode Fuzzy Hash: bc28bcb503fb1b60ba19fd27735305a52a8664956d4a56a339d3cdf3b9fd1684
Instruction Fuzzy Hash: 3EE08CB0500600DFD708ABA2D806EAE7731EF04716F21019EF0012B2A2CB3DA900EA28

Function 00451CD0 Relevance: 3.1, APIs: 2, Instructions: 91timeCOMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,00000005,9F5E49E1,75A84920,00EFDE10,?,00000000,004FC090,000000FF,00446143,00000000,00000000,0050D4D8), ref: 00451D49
KillTimer.USER32(?,00002B03,00000000,9F5E49E1,75A84920,00EFDE10,?,00000000,004FC090,000000FF,00446143,00000000,00000000,0050D4D8,?,0050D4E4), ref: 00451D75

Part of subcall function 004678B0: ShowWindow.USER32(?,?), ref: 004678C1

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: InvalidateKillRectShowTimerWindow
String ID:
API String ID: 2926514257-0
Opcode ID: 3ad96e683a3d8906ec69fec241b19334481f5d4c88d9bb144a47eb2c77fbb57e
Instruction ID: a9d930ffdc249dca87f500121f06408832316f7bccebffb312e5afd1c3899bc8
Opcode Fuzzy Hash: 3ad96e683a3d8906ec69fec241b19334481f5d4c88d9bb144a47eb2c77fbb57e
Instruction Fuzzy Hash: C631AF31204B019FD314CF28C845B67B7F8BB88329F148B1EF166872E1CB38A909CB95

Function 00439CB0 Relevance: 3.1, APIs: 2, Instructions: 55windowCOMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 00439D29
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00439D38

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: IconNotifyShell__wcsncpy
String ID:
API String ID: 3337414962-0
Opcode ID: d011a43b6b1f8af761dc3d3800df52433f591356d7aa51df4e357da033ad1f4b
Instruction ID: ed0cb2552b5f28e150c01747d8376396f06ed38ce729b07bc2de120dec0ac1db
Opcode Fuzzy Hash: d011a43b6b1f8af761dc3d3800df52433f591356d7aa51df4e357da033ad1f4b
Instruction Fuzzy Hash: F511E572608300ABD325DF55E842FABB7ACEF98710F00541EF94AD7280DB74AA44C7D6

Function 004ACD0E Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 004ACD3B
__lock_file.LIBCMT ref: 004ACD66

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: d7760b09142171d6d4afdcb80112d7e36997fd3c09e4c28a85bf4322bc945eb7
Instruction ID: 42243ab504d9d4b39945a06aa52d02152b5e1df27209f944fe132a044ac42e95
Opcode Fuzzy Hash: d7760b09142171d6d4afdcb80112d7e36997fd3c09e4c28a85bf4322bc945eb7
Instruction Fuzzy Hash: FD014071C00219EBCF61AFA5CC424DF3F31AF26755F00812AF814151A1D7398662DFD5

Function 0047ADDA Relevance: 3.0, APIs: 2, Instructions: 40threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0047ADE1

Part of subcall function 0045D7D6: _malloc.LIBCMT ref: 0045D7F4

Part of subcall function 0047A7A9: __EH_prolog3.LIBCMT ref: 0047A7B0

Part of subcall function 0047A625: SetThreadPriority.KERNEL32(?,?,?,0047AE38,?,?,?,?,00000004,004528B8,00452730,?,0000000F,00000000,00000004,00000000), ref: 0047A630

ResumeThread.KERNEL32(?,?,?,?,?,00000004,004528B8,00452730,?,0000000F,00000000,00000004,00000000,?,?,004387FD), ref: 0047AE41

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: H_prolog3Thread$PriorityResume_malloc
String ID:
API String ID: 3956167790-0
Opcode ID: cb0dedc4492c08d0268f0b3995f6c105b81e87181a6f7da2b50fa1c2e8312906
Instruction ID: 691ebd52db1fa19d506d686bb54509bcdcfbe9df656cbac41c3182335ce2987e
Opcode Fuzzy Hash: cb0dedc4492c08d0268f0b3995f6c105b81e87181a6f7da2b50fa1c2e8312906
Instruction Fuzzy Hash: AB01D671600205AFDF16AF65C801AAF3AA1AF48714F10851AF94AD62A1C7398D319BD9

Function 004ABEF1 Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 004B0DAA: __getptd_noexit.LIBCMT ref: 004B0DAA

Part of subcall function 004AD613: __decode_pointer.LIBCMT ref: 004AD61E

__lock_file.LIBCMT ref: 004ABF41

Part of subcall function 004BC881: __lock.LIBCMT ref: 004BC8A6

__fclose_nolock.LIBCMT ref: 004ABF4B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 717694121-0
Opcode ID: e47a0bfbb437cf64d45b2e20b566945e43fc4ce308b783d0be517a6ebc0cd637
Instruction ID: 1e4875a7605a2e4eb2a8466746ab85574eddbdeb1067706bb85f52f6f7d0ce6f
Opcode Fuzzy Hash: e47a0bfbb437cf64d45b2e20b566945e43fc4ce308b783d0be517a6ebc0cd637
Instruction Fuzzy Hash: E5F04F70C0060499C721AB7A8C42A9F7AA4AF66324F25835BF479E61D2CB3C55429E9E

Function 004785C2 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004784E6: _memset.LIBCMT ref: 004784F7
Part of subcall function 004784E6: GetParent.USER32(?), ref: 00478517

_memcpy_s.LIBCMT ref: 004785ED
SendMessageW.USER32(?,00000432,00000000,?), ref: 0047860F

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageParentSend_memcpy_s_memset
String ID:
API String ID: 1835637408-0
Opcode ID: 2ce0b362ed88517556852155bbb447520653f71fc65d790c28cce022fcd18489
Instruction ID: 35209bd0a75116e1fa5a517779ce5f85d4287aaa12fe93cccc0cca794521ed6d
Opcode Fuzzy Hash: 2ce0b362ed88517556852155bbb447520653f71fc65d790c28cce022fcd18489
Instruction Fuzzy Hash: 74F0907290020DBBDF20AFA0CC0AFDE7B68FB04304F00441AB94462192EAB4E620DB98

Function 00463B2A Relevance: 3.0, APIs: 2, Instructions: 32threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00483F14: __EH_prolog3.LIBCMT ref: 00483F1B

GetCurrentThreadId.KERNEL32 ref: 00463B59
SetWindowsHookExW.USER32(00000005,0046390A,00000000,00000000), ref: 00463B69

Part of subcall function 00464FBD: __CxxThrowException@8.LIBCMT ref: 00464FD3

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CurrentException@8H_prolog3HookThreadThrowWindows
String ID:
API String ID: 1226552664-0
Opcode ID: d5657bdfeefdd455f8654f3aeaaae533940700923eb187196dcba21c96b92062
Instruction ID: e55a1c105527e66b85e689c04e19db634b15a9f07a9e3a3c31ed86af4dfc0cdf
Opcode Fuzzy Hash: d5657bdfeefdd455f8654f3aeaaae533940700923eb187196dcba21c96b92062
Instruction Fuzzy Hash: B3F0E93154074097C7306F62580571BBAB4DFD0F63F11012FF64546241EB34A90487EF

Function 0040B3F0 Relevance: 3.0, APIs: 2, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(?), ref: 0040B3F7
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0040B40E

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: AllocCriticalInitializeSectionVirtual
String ID:
API String ID: 331916362-0
Opcode ID: 714b38027257c10e1ecb8dc082fd9536267312d208dbd9a417c7689026754d39
Instruction ID: 5f5e25e211d7ee3546f546737dfe86325344301b4b4223064383ff62440cba73
Opcode Fuzzy Hash: 714b38027257c10e1ecb8dc082fd9536267312d208dbd9a417c7689026754d39
Instruction Fuzzy Hash: 09F03A752007018FC728CF28D959F96B7E9FB68314F00C91ED59A8BA90D735B5058B44

Function 0040B470 Relevance: 3.0, APIs: 2, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(?), ref: 0040B477
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0040B48E

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: AllocCriticalInitializeSectionVirtual
String ID:
API String ID: 331916362-0
Opcode ID: 714b38027257c10e1ecb8dc082fd9536267312d208dbd9a417c7689026754d39
Instruction ID: c71ae779a433aaf043c5651ffcf6bb020ac340cc61ef6bb4ce6d8a5c54e082fd
Opcode Fuzzy Hash: 714b38027257c10e1ecb8dc082fd9536267312d208dbd9a417c7689026754d39
Instruction Fuzzy Hash: 09F03A75200B018FC728CF28D959F96B7E9FBA8314F00C91EDA9A8BA90D735B5058B44

Function 0040B4F0 Relevance: 3.0, APIs: 2, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(?), ref: 0040B4F7
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0040B50E

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: AllocCriticalInitializeSectionVirtual
String ID:
API String ID: 331916362-0
Opcode ID: 714b38027257c10e1ecb8dc082fd9536267312d208dbd9a417c7689026754d39
Instruction ID: f7fa80ce93e383ff8e9fbd25fe0066dee27a45c29acc95435a8e17047fe2ac38
Opcode Fuzzy Hash: 714b38027257c10e1ecb8dc082fd9536267312d208dbd9a417c7689026754d39
Instruction Fuzzy Hash: 46F03A752007019FC728CF28D959F96B7E9FB68314F00895ED59A8BA90D731B4058B44

Function 004677E5 Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004677F9

Part of subcall function 00464FBD: __CxxThrowException@8.LIBCMT ref: 00464FD3

SetWindowTextW.USER32(?,?), ref: 00467821

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Window$Exception@8TextThrow
String ID:
API String ID: 735465941-0
Opcode ID: b0eb1a2f0108715ba6cf5ac081ff6a3d804ff0652a593e7145662b81055c348a
Instruction ID: 05583e94e4d3d1c45e4e06354e0e6ada648b4110ca79778efaccf72755211059
Opcode Fuzzy Hash: b0eb1a2f0108715ba6cf5ac081ff6a3d804ff0652a593e7145662b81055c348a
Instruction Fuzzy Hash: 6BF06532104714DBCB316B64D808A97B7E5FF5436AF00457BE48582A20EB75EC54DB96

Function 00415830 Relevance: 2.6, APIs: 2, Instructions: 62COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000010,00EFDE10,?,00000000,0044E19D,00509080,00000001,00000001,0000043A,00000001), ref: 0041584F
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,-00000010,-00000001,?,00000000,0044E19D,00509080,00000001,00000001,0000043A,00000001,00000000,00000001), ref: 00415881

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: ByteCharMultiWide$_memcpy_s
String ID:
API String ID: 1203716505-0
Opcode ID: ebe59281a9745d5aef1c0b7699dcf06c939c2735b3bb3362653bd2caee5f0919
Instruction ID: d6006de0d040f6ea61c7d54d4cdae8ae9848a47eac97281d38c4fe11d3dd990c
Opcode Fuzzy Hash: ebe59281a9745d5aef1c0b7699dcf06c939c2735b3bb3362653bd2caee5f0919
Instruction Fuzzy Hash: F3010832301611AFD110AA5ECC89F6FF78DDFD0771F24422BB214AB2D4CE615C1147A8

Function 0042B710 Relevance: 1.6, APIs: 1, Instructions: 106windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000401,00000001,00000000), ref: 0042B7DB

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Part of subcall function 00478732: IsWindow.USER32(?), ref: 00478741
Part of subcall function 00478732: SendMessageW.USER32(?,00000439,00000000,?), ref: 0047878E

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSend$Window_memcpy_s
String ID:
API String ID: 2213822615-0
Opcode ID: 7989fd9e0b17ddc741d8b6b7dfc38838960a7a04501abcb97cca3b4a0fd117dc
Instruction ID: 10a6ec72c5594cf206b1db904af1edfe0864e0527fc71e8e30528aeb11ba2997
Opcode Fuzzy Hash: 7989fd9e0b17ddc741d8b6b7dfc38838960a7a04501abcb97cca3b4a0fd117dc
Instruction Fuzzy Hash: 7D4148712047419FD314CB29CC81B5BB3E5BFC5324F14871EE16A8B2E1DB78A905CB99

Function 00438B00 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00438BD3

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: ab14c3348c9c4208fbe637bab694f78cf73439b18427d73ffa1c583ded86dad7
Instruction ID: 2dee80e361fd3232d46d76e0934cfc635d2155df94243023df8454c5812c5b73
Opcode Fuzzy Hash: ab14c3348c9c4208fbe637bab694f78cf73439b18427d73ffa1c583ded86dad7
Instruction Fuzzy Hash: 7521F4F9501F005BD3609B62E884BA7F3E8EB58708F14882FF65647241EF39B8048B69

Function 00452420 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00452471

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: d3e7fd40ce842cc48614c5a7faa717026c6e2116167b1843f685f497f5069154
Instruction ID: ec0ab1c619b56860b760f783d64305f879cd42c995ab731da27b5a8bdc4a1983
Opcode Fuzzy Hash: d3e7fd40ce842cc48614c5a7faa717026c6e2116167b1843f685f497f5069154
Instruction Fuzzy Hash: ED0129B19017059FD760DF69C841796BBE8FB19314F108A2FE86DC7641E370A5488B80

Function 004625E0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,10000000), ref: 0046260A

Part of subcall function 0046258D: GetWindow.USER32(?,0046262B), ref: 00462598

Part of subcall function 004678D7: IsWindowEnabled.USER32(?), ref: 004678E0

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Window$EnabledRect
String ID:
API String ID: 686447027-0
Opcode ID: a23b73de20433f6d96421440a8771181aad4e3dd4460004ab4d3319e98f588a4
Instruction ID: 5055467ce9d2f44e0ac1357a3a43c83d02e29c8af5598c7c0aa0e5c1b83463f9
Opcode Fuzzy Hash: a23b73de20433f6d96421440a8771181aad4e3dd4460004ab4d3319e98f588a4
Instruction Fuzzy Hash: 54018F30300516ABDF14EF25CA55B7F33A5AF60314F40445AED06A7380FBB8ED12874A

Function 00483F14 Relevance: 1.5, APIs: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00483F1B

Part of subcall function 00464FBD: __CxxThrowException@8.LIBCMT ref: 00464FD3

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID:
API String ID: 3670251406-0
Opcode ID: 57875386a552ee32f64569ba0967fa739a11c33777a4205db531cf19c0f5c029
Instruction ID: 5b537a06edd8d2746150956bd710de9b34330f386c57375a3e97e4047ae9b064
Opcode Fuzzy Hash: 57875386a552ee32f64569ba0967fa739a11c33777a4205db531cf19c0f5c029
Instruction Fuzzy Hash: E7017535A002079BDB24FF26C81562E75B2AB5475AF10592EF74187390EF38CA00CB99

Function 0040A680 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

NetWkstaGetInfo.NETAPI32(00000000,00000064,?), ref: 0040A6B4

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: InfoWksta
String ID:
API String ID: 30969799-0
Opcode ID: e28c1c64a2702c5cedebaaaa6a38382c57d182edb4265f609173f959171c0d8a
Instruction ID: de71ddbf19bff751b1512dece9c1672f47c4a75db0ab9b28c224a344ddf78551
Opcode Fuzzy Hash: e28c1c64a2702c5cedebaaaa6a38382c57d182edb4265f609173f959171c0d8a
Instruction Fuzzy Hash: 0C01D6702142019FD348DF14D440B1AB7A5BB98310F10C92EF889CB3A0DAB5D850CF55

Function 0045EF5B Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,0045EFE1,00000000,000000EC,00000200,00000000,004185B4,?,004677D5), ref: 0045EFA0

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: c6438475a4df9d7aa52f96bbbb631b97d17dd57ba5486f51ed7152233fd1cbf6
Instruction ID: 2f62aef39efca28d41eed430fd130546fa948d70f5eef3bc5cb73d8fc1daeda1
Opcode Fuzzy Hash: c6438475a4df9d7aa52f96bbbb631b97d17dd57ba5486f51ed7152233fd1cbf6
Instruction Fuzzy Hash: 2EF01C36120109BFDF099F61DC098AE3BA5EF18352B10842AFC1AC5161DB31DA65AA64

Function 0042A590 Relevance: 1.5, APIs: 1, Instructions: 25windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0042A5DD

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b4e626c311e03cca14ad7d549664a22557ee3bb31091b08b81198acf0257e1c1
Instruction ID: 83f97fbc6b740ca85669d3ab1405ac87f8f6c4f847c2b8b2ac6eac0f78e24351
Opcode Fuzzy Hash: b4e626c311e03cca14ad7d549664a22557ee3bb31091b08b81198acf0257e1c1
Instruction Fuzzy Hash: 7EF0AFB4A083009FD310DF19C584B2ABBE0BB98704F508A6EF8C89B251D635D9558F96

Function 00438F90 Relevance: 1.5, APIs: 1, Instructions: 25windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000), ref: 00438FDA

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f21bf3283de0b3085fff119e80e6f98479fb10e58e676101683037dfd2adb1c3
Instruction ID: abd6028fbf4ea906d7b528dd8c6ec6cc9be9c5286a5a92210016a7effe12659c
Opcode Fuzzy Hash: f21bf3283de0b3085fff119e80e6f98479fb10e58e676101683037dfd2adb1c3
Instruction Fuzzy Hash: 88F03AB46053409FE325DF64C856F5AB7F4EB99304F40A80DA1898B291EA7596448F82

Function 004031A0 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000006), ref: 004031B7

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: c765c28986b0eee8367dffb34489c5e0ec388246e642edef7df9636bf7137904
Instruction ID: dfd1929a54cb5273a5399baf680dfb02386b32efaa60d9ffc5d2f79bf2414fc5
Opcode Fuzzy Hash: c765c28986b0eee8367dffb34489c5e0ec388246e642edef7df9636bf7137904
Instruction Fuzzy Hash: 49D0C2362140203AD1111A0A7C059BB679CCBC5A36F01402FF881EA280D2349C03A5B1

Function 0045FC28 Relevance: 1.5, APIs: 1, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00628830,00000014,0047CEB0,RICHED20.DLL,0047CDEA,?,0043B43B), ref: 0045FC61

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7d1cab5733726f370a59a3728a63fe2cf4cf2a7bd4072d47154b3b183cfe8558
Instruction ID: d8162b75be011d5adf6ba7f8cb75f89d317de6d01f8dbe3a6bb3f4f40202c3e8
Opcode Fuzzy Hash: 7d1cab5733726f370a59a3728a63fe2cf4cf2a7bd4072d47154b3b183cfe8558
Instruction Fuzzy Hash: 16F05870C00208EECB01AFF5CC459DEBAB0BF08305F60413EE815A61A2DB384A49AF29

Function 0045D7D6 Relevance: 1.5, APIs: 1, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0045D7F4

Part of subcall function 004AE893: __FF_MSGBANNER.LIBCMT ref: 004AE8B6
Part of subcall function 004AE893: __NMSG_WRITE.LIBCMT ref: 004AE8BD
Part of subcall function 004AE893: RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 004AE90A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: b58773a85620d5dbee4b47c5aba6af146862abf4f1198f9cd4a61b08e29000b1
Instruction ID: 3ac0b852d3335f7a8e971f2242611c4634840818911431d39d74deb4dd19209e
Opcode Fuzzy Hash: b58773a85620d5dbee4b47c5aba6af146862abf4f1198f9cd4a61b08e29000b1
Instruction Fuzzy Hash: 14D02B36E04116374B31759ADC00A577B49CF417B17340037FC18C7711DA24DC4153D8

Function 00467722 Relevance: 1.5, APIs: 1, Instructions: 21windowCOMMON

Download Yara Rule

APIs

IsDialogMessageW.USER32(?,?), ref: 0046774E

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: DialogMessage
String ID:
API String ID: 547518314-0
Opcode ID: bc8b4485f5cd7fa4dbbd7a9123765b52ad6fe96400e0bc00737a45f1267623a6
Instruction ID: c2bf895f72baf39617cde71fde6404f0e842d00ed5d6d31f3fd08dfe0fc09422
Opcode Fuzzy Hash: bc8b4485f5cd7fa4dbbd7a9123765b52ad6fe96400e0bc00737a45f1267623a6
Instruction Fuzzy Hash: 7AE04F32200204EBCB116B99C8088C67BA9FF89365B005066F94587520DBB5EC50EBD5

Function 004678F2 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 00467903

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 8468177838c4d77f30ef241d668f3ec3a1f5aaf2482befb99a0b141382e11b6d
Instruction ID: 2dc1bc113f723485765a8f5dc5a68f60a6cef62ba8b1fff759c9f9cd9409f89d
Opcode Fuzzy Hash: 8468177838c4d77f30ef241d668f3ec3a1f5aaf2482befb99a0b141382e11b6d
Instruction Fuzzy Hash: 4ED05E72100208DFD700CB00D408F7537A5FB54319F2400A9E5080E621CB339866DB40

Function 004678B0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 004678C1

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e5ce5225fea14b3a31c0d998d34b300d211ce9bd86ff1fc3a8635544788c0640
Instruction ID: dd65c1aba2ebbce0895939cfe18a33b3e46ea61d88b56c63de736ae972e2b994
Opcode Fuzzy Hash: e5ce5225fea14b3a31c0d998d34b300d211ce9bd86ff1fc3a8635544788c0640
Instruction Fuzzy Hash: 33D05272100608DFCB009F00D808BB93BA5FB98319F2000A9E1080E632C7339826EB40

Function 0041DBE0 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

DrawTextW.USER32(?,?,?,?,?), ref: 0041DBF8

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 62142b7498c8dbff72a69670f94a726324b47c6380c45ecb83a6aa637678c0be
Instruction ID: 03ca0caeca675ed734d6726b1c003942184fc922bcda8146b786d402a40266ec
Opcode Fuzzy Hash: 62142b7498c8dbff72a69670f94a726324b47c6380c45ecb83a6aa637678c0be
Instruction Fuzzy Hash: 89D0C2BA604200BFC640CA98C984D1BB7E9ABD8710F10C908B199C3215C231E8459B61

Function 004F3D8F Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

__waccess_s.LIBCMT ref: 004F3D9A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: __waccess_s
String ID:
API String ID: 4272103461-0
Opcode ID: 121c4f77d4c72d3789264fc0d0d617dc9724d87233f222cead199be475d85574
Instruction ID: 08b350b6b8d76abf8e86f39cfa31682f295147d328a03dc0266525518e4c4af9
Opcode Fuzzy Hash: 121c4f77d4c72d3789264fc0d0d617dc9724d87233f222cead199be475d85574
Instruction Fuzzy Hash: C9C09B7305810D7F5F155EE6FC01C553F59D681774B108116F91C89591DD32D5515544

Function 0047A625 Relevance: 1.5, APIs: 1, Instructions: 8threadCOMMON

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?,?,0047AE38,?,?,?,?,00000004,004528B8,00452730,?,0000000F,00000000,00000004,00000000), ref: 0047A630

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: PriorityThread
String ID:
API String ID: 2383925036-0
Opcode ID: fa9f0c75dbf9431813db0d2e20f52fbeaa047fe4c1dd9f23948990ba433726de
Instruction ID: 1c55c526829ea2288788db64fa1ce1844db48cc75925326e1d4cf13c06cd3a29
Opcode Fuzzy Hash: fa9f0c75dbf9431813db0d2e20f52fbeaa047fe4c1dd9f23948990ba433726de
Instruction Fuzzy Hash: 5BB09B77000108B7C7111B91EC08C457F29D7943507108011F5080502187339435E654

Function 00445840 Relevance: 1.3, APIs: 1, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 004458B9

Part of subcall function 00458A00: _memset.LIBCMT ref: 00458A88
Part of subcall function 00458A00: _memset.LIBCMT ref: 00458A98

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _memset$Sleep
String ID:
API String ID: 1325827320-0
Opcode ID: 87c72dbd3861972bb195618941e3c32923d0d5fbff2ea07df87bb39d7662d126
Instruction ID: 441ce1436a6b6d9c31d6288d38d78d2119571ae654709c5a9a8975d1943d9ac6
Opcode Fuzzy Hash: 87c72dbd3861972bb195618941e3c32923d0d5fbff2ea07df87bb39d7662d126
Instruction Fuzzy Hash: 0101F1B1640701A6E660A7609C06BDB32D05F85719F04082EBA6A6A2C3DFFC7848C69E

Non-executed Functions

Function 0040F4B0 Relevance: 58.0, APIs: 26, Strings: 7, Instructions: 237processCOMMON

Download Yara Rule

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 0040F4E4
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F5
Process32FirstW.KERNEL32 ref: 0040F51C
ProcessIdToSessionId.KERNEL32(?,00000000), ref: 0040F580
Process32NextW.KERNEL32(00000000,?), ref: 0040F599

Strings

SeDebugPrivilege, xrefs: 0040F679
winsta0\default, xrefs: 0040F637
D, xrefs: 0040F62F
explorer.exe, xrefs: 0040F530
CreateProcessAsUser error code = %u, xrefs: 0040F74C
Wtsapi32.dll, xrefs: 0040F5D9
WTSQueryUserToken, xrefs: 0040F5EC

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Process32Session$ActiveConsoleCreateFirstNextProcessSnapshotToolhelp32
String ID: CreateProcessAsUser error code = %u$D$SeDebugPrivilege$WTSQueryUserToken$Wtsapi32.dll$explorer.exe$winsta0\default
API String ID: 454700112-1816117144
Opcode ID: b792f76fef3c5821c6adff19624aa1018e188ca8ee915fc4b960e557e13d87fa
Instruction ID: 868e8af321bef8526ebb9efdd5a819997cebe86c1a8e1c3569e5be862766a823
Opcode Fuzzy Hash: b792f76fef3c5821c6adff19624aa1018e188ca8ee915fc4b960e557e13d87fa
Instruction Fuzzy Hash: 21816BB1508345ABD320EF65CC84E6FB7E9FF98704F00492EF58593291E678E908CB66

Function 004234C0 Relevance: 38.1, APIs: 25, Instructions: 629keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 00423504

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: cda97fcf1e5ea7301ed853fe661820a29dcc781d19fd551a5f716e902f241770
Instruction ID: ca37fc7e87758ba66a1c9c661f53c1d4395f06425dc7385a2ffed30279bff0dc
Opcode Fuzzy Hash: cda97fcf1e5ea7301ed853fe661820a29dcc781d19fd551a5f716e902f241770
Instruction Fuzzy Hash: A722E4703047119BD724DF25D885BABB3F5BFC8705F54091EF28697281DABCEA818B4A

Function 0043D150 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 229keyboardCOMMON

Download Yara Rule

APIs

keybd_event.USER32(003E003C,00000000,00000000,00000000), ref: 0043D293
keybd_event.USER32(00000010,00000000,00000000,00000000), ref: 0043D2BE
keybd_event.USER32(?,00000000,00000000,00000000), ref: 0043D2CB
keybd_event.USER32(?,00000000,00000000,00000000), ref: 0043D2F4
keybd_event.USER32(?,00000000,00000000,00000000), ref: 0043D317
keybd_event.USER32(-00000030,00000000,00000002,00000000), ref: 0043D3C7
keybd_event.USER32(00000010,00000000,00000002,00000000), ref: 0043D3D1

Strings

~_+|{}:"<>?, xrefs: 0043D1CD
`-=\[];',./, xrefs: 0043D192
)!@#$%^&*(, xrefs: 0043D15F

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: keybd_event
String ID: )!@#$%^&*($`-=\[];',./$~_+|{}:"<>?
API String ID: 2665452162-1702758438
Opcode ID: 79827c27a04c31f6193528c5d0e888c030a9f92a9200f2092648555a9df14570
Instruction ID: cb513ce823521757d684d4d74611f3cd45a4f19bc5899ee902defe0185a1636b
Opcode Fuzzy Hash: 79827c27a04c31f6193528c5d0e888c030a9f92a9200f2092648555a9df14570
Instruction Fuzzy Hash: DA81E974648342AAF3308F289C82F5F7BE0BB99B10F50451EFAD45A3D0C7B4A9459B5A

Function 00432AD0 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 297fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0045D7D6: _malloc.LIBCMT ref: 0045D7F4

_memset.LIBCMT ref: 00432B43
_sprintf.LIBCMT ref: 00432B71
FindFirstFileA.KERNEL32(00000000,00000000), ref: 00432B7B
_sprintf.LIBCMT ref: 00432C6D
_sprintf.LIBCMT ref: 00432D0C
FindNextFileA.KERNEL32(?,?), ref: 00432DC7
FindClose.KERNEL32(?), ref: 00432DE4

Strings

%s\*.*, xrefs: 00432B6B
%s%s, xrefs: 00432C5B, 00432CF6, 00432D86
%s*.*, xrefs: 00432B64
%s\%s, xrefs: 00432C67, 00432D02, 00432D92
Thumbs.db, xrefs: 00432C05

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Find_sprintf$File$CloseFirstNext_malloc_memset
String ID: %s%s$%s*.*$%s\%s$%s\*.*$Thumbs.db
API String ID: 2960731578-3874354321
Opcode ID: 0cd981659d42de7633e6f65a834dd90e3a37ad991e9f30d40366aff3609383e4
Instruction ID: 3d648919711d8a08d2df85156353924a471dffa26b588fce311c2bbde2f551ee
Opcode Fuzzy Hash: 0cd981659d42de7633e6f65a834dd90e3a37ad991e9f30d40366aff3609383e4
Instruction Fuzzy Hash: 0FA159715083415FC321DF248D95AAB7BE5AF9E304F08694EF8818B382E7B9D908C799

Function 00433470 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0045D7D6: _malloc.LIBCMT ref: 0045D7F4

_memset.LIBCMT ref: 004334D6
_sprintf.LIBCMT ref: 00433504
FindFirstFileA.KERNEL32(00000000,00000000), ref: 0043350E
_sprintf.LIBCMT ref: 004335EB
_sprintf.LIBCMT ref: 0043362E

Part of subcall function 00433470: FindNextFileA.KERNEL32(?,?), ref: 004336F2
Part of subcall function 00433470: FindClose.KERNEL32(?), ref: 00433709

_memset.LIBCMT ref: 0043366B

Part of subcall function 0040A8D0: GetFileSizeEx.KERNEL32(00000000,?), ref: 0040A90C
Part of subcall function 0040A8D0: CloseHandle.KERNEL32(00000000), ref: 0040A923

Strings

%s\*.*, xrefs: 004334FE
%s%s, xrefs: 004335D9, 00433612
%s*.*, xrefs: 004334F7
%s\%s, xrefs: 004335E5, 00433621

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: FileFind_sprintf$Close_memset$FirstHandleNextSize_malloc
String ID: %s%s$%s*.*$%s\%s$%s\*.*
API String ID: 810373389-4043038045
Opcode ID: ae1de87175806f048a9e75d4dc37834348e3d3dd26679ec360ff12913346e7e9
Instruction ID: 2d6ec9ca32da637d3620e7acc81cf86cb9f0d578824b4d325f52bebf47412a73
Opcode Fuzzy Hash: ae1de87175806f048a9e75d4dc37834348e3d3dd26679ec360ff12913346e7e9
Instruction Fuzzy Hash: 798128B15083416FC721DF24CC45BAB7BD5AF9D315F08551EF8858B382D639DA08C79A

Function 00434450 Relevance: 15.3, APIs: 10, Instructions: 296networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Part of subcall function 004ADC85: __waccess_s.LIBCMT ref: 004ADC90

CreateDirectoryW.KERNEL32(?,00000000), ref: 004345E3
socket.WS2_32(00000002,00000001,00000000), ref: 00434683
setsockopt.WS2_32(00000000,0000FFFF,00000004,?,00000004), ref: 004346BC
closesocket.WS2_32(?), ref: 004346CA
setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 00434700
htons.WS2_32(?), ref: 00434728
bind.WS2_32(?,?,00000010), ref: 00434741
closesocket.WS2_32(?), ref: 00434753
listen.WS2_32(?,7FFFFFFF), ref: 0043477B
closesocket.WS2_32(?), ref: 0043478D

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: closesocket$setsockopt$CreateDirectory__waccess_s_memcpy_sbindhtonslistensocket
String ID:
API String ID: 607810117-0
Opcode ID: 417e78a7120259d5b06c5c42757a0e8c9fc73a883f9253fc8a249bdb317e7ea3
Instruction ID: c04fe8b7a19c49825b31a207f00d0c5a8739115f0ac7f00abe8e0f205f6cc5fb
Opcode Fuzzy Hash: 417e78a7120259d5b06c5c42757a0e8c9fc73a883f9253fc8a249bdb317e7ea3
Instruction Fuzzy Hash: BEB179716046019FD300DF39C845B9BB7E4BF99324F504A2EF5AA972E1DB34A9048B96

Function 00479646 Relevance: 10.6, APIs: 7, Instructions: 126filestringCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,00479916,?,00000000,?,00000000,00000104,00000000,9F5E49E1,?,?), ref: 0047968E

Part of subcall function 00464FBD: __CxxThrowException@8.LIBCMT ref: 00464FD3

PathIsUNCW.SHLWAPI(?,00000000,?), ref: 004796FE
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00479725
CharUpperW.USER32(00000000), ref: 00479758
FindFirstFileW.KERNEL32(?,?), ref: 00479774
FindClose.KERNEL32(00000000), ref: 00479780
lstrlenW.KERNEL32(?), ref: 0047979E

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullInformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 3760758452-0
Opcode ID: 100ae2e8558b266560e260679b709574e041e59130ee99417d112ccba884f3e7
Instruction ID: aac2ff2f8603933c14ab26637a5f118485c85079a5bab577ba84edad9be1004a
Opcode Fuzzy Hash: 100ae2e8558b266560e260679b709574e041e59130ee99417d112ccba884f3e7
Instruction Fuzzy Hash: 1F419E719041199BDF28AF61CC8DBFE7779AF10318F14829AE80DA1191EB398E84CF14

Function 0043F450 Relevance: 10.5, APIs: 7, Instructions: 48clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 0043F45F
EmptyClipboard.USER32 ref: 0043F469
GlobalAlloc.KERNEL32(00002002,?), ref: 0043F494
GlobalLock.KERNEL32(00000000), ref: 0043F4A1
GlobalUnlock.KERNEL32(00000000), ref: 0043F4B1
SetClipboardData.USER32(00000001,00000000), ref: 0043F4BA
CloseClipboard.USER32 ref: 0043F4C2

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlock
String ID:
API String ID: 1677084743-0
Opcode ID: ff279ee44a385a9f3cdf26084893ee51b4b1731ea9463e1d270aaa16b791d06e
Instruction ID: b7f251f61e6efd5956d9fc66e0a129e0af625e8ec416835de6d4e17ce087143e
Opcode Fuzzy Hash: ff279ee44a385a9f3cdf26084893ee51b4b1731ea9463e1d270aaa16b791d06e
Instruction Fuzzy Hash: 0C018F76600212AFD7146B689C8C9AB77ACEF7D301F08912AF90AD7221DB75D80D9B64

Function 0043CE80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,?), ref: 0043CEAB
OpenProcessToken.ADVAPI32(00000000), ref: 0043CEB2
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0043CEC8
AdjustTokenPrivileges.ADVAPI32 ref: 0043CEF0

Strings

SeShutdownPrivilege, xrefs: 0043CEC1

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 2349140579-3733053543
Opcode ID: 37cb4a69fb1fd5f4e13e853fff0b6d1559e18d3b77c9fa42d84f8fe4f5f05299
Instruction ID: 9d6df847628fb659687521252fc637b45c1481f24ea1e3cf37e6fd3465bfe138
Opcode Fuzzy Hash: 37cb4a69fb1fd5f4e13e853fff0b6d1559e18d3b77c9fa42d84f8fe4f5f05299
Instruction Fuzzy Hash: B0018175244300ABE300DF94CD4EFAF77A8BB84B04F44480DF64985191DBB8954CDB67

Function 0043C0C0 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 0043C0D7
AdjustTokenPrivileges.ADVAPI32 ref: 0043C128
GetLastError.KERNEL32 ref: 0043C130

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 4244140340-0
Opcode ID: 847f922c50b648c306d4afa34be08f53475f7803cfae82391b783611b14bcc52
Instruction ID: 8c6c5ee795d400e3ab627c176fade2b1638cc7a789316cf0d8858beabac7f101
Opcode Fuzzy Hash: 847f922c50b648c306d4afa34be08f53475f7803cfae82391b783611b14bcc52
Instruction Fuzzy Hash: 00213A72208301AFE314CF55DC84FABB7E8EBD8714F10891EF58496280D3B5E949DBA6

Function 004AB071 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004B6EED
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004B6F02
UnhandledExceptionFilter.KERNEL32(0051B890), ref: 004B6F0D
GetCurrentProcess.KERNEL32(C0000409), ref: 004B6F29
TerminateProcess.KERNEL32(00000000), ref: 004B6F30

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f494919ddc364954b4e91e6eda76347cca68289c54e1f6e94fcb61e2f394548b
Instruction ID: 7d85a014763355e419cd30daebef6ee9dc9f593d609be7b155f2d1c0b43eb5be
Opcode Fuzzy Hash: f494919ddc364954b4e91e6eda76347cca68289c54e1f6e94fcb61e2f394548b
Instruction Fuzzy Hash: EA210CB8800209DFE710DF69FC4A648BBB2FB18310F40701AE60A87278EFB448819F95

Function 004E6FD0 Relevance: 6.5, APIs: 4, Instructions: 496COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004E7157

Part of subcall function 004AE95D: __lock.LIBCMT ref: 004AE97B
Part of subcall function 004AE95D: ___sbh_find_block.LIBCMT ref: 004AE986
Part of subcall function 004AE95D: ___sbh_free_block.LIBCMT ref: 004AE995
Part of subcall function 004AE95D: RtlFreeHeap.NTDLL(00000000,?,0062FB48,0000000C,004B698F,00000000,?,004C4667,?,00000001,?,?,004C1C41,00000018,00630278,0000000C), ref: 004AE9C5
Part of subcall function 004AE95D: GetLastError.KERNEL32(?,004C4667,?,00000001,?,?,004C1C41,00000018,00630278,0000000C,004C1CD2,?,?,?,004B6A49,0000000D), ref: 004AE9D6

_malloc.LIBCMT ref: 004E71DB

Part of subcall function 004AE893: __FF_MSGBANNER.LIBCMT ref: 004AE8B6
Part of subcall function 004AE893: __NMSG_WRITE.LIBCMT ref: 004AE8BD
Part of subcall function 004AE893: RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 004AE90A

_malloc.LIBCMT ref: 004E721E
_calloc.LIBCMT ref: 004E72AC

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _malloc$Heap$AllocateErrorFreeLast___sbh_find_block___sbh_free_block__lock_calloc
String ID:
API String ID: 753877093-0
Opcode ID: 34e1aba1b3db5a21a098a26aa34a64370a0276a6948ad6cf7a933f5000184fa7
Instruction ID: c7d2b67bc8dec9a5a32b0849678e63a095abcda6bcdb79f95b5f88021561d046
Opcode Fuzzy Hash: 34e1aba1b3db5a21a098a26aa34a64370a0276a6948ad6cf7a933f5000184fa7
Instruction Fuzzy Hash: A102E771B04A059BDB18CF6AC88166EB7F2FF88324B14C63DE55AC7741DA38E942CB44

Function 0043A870 Relevance: 6.1, APIs: 4, Instructions: 63comCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00509080,00000002), ref: 0043A87E
CoInitialize.OLE32(00000000), ref: 0043A886
CoCreateInstance.COMBASE ref: 0043A8A6
CoUninitialize.COMBASE ref: 0043A91A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CreateInfoInitializeInstanceParametersSystemUninitialize
String ID:
API String ID: 1309764610-0
Opcode ID: 1c8bb73a3f4a9664ecdd848fa476656e0c01ae42394caecc846bd92b8a878cd3
Instruction ID: fe9f939e0e7cb178df5fcc1fa29ff3e04afbc904df48146acfb3ec0ab1faff13
Opcode Fuzzy Hash: 1c8bb73a3f4a9664ecdd848fa476656e0c01ae42394caecc846bd92b8a878cd3
Instruction Fuzzy Hash: 84112974244301AFE710EF58CC89F5A77B4AF88704F008948F289DB2E1D7B5E95ACB52

Function 0043A930 Relevance: 6.1, APIs: 4, Instructions: 63comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0043A935
CoCreateInstance.COMBASE ref: 0043A955
CoUninitialize.COMBASE ref: 0043A9C9
SystemParametersInfoW.USER32(00000014,00000000,00000000,00000002), ref: 0043A9D7

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CreateInfoInitializeInstanceParametersSystemUninitialize
String ID:
API String ID: 1309764610-0
Opcode ID: ad7335c2c2041b45bf7e3ab1351900ebc14d0d07cab114d78773907bdcc1e18e
Instruction ID: 69235f46864376e09423224d7036ff8d8c7ae270747c4599e9253a24c1d6ea63
Opcode Fuzzy Hash: ad7335c2c2041b45bf7e3ab1351900ebc14d0d07cab114d78773907bdcc1e18e
Instruction Fuzzy Hash: AE114974244301AFE710EF58CC89F6A77B8AF88704F108948F289DB2E1D7B6E855CB56

Function 0045E632 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

MonitorFromWindow.USER32(00000002,00000000), ref: 0045E649

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: FromMonitorWindow
String ID:
API String ID: 721739931-0
Opcode ID: cd3ff949d7387c75df8e8c25115b7529d92db30919420555b5c045ddcaee5d5e
Instruction ID: a6fb75563b344a066e918e6123e79e7852e5caf8e161dce292a93bf9e5ddcd16
Opcode Fuzzy Hash: cd3ff949d7387c75df8e8c25115b7529d92db30919420555b5c045ddcaee5d5e
Instruction Fuzzy Hash: 78F08631100208ABCF095F62CD089AE3FA9AF203C6F848017FD19D5122DB39CB5DEB59

Function 0043E1B0 Relevance: 1.5, APIs: 1, Instructions: 4windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0043E1B4

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: 65760f6c3c7f48b304743aba415f4cea020c194497bdc9cae940e1f99e76e002
Instruction ID: f9ab621fac2720c3b473982eb20b4d2188f4efaddd4b9867012c44ab8a3e461d
Opcode Fuzzy Hash: 65760f6c3c7f48b304743aba415f4cea020c194497bdc9cae940e1f99e76e002
Instruction Fuzzy Hash: 20A002B59002009BCF00EBA4D94CC2937A8BF583067284588B14DCB011C735D416DB10

Function 004488C0 Relevance: 44.0, APIs: 17, Strings: 8, Instructions: 252sleepwindowCOMMON

Download Yara Rule

APIs

_sprintf.LIBCMT ref: 00448912
_sprintf.LIBCMT ref: 0044897C
_sprintf.LIBCMT ref: 004489B9
_sprintf.LIBCMT ref: 004489F3

Part of subcall function 004ABC43: __output_l.LIBCMT ref: 004ABC98

_memset.LIBCMT ref: 00448A0B
GetSystemMetrics.USER32(00000043), ref: 00448A62
IsUserAnAdmin.SHELL32 ref: 00448A6A
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00448A97
_sprintf.LIBCMT ref: 00448ABC
ShellExecuteA.SHELL32(?,Open,?,00000000,?,00000001), ref: 00448AE3
Sleep.KERNEL32(000001F4), ref: 00448AEE
_sprintf.LIBCMT ref: 00448B11
OutputDebugStringA.KERNEL32(?), ref: 00448B21
Sleep.KERNEL32(00000064), ref: 00448B29
OutputDebugStringW.KERNEL32(HHHHHHHHHHHHHHHhh ExecuteSeetrol_Clt m_nRemoteConnectMode = 1), ref: 00448B40

Part of subcall function 00445E70: GetSystemDefaultLangID.KERNEL32 ref: 00445F14
Part of subcall function 00445E70: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00445FC9

OutputDebugStringW.KERNEL32(HHHHHHHHHHHHHHHhh ExecuteSeetrol_Clt m_nRemoteConnectMode = 2), ref: 00448B8F
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00448BE2

Strings

%s\Seetrol_Clt.exe, xrefs: 0044890C, 00448AB6
HHHHHHHHHHHHHHHhh ExecuteSeetrol_Clt m_nRemoteConnectMode = 1, xrefs: 00448B3B
-%s %s %d %d %d&%d, xrefs: 004489B3, 004489ED
HHHHHHHHHH Seetrol_Clt.exe ....... executed......%s, IP=%s, ID=%s, relay port = %d, xrefs: 00448B0C
127.0.0.1, xrefs: 00448B46
%s&, xrefs: 00448976
HHHHHHHHHHHHHHHhh ExecuteSeetrol_Clt m_nRemoteConnectMode = 2, xrefs: 00448B8A
Open, xrefs: 00448ADD

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _sprintf$DebugMessageOutputSendString$SleepSystem$AdminDefaultExecuteLangMetricsShellUser__output_l_memset
String ID: %s&$%s\Seetrol_Clt.exe$-%s %s %d %d %d&%d$127.0.0.1$HHHHHHHHHH Seetrol_Clt.exe ....... executed......%s, IP=%s, ID=%s, relay port = %d$HHHHHHHHHHHHHHHhh ExecuteSeetrol_Clt m_nRemoteConnectMode = 1$HHHHHHHHHHHHHHHhh ExecuteSeetrol_Clt m_nRemoteConnectMode = 2$Open
API String ID: 3243847767-1239366993
Opcode ID: d56c3781ae79d78ddccc52583c43bfe0329084bf208e5ade4a51590947cba820
Instruction ID: b212782cdc2834cbcf3cf37f955da34be5f64f20ef20b7bcf850ccfe146e2458
Opcode Fuzzy Hash: d56c3781ae79d78ddccc52583c43bfe0329084bf208e5ade4a51590947cba820
Instruction Fuzzy Hash: 52A1C1B1244705ABD324DB61C889FEBB7E5FF98700F00891EF59A57281DB74A504CB66

Function 0043D500 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 163keyboardCOMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32(000003B5,?), ref: 0043D55A
OutputDebugStringW.KERNEL32(HANGUL..............), ref: 0043D56D
__itow.LIBCMT ref: 0043D59C
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D5AC
keybd_event.USER32(00000012,00000000), ref: 0043D5B1
MapVirtualKeyW.USER32(?,00000000), ref: 0043D5E4
keybd_event.USER32(?,00000000), ref: 0043D5F4
MapVirtualKeyW.USER32(?,00000000), ref: 0043D609
keybd_event.USER32(?,00000000), ref: 0043D619
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D63E
keybd_event.USER32(00000012,00000000), ref: 0043D643

Strings

ENGLISH.............., xrefs: 0043D64C
HANGUL.............., xrefs: 0043D568

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Virtualkeybd_event$ByteDebugLeadOutputString__itow
String ID: ENGLISH..............$HANGUL..............
API String ID: 1825388314-896187111
Opcode ID: 32d82104ab278263ba6b4f11f8e932cbc550867a9aea2fa983ecf4531da0c5dd
Instruction ID: c91a07affe5f9e97b4a1313dc31c1d7290a754b1194013478b8a79c47c4b8fac
Opcode Fuzzy Hash: 32d82104ab278263ba6b4f11f8e932cbc550867a9aea2fa983ecf4531da0c5dd
Instruction Fuzzy Hash: 9C514B711443656EE2206B759C9AFBFB7E8EF84701F00881AF9C1DA1C1EABCE504DB64

Function 0042E6C0 Relevance: 36.3, APIs: 24, Instructions: 271sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004678B0: ShowWindow.USER32(?,?), ref: 004678C1

LoadCursorW.USER32(?,000000CC), ref: 0042E721
SetCursor.USER32(00000000), ref: 0042E72A
SetClassLongW.USER32(?,000000F4,00000000), ref: 0042E737
GetSystemMetrics.USER32(0000004E), ref: 0042E783
GetSystemMetrics.USER32(0000004F), ref: 0042E78D
73A0A570.USER32(?), ref: 0042E7B5
73A0A570.USER32(00000000), ref: 0042E7BE
SelectObject.GDI32(?,00000000), ref: 0042E806
SelectObject.GDI32(?,00000000), ref: 0042E83C
SelectObject.GDI32(?,00000000), ref: 0042E872
GetStockObject.GDI32(00000000), ref: 0042E876
FillRect.USER32(?,?,00000000), ref: 0042E889

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

SelectObject.GDI32(?,00000000), ref: 0042E8C3
GetStockObject.GDI32(00000004), ref: 0042E8CD
FillRect.USER32(?,?,00000000), ref: 0042E8E2
GetStockObject.GDI32(00000004), ref: 0042E8E6
FillRect.USER32(?,?,00000000), ref: 0042E8F5
GetStockObject.GDI32(00000004), ref: 0042E8F9
FillRect.USER32(?,?,00000000), ref: 0042E908
SetWindowPos.USER32(?,000000FF,00000000,00000000,?,?,00000400), ref: 0042E950
ShowWindow.USER32(?,00000005), ref: 0042E95C
Sleep.KERNEL32(0000001E), ref: 0042E964
73A0A570.USER32(?), ref: 0042E96E
UpdateWindow.USER32(?), ref: 0042E9D9

Part of subcall function 0042DC50: GetModuleHandleW.KERNEL32(USER32.DLL), ref: 0042DC58
Part of subcall function 0042DC50: GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 0042DC64

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Object$FillRectSelectStockWindow$A570$CursorMetricsShowSystem$AddressClassHandleLoadLongModuleProcSleepUpdate_memcpy_s
String ID:
API String ID: 2783743240-0
Opcode ID: 873675a99a6d955d7d9f7c9851688023c2f040ce999b9cb3ef152fdb61d66227
Instruction ID: fd28eaefabb62833fa47a8bc50257edce852bb44e3f5d8d5667c82294706996a
Opcode Fuzzy Hash: 873675a99a6d955d7d9f7c9851688023c2f040ce999b9cb3ef152fdb61d66227
Instruction Fuzzy Hash: 6CA10BB1600700AFD354DF75CC85F6BB7E9FB88710F108A1EF69A97290DA74B8058B65

Function 0042D6C0 Relevance: 34.8, APIs: 23, Instructions: 328windowCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32(?,000000CC), ref: 0042D706
LoadCursorW.USER32(?,000000CB), ref: 0042D72D
SetCursor.USER32(00000000), ref: 0042D77B
SetClassLongW.USER32(?,000000F4,00000000), ref: 0042D788
CreatePopupMenu.USER32 ref: 0042D7D0
AppendMenuW.USER32(00000000,00000000,00002BDF,00000010), ref: 0042D808
AppendMenuW.USER32(00000000,00000000,00002BE0,00000010), ref: 0042D834
AppendMenuW.USER32(00000000,00000000,00002BE1,00000010), ref: 0042D860
AppendMenuW.USER32(00000000,00000000,00002BE2,00000010), ref: 0042D88C
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 0042D898
AppendMenuW.USER32(00000000,00000000,00002BE3,00000010), ref: 0042D8C4
AppendMenuW.USER32(00000000,00000000,00002BE4,00000010), ref: 0042D8F0
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 0042D8FC
AppendMenuW.USER32(00000000,00000000,00002BE9,00000010), ref: 0042D928
AppendMenuW.USER32(00000000,00000000,00002BE5,00000010), ref: 0042D954
AppendMenuW.USER32(00000000,00000000,00002BE6,00000010), ref: 0042D980
AppendMenuW.USER32(00000000,00000000,00002BE7,00000010), ref: 0042D9AC
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 0042D9B8
CheckMenuItem.USER32(00000000,00002BE3,00000008), ref: 0042DA0A
CheckMenuItem.USER32(00000000,00002BE9,00000008), ref: 0042DA1D

Part of subcall function 00403BF0: FindResourceW.KERNEL32(?,?,00000006), ref: 00403C0A

CheckMenuItem.USER32(00000000,00002BE7,00000008), ref: 0042DA4E
TrackPopupMenu.USER32(00000000,00000000,?,?,00000000,?,00000000), ref: 0042DA65

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Menu$Append$CheckCursorItem$LoadPopup$ClassCreateFindLongResourceTrack
String ID:
API String ID: 4082964069-0
Opcode ID: 28f9ac8886ce6ddcff699cfbf59059724cb208ad4001e93fbc48ada6d8562726
Instruction ID: 0b8dc11dd53e4d47c88d1b3d280f46f12606b95a4b21b351422c218975c5273a
Opcode Fuzzy Hash: 28f9ac8886ce6ddcff699cfbf59059724cb208ad4001e93fbc48ada6d8562726
Instruction Fuzzy Hash: 43A1C4707843517BE720FF21DC46F6F7398AF94B54F10451AFA41AA1D1DB68E8048BAB

Function 00414EA0 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000003), ref: 00414F85
SendMessageW.USER32(?,00000143,00000000,?), ref: 00414FE3
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00414FFB
SendMessageW.USER32(?,00000030,?,00000001), ref: 0041501A
SendMessageW.USER32(?,00000153,000000FF,?), ref: 0041502D
SendMessageW.USER32(?,00000160,00000000,00000000), ref: 00415042

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Part of subcall function 00464FBD: __CxxThrowException@8.LIBCMT ref: 00464FD3

SendMessageW.USER32(?,0000015E,00000000,00000000), ref: 00415051
IsWindow.USER32(?), ref: 00415057
SendMessageW.USER32(?,0000014D,000000FF,?), ref: 00415073
SendMessageW.USER32(?,0000014F,00000001,00000000), ref: 00415095
SendMessageW.USER32(?,000000B1,?,000000FF), ref: 00415100
SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 0041510F

Part of subcall function 004677E5: IsWindow.USER32(?), ref: 004677F9

SendMessageW.USER32(?,000000B1,?,000000FF), ref: 0041513B
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00415159
SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 00415168
SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 00415188
SendMessageW.USER32(?,00000102,?,00000000), ref: 00415196

Strings

jF, xrefs: 00414EDE

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSend$Window$Exception@8MetricsSystemThrow_memcpy_s
String ID: jF
API String ID: 1754812080-3835491092
Opcode ID: 226f8ed70b847ae7a9f746d2977cecb2a4bbe5f1a038936a68067f6826aca08c
Instruction ID: 343cf891f754623a47d1320c531a0ee91685bbdc6e0c4d8e236beb0e1cbc123e
Opcode Fuzzy Hash: 226f8ed70b847ae7a9f746d2977cecb2a4bbe5f1a038936a68067f6826aca08c
Instruction Fuzzy Hash: 70A18C70244B00ABD720DB68CC81FABB7E9AF88714F104A1EF6999B2D0D7B4E9408B55

Function 0042EA30 Relevance: 33.3, APIs: 22, Instructions: 329windowCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32(?,000000CC), ref: 0042EA83
LoadCursorW.USER32(?,000000CB), ref: 0042EAAA
SetCursor.USER32(00000000), ref: 0042EAF3
SetClassLongW.USER32(9F5E49E1,000000F4,00000000), ref: 0042EB00
CreatePopupMenu.USER32 ref: 0042EB48
AppendMenuW.USER32(00000000,00000000,00002BDF,00000010), ref: 0042EB80
AppendMenuW.USER32(00000000,00000000,00002BE0,00000010), ref: 0042EBAC
AppendMenuW.USER32(00000000,00000000,00002BE1,00000010), ref: 0042EBD8
AppendMenuW.USER32(00000000,00000000,00002BE2,00000010), ref: 0042EC04
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 0042EC10
AppendMenuW.USER32(00000000,00000000,00002BE3,00000010), ref: 0042EC3C
AppendMenuW.USER32(00000000,00000000,00002BE4,00000010), ref: 0042EC68
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 0042EC74
AppendMenuW.USER32(00000000,00000000,00002BE9,00000010), ref: 0042ECA0
AppendMenuW.USER32(00000000,00000000,00002BE5,00000010), ref: 0042ECCC
AppendMenuW.USER32(00000000,00000000,00002BE6,00000010), ref: 0042ECF8
AppendMenuW.USER32(00000000,00000000,00002BE7,00000010), ref: 0042ED24
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 0042ED30
CheckMenuItem.USER32(00000000,00002BE3,00000008), ref: 0042ED82
CheckMenuItem.USER32(00000000,00002BE9,00000008), ref: 0042ED95

Part of subcall function 00403BF0: FindResourceW.KERNEL32(?,?,00000006), ref: 00403C0A

CheckMenuItem.USER32(00000000,00002BE7,00000008), ref: 0042EDC6
TrackPopupMenu.USER32(00000000,00000000,?,?,00000000,9F5E49E1,00000000), ref: 0042EDDD

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Menu$Append$CheckCursorItem$LoadPopup$ClassCreateFindLongResourceTrack
String ID:
API String ID: 4082964069-0
Opcode ID: 87b68112dea9e5cf06d1d3b2b3a33c5adc4e0646b7ab440b6e55d790580baaf1
Instruction ID: 3c76dcbf20c2593bd486547eec0c9faedf9b799159b364a2cfb2b46af12dc6c2
Opcode Fuzzy Hash: 87b68112dea9e5cf06d1d3b2b3a33c5adc4e0646b7ab440b6e55d790580baaf1
Instruction Fuzzy Hash: 79A1D5303843117BE720EF22DC46F6F7798AF94B54F10451AF641AA2D1DBA8E90587AB

Function 0042D350 Relevance: 30.3, APIs: 20, Instructions: 266sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004678B0: ShowWindow.USER32(?,?), ref: 004678C1

LoadCursorW.USER32(?,000000CC), ref: 0042D39E
SetCursor.USER32(00000000), ref: 0042D3A7
SetClassLongW.USER32(?,000000F4,00000000), ref: 0042D3B4
GetSystemMetrics.USER32(0000004E), ref: 0042D400
GetSystemMetrics.USER32(0000004F), ref: 0042D40A
73A0A570.USER32(?), ref: 0042D41C
73A0A570.USER32(00000000), ref: 0042D425
SelectObject.GDI32(?,00000000), ref: 0042D46D
SelectObject.GDI32(?,00000000), ref: 0042D4A3
SelectObject.GDI32(?,00000000), ref: 0042D4F7
GetStockObject.GDI32(00000000), ref: 0042D4FB
FillRect.USER32(?,?,00000000), ref: 0042D50E

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

SelectObject.GDI32(?,00000000), ref: 0042D548
GetStockObject.GDI32(00000004), ref: 0042D54C
FillRect.USER32(?,?,00000000), ref: 0042D55F

Part of subcall function 0042CA20: DeleteObject.GDI32(?), ref: 0042CA36
Part of subcall function 0042CA20: DeleteObject.GDI32(?), ref: 0042CA4D
Part of subcall function 0042CA20: CreatePen.GDI32(00000000,?,00FFFFFF), ref: 0042CAC4
Part of subcall function 0042CA20: SelectObject.GDI32(?,00000000), ref: 0042CAE0
Part of subcall function 0042CA20: CreatePen.GDI32(00000000,?,00FFFFFF), ref: 0042CB0F
Part of subcall function 0042CA20: SelectObject.GDI32(?,00000000), ref: 0042CB1F

SetWindowPos.USER32(?,000000FF,00000000,00000000,?,?,00000400), ref: 0042D5E5
ShowWindow.USER32(?,00000005), ref: 0042D5F1
Sleep.KERNEL32(0000001E), ref: 0042D5F9
73A0A570.USER32(?), ref: 0042D603
UpdateWindow.USER32(?), ref: 0042D668

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Object$Select$Window$A570$CreateCursorDeleteFillMetricsRectShowStockSystem$ClassLoadLongSleepUpdate_memcpy_s
String ID:
API String ID: 4212544311-0
Opcode ID: d28451506382d39f58ef8516137ef0dfc000f67671821453845e0b04885a401e
Instruction ID: a25ae7d315f374ec2133c91c756bd1c95f5a9edc401d7f9f4fee71978a5bfb58
Opcode Fuzzy Hash: d28451506382d39f58ef8516137ef0dfc000f67671821453845e0b04885a401e
Instruction Fuzzy Hash: AFA1E7B5600700AFE364DB78CC85F6BB7E9FB98710F104A1DF6AA97291D674B800CB65

Function 00444010 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 277windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00444048
ScreenToClient.USER32(?,9F5E49E1), ref: 00444069
CreatePopupMenu.USER32 ref: 00444088
AppendMenuW.USER32(00000000,00000000,0000573F,00000000), ref: 00444102
AppendMenuW.USER32(00000000,00000000,00005740,00000000), ref: 0044412E
AppendMenuW.USER32(00000000,00000000,00005742,00000000), ref: 0044415A
AppendMenuW.USER32(00000000,00000000,00005745,00000000), ref: 00444228
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 00444234
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00444246
AppendMenuW.USER32(00000000,00000000,00005746,00000000), ref: 004442A7
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 004442B3
AppendMenuW.USER32(00000000,00000000,00005747,00000000), ref: 004442DF
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 004442EB
AppendMenuW.USER32(00000000,00000000,00005743,00000000), ref: 00444317
TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0044432E
DestroyMenu.USER32(00000000), ref: 00444335

Part of subcall function 00403BF0: FindResourceW.KERNEL32(?,?,00000006), ref: 00403C0A

Strings

&, xrefs: 0044407D

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Menu$Append$ClientPopupScreen$CreateDestroyFindMessageResourceSendTrack
String ID: &
API String ID: 4294952625-1010288
Opcode ID: d6d2293ef665cee787533bbd2f40e395f3bb7b6dae9aca34079b1899cfcc0cff
Instruction ID: 6d2ed5aeacc9306a955994b3f03df2ed1c9cc85533df8009290135bfe5cbd59d
Opcode Fuzzy Hash: d6d2293ef665cee787533bbd2f40e395f3bb7b6dae9aca34079b1899cfcc0cff
Instruction Fuzzy Hash: 6591E370244341AFE310EB24CC46F6B77A8BFC5718F10861DF545AA2D2DB78E905CBAA

Function 00442540 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 256COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004425DC

Strings

Open, xrefs: 00442846
DemoForge Mirage Driver, xrefs: 0044275B
HHHHHH 222222Seetrol Client : InstallMirageDriver2 : LookupVideoDeviceAlt - NOT installed. ! , xrefs: 00442834
HHHHHH 22222Seetrol Client : InstallMirageDriver2 : LookupVideoDeviceAlt - Already installed. ! , xrefs: 00442816
HHHHHH Seetrol Client : InstallMirageDriver2 : LookupVideoDeviceAlt - NOT installed. ! , xrefs: 004427BF
MIRAGE, xrefs: 0044266D
dfmirage, xrefs: 004427C6
Install.cmd, xrefs: 00442841
HHHHHH Seetrol Client : InstallMirageDriver2 : LookupVideoDeviceAlt - Already installed. ! , xrefs: 00442797
Mirage Driver, xrefs: 00442747, 004427DA

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _memset
String ID: DemoForge Mirage Driver$HHHHHH 222222Seetrol Client : InstallMirageDriver2 : LookupVideoDeviceAlt - NOT installed. ! $HHHHHH 22222Seetrol Client : InstallMirageDriver2 : LookupVideoDeviceAlt - Already installed. ! $HHHHHH Seetrol Client : InstallMirageDriver2 : LookupVideoDeviceAlt - Already installed. ! $HHHHHH Seetrol Client : InstallMirageDriver2 : LookupVideoDeviceAlt - NOT installed. ! $Install.cmd$MIRAGE$Mirage Driver$Open$dfmirage
API String ID: 2102423945-4064026258
Opcode ID: 4d9e1e50c74e66439cbed8344b2f12c94be3c283102dddbb5be591237fb23136
Instruction ID: 0a8cd83e58a4c916a47e301e8fda25f82b2cc3ed673d6d70c6b96974ae646008
Opcode Fuzzy Hash: 4d9e1e50c74e66439cbed8344b2f12c94be3c283102dddbb5be591237fb23136
Instruction Fuzzy Hash: 1581D572204301ABD325DB64CC46F9FB7EDFF98704F404A1EF54A961C1EAB4A604CB96

Function 0045E431 Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(USER32,00000000,00000000,75A84A40,0045E63F,?,?,?,?,?,?,?,00461066,00000000,00000002,00000028), ref: 0045E45C
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0045E478
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0045E48D
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0045E49E
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0045E4AF
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0045E4C0
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW), ref: 0045E4D1
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0045E4F1

Strings

MonitorFromWindow, xrefs: 0045E487
GetSystemMetrics, xrefs: 0045E472
MonitorFromRect, xrefs: 0045E498
USER32, xrefs: 0045E452
MonitorFromPoint, xrefs: 0045E4A9
GetMonitorInfoA, xrefs: 0045E4EB
GetMonitorInfoW, xrefs: 0045E4E4
EnumDisplayDevicesW, xrefs: 0045E4CB
EnumDisplayMonitors, xrefs: 0045E4BA

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2451437823
Opcode ID: f49668b83791811f813aeffd8dc78789786688347f272aa421b7546415673f67
Instruction ID: 6f29c2adf917d822ea7264e1f37fdcce08132001ea0e2fb6c7242949d24a85c5
Opcode Fuzzy Hash: f49668b83791811f813aeffd8dc78789786688347f272aa421b7546415673f67
Instruction Fuzzy Hash: 7121B3B1A04215ABC710DFF66CC9C6A3EE6B249706314343FE951D2210FB7845C8AFCA

Function 00446850 Relevance: 28.4, APIs: 10, Strings: 6, Instructions: 430sleeptimewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3D8F: __waccess_s.LIBCMT ref: 004F3D9A

_sprintf.LIBCMT ref: 004469E1
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004469F9
Sleep.KERNEL32(0000001E,?,?,00000000), ref: 00446A10
_sprintf.LIBCMT ref: 00446A6E
ShellExecuteA.SHELL32(?,Open,?,?,00000000,00000001), ref: 00446A93
Sleep.KERNEL32(0000001E,?,00000024,00000000), ref: 00446CD8
_sprintf.LIBCMT ref: 00446D0A
ShellExecuteA.SHELL32(00000000,Open,?,?,00000000,00000001), ref: 00446D2D
KillTimer.USER32(?,0000046B), ref: 00446D42
KillTimer.USER32(?,0000046C), ref: 00446D4D

Strings

%s %d %d %d 1, xrefs: 00446A68, 00446D04
%s\STUpdate.exe, xrefs: 004469DB
STUpdate.exe, xrefs: 0044688D
.seetrol.com, xrefs: 00446968
%1.2f, xrefs: 00446C3D
Open, xrefs: 00446A8D, 00446D26

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _sprintf$ExecuteKillShellSleepTimer$MessageSend__waccess_s
String ID: %1.2f$%s %d %d %d 1$%s\STUpdate.exe$.seetrol.com$Open$STUpdate.exe
API String ID: 3704806930-3105910771
Opcode ID: a04ba99d86fb500ac997296883ffd6b8cfdfe6962194a057c03c6e59f74f0287
Instruction ID: ddaf525510793463ffa97b57aa1c634083f2d1d7c0d2b27c0158a706d073d732
Opcode Fuzzy Hash: a04ba99d86fb500ac997296883ffd6b8cfdfe6962194a057c03c6e59f74f0287
Instruction Fuzzy Hash: 1FF1D2702043419FE314EB28C856FABB7E8BF95314F048A1DF5599B2D2DF74A904CBA6

Function 004347F0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 169networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32(?), ref: 0043483C
closesocket.WS2_32(?), ref: 00434850
inet_addr.WS2_32(?), ref: 004348B0
inet_addr.WS2_32(?), ref: 004348D1
htons.WS2_32(?), ref: 004348EF
ioctlsocket.WS2_32(?,8004667E,?), ref: 0043491D
OutputDebugStringW.KERNEL32(ioctlsocket error. - 1), ref: 00434928
connect.WS2_32(?,?,00000010), ref: 00434939
select.WS2_32(00000000,00000000,?,?,?), ref: 00434999
__WSAFDIsSet.WS2_32(?,00000001), ref: 004349A5
ioctlsocket.WS2_32(?,8004667E,00000000), ref: 004349C1
OutputDebugStringW.KERNEL32(ioctlsocket error. - 2), ref: 004349CC
ioctlsocket.WS2_32(?,8004667E,00000000), ref: 00434A00
OutputDebugStringW.KERNEL32(ioctlsocket error. - 2), ref: 00434A0B

Strings

ioctlsocket error. - 1, xrefs: 00434923
ioctlsocket error. - 2, xrefs: 004349C7, 00434A06

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: DebugOutputStringioctlsocket$inet_addr$closesocketconnectgethostbynamehtonsselect
String ID: ioctlsocket error. - 1$ioctlsocket error. - 2
API String ID: 734838199-228890931
Opcode ID: 4abfcb7edfca1e10c29a36a9cf180cef7dcaa1945149d23bd4efd3ab7355b109
Instruction ID: 16d11c4064da887cfd05223f7ea35fbdf00b992dfae9d3430c9bee858d7992d5
Opcode Fuzzy Hash: 4abfcb7edfca1e10c29a36a9cf180cef7dcaa1945149d23bd4efd3ab7355b109
Instruction Fuzzy Hash: BB516C70205741AFD320EF68D848BABB7E4FFC8310F004A1EE459C7290EB74A905CB9A

Function 00444410 Relevance: 27.2, APIs: 18, Instructions: 232windowCOMMON

Download Yara Rule

APIs

SetForegroundWindow.USER32(?), ref: 0044446A
SetForegroundWindow.USER32(?), ref: 00444484
GetCursorPos.USER32(9F5E49E1), ref: 0044448F
CreatePopupMenu.USER32 ref: 00444495
AppendMenuW.USER32(00000000,00000000,0000573B,00000001), ref: 00444500
AppendMenuW.USER32(00000000,00000000,0000573F,00000001), ref: 0044451D
AppendMenuW.USER32(00000000,00000000,00005740,00000001), ref: 0044453A
AppendMenuW.USER32(00000000,00000000,00005742,00000001), ref: 00444557

Part of subcall function 004678B0: ShowWindow.USER32(?,?), ref: 004678C1

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Menu$Append$Window$Foreground$CreateCursorPopupShow
String ID:
API String ID: 2360199667-0
Opcode ID: eff4ecb11819b2889938bef2c7db774f2eda696db479ff13d9c3a894588bc0ad
Instruction ID: f71184e6f48ade30d49a1ef0f8b113aae14c88ff17421f05853020eaff06d23a
Opcode Fuzzy Hash: eff4ecb11819b2889938bef2c7db774f2eda696db479ff13d9c3a894588bc0ad
Instruction Fuzzy Hash: 3381C670244304BFE310EB21CC86F5F77A8AF95B15F10462DF6456A1D2DB78EA05CB6A

Function 0044B680 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 241sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3D8F: __waccess_s.LIBCMT ref: 004F3D9A

GetWindowsDirectoryA.KERNEL32(?,000000FF,?,00000014,00000000,000000A5), ref: 0044B822
_sprintf.LIBCMT ref: 0044B83A
Sleep.KERNEL32(0000000A), ref: 0044B87C
Sleep.KERNEL32(00000064), ref: 0044B889
_sprintf.LIBCMT ref: 0044B8D4
Sleep.KERNEL32(0000001E,?,%s\STUpdate.exe,?), ref: 0044B8E5
_sprintf.LIBCMT ref: 0044B910
ShellExecuteA.SHELL32(?,Open,?,?,00000000,00000001), ref: 0044B934

Part of subcall function 00403BF0: FindResourceW.KERNEL32(?,?,00000006), ref: 00403C0A

Strings

kh.seetrol.com, xrefs: 0044B8FE
%s\Prefetch, xrefs: 0044B834
%s\STUpdate.exe, xrefs: 0044B8C6
STUpdate.exe, xrefs: 0044B6BE
SeetrolClient.exe, xrefs: 0044B85C
Open, xrefs: 0044B92E
%s %d %d %d 6, xrefs: 0044B90A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Sleep_sprintf$DirectoryExecuteFindResourceShellWindows__waccess_s
String ID: %s %d %d %d 6$%s\Prefetch$%s\STUpdate.exe$Open$STUpdate.exe$SeetrolClient.exe$kh.seetrol.com
API String ID: 289328153-3826192657
Opcode ID: c19332b8f1b27fdab80e6d2ee528cf77309c2253800d1287127ac9262abe5af7
Instruction ID: a60a150ef50c3c6768bdec5fa4c12092bb15580bb92d684fa7dbdbd084d631ef
Opcode Fuzzy Hash: c19332b8f1b27fdab80e6d2ee528cf77309c2253800d1287127ac9262abe5af7
Instruction Fuzzy Hash: 6191C3B12047419FD314DB28C891FABB7E4FF99714F044A2EF1558B2D2DB74A904CB9A

Function 00424D90 Relevance: 25.8, APIs: 17, Instructions: 331timewindowCOMMON

Download Yara Rule

APIs

ClipCursor.USER32 ref: 00424DA9
GetCapture.USER32 ref: 00424DAF
ReleaseCapture.USER32 ref: 00424DC7
KillTimer.USER32(?,?), ref: 00424DD8
GetClientRect.USER32(?,?), ref: 00424EEC
73A0A570.USER32(?), ref: 00424F17
InvertRect.USER32(?,?), ref: 00424F32
InvalidateRect.USER32(?,00000000,00000001,?,?,00000000), ref: 00424FC0
GetClientRect.USER32(?,?), ref: 00424FDD
73A0A570.USER32(?), ref: 00425008
InvertRect.USER32(?,?), ref: 00425023
InvalidateRect.USER32(?,00000000,00000001,00000000,00000000,00000000), ref: 004250A8
LoadCursorW.USER32(00000000,00007F00), ref: 00425141
SetCursor.USER32(00000000), ref: 00425148
GetParent.USER32(?), ref: 0042516B
IsWindow.USER32(?), ref: 00425181
PostMessageW.USER32(?,00000111,?,?), ref: 004251A3

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Rect$Cursor$A570CaptureClientInvalidateInvert$ClipKillLoadMessageParentPostReleaseTimerWindow
String ID:
API String ID: 1713989008-0
Opcode ID: 14f7dae27c7583faa40073054780e5e0dcdf4f4b1b4076c32287e4c6bd9e85a0
Instruction ID: 083ec68b99b56b8f3e7c043125c734348e88465a2f59f0d4be0f049f3e6954f0
Opcode Fuzzy Hash: 14f7dae27c7583faa40073054780e5e0dcdf4f4b1b4076c32287e4c6bd9e85a0
Instruction Fuzzy Hash: 61C14A75304A11AFC714EB65D898E6BB3E9BFC8700F444A0EF59A87350DB38E845CB95

Function 0040A700 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 140filesynchronizationthreadCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A740
GetWindowsDirectoryA.KERNEL32 ref: 0040A773
GetCurrentThreadId.KERNEL32 ref: 0040A779
_sprintf.LIBCMT ref: 0040A78A
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040A814
CloseHandle.KERNEL32(00000000), ref: 0040A825
CloseHandle.KERNEL32(?), ref: 0040A82C
CloseHandle.KERNEL32(00000000), ref: 0040A82F
GetFileSize.KERNEL32(00000000,00000000), ref: 0040A855
_memset.LIBCMT ref: 0040A871
ReadFile.KERNEL32 ref: 0040A88D
CloseHandle.KERNEL32(00000000), ref: 0040A89E

Strings

D, xrefs: 0040A7DA
cmd%ld_out.txt, xrefs: 0040A784

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CloseHandle$File_memset$CurrentDirectoryObjectReadSingleSizeThreadWaitWindows_sprintf
String ID: D$cmd%ld_out.txt
API String ID: 2928362385-3191579634
Opcode ID: 2282a66ec9514a9751bf62c8da3931ef68c7a68599ee873a7cf773a67ca66c6b
Instruction ID: 5d7d36149cb4556900522742c357bf25ce5870c7bdd8f2227985a905510dbea1
Opcode Fuzzy Hash: 2282a66ec9514a9751bf62c8da3931ef68c7a68599ee873a7cf773a67ca66c6b
Instruction Fuzzy Hash: 0E5130B1548300AFE320DB65DC49FABB7E8FFD8704F004A1DB68997291EB75A5048B66

Function 0042E1E0 Relevance: 24.1, APIs: 16, Instructions: 112sleepCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000020), ref: 0042E208
DeleteObject.GDI32(?), ref: 0042E219
DeleteObject.GDI32(?), ref: 0042E22C
DeleteDC.GDI32(?), ref: 0042E23F
DeleteDC.GDI32(?), ref: 0042E252
DeleteObject.GDI32(?), ref: 0042E265
DeleteDC.GDI32(?), ref: 0042E278
DeleteObject.GDI32(?), ref: 0042E28B
DeleteDC.GDI32(?), ref: 0042E29E
DeleteObject.GDI32(?), ref: 0042E2B1
DeleteDC.GDI32(?), ref: 0042E2C4
DeleteObject.GDI32(?), ref: 0042E2D7
DeleteDC.GDI32(?), ref: 0042E2EA
Sleep.KERNEL32(0000001E), ref: 0042E2F4
LoadCursorW.USER32(?,00007F00), ref: 0042E30D
SetCursor.USER32(00000000), ref: 0042E314

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Delete$Object$Cursor$LoadSleepWindow
String ID:
API String ID: 2185312199-0
Opcode ID: 63ebd199dcf276875b0bed0fc33e69c5c94e27625b9e6b08775e5d682dba07c1
Instruction ID: dd01d53a4f9df0289f25834598d6f560f1bb804a95d7dc9d82ca4b68eac7aee8
Opcode Fuzzy Hash: 63ebd199dcf276875b0bed0fc33e69c5c94e27625b9e6b08775e5d682dba07c1
Instruction Fuzzy Hash: A4412F74700B10DBC6219B7A9C84FABF7E9BB85750F540D5AE5AAD3300CB34F8409B29

Function 0042CED0 Relevance: 24.1, APIs: 16, Instructions: 109sleepCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000020), ref: 0042CEEC
DeleteObject.GDI32(?), ref: 0042CF03
DeleteObject.GDI32(?), ref: 0042CF16
DeleteDC.GDI32(?), ref: 0042CF2F
DeleteDC.GDI32(?), ref: 0042CF42
DeleteObject.GDI32(?), ref: 0042CF55
DeleteDC.GDI32(?), ref: 0042CF68
DeleteObject.GDI32(?), ref: 0042CF7B
DeleteDC.GDI32(?), ref: 0042CF8E
DeleteObject.GDI32(?), ref: 0042CFA1
DeleteDC.GDI32(?), ref: 0042CFB4
DeleteObject.GDI32(?), ref: 0042CFC7
DeleteDC.GDI32(?), ref: 0042CFDA
Sleep.KERNEL32(0000001E), ref: 0042CFE4
LoadCursorW.USER32(?,00007F00), ref: 0042CFFD
SetCursor.USER32(00000000), ref: 0042D004

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Delete$Object$Cursor$LoadSleepWindow
String ID:
API String ID: 2185312199-0
Opcode ID: 45a20045e1751946e94a931afa504aa13ace11638c664065770a4f48d301189a
Instruction ID: 123443b210d29d1e0dd9d4fc2b3d2d282bf78b23886207d806d17c9828945eec
Opcode Fuzzy Hash: 45a20045e1751946e94a931afa504aa13ace11638c664065770a4f48d301189a
Instruction Fuzzy Hash: 82313D74B04B009BC6219B799D88B6BF7EABB85740F550D1AE5AAC3341CB35E8409B29

Function 00444BF0 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 306windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000080,00000001,?), ref: 00444C81
SendMessageW.USER32(?,00000080,00000000,?), ref: 00444C94
LoadIconW.USER32(?,000000C0), ref: 00444FEF

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Strings

Seetrol Client - Logon, xrefs: 00444D2F, 00444E11
- Logon, xrefs: 00444CE8, 00444DCA
Seetrol Client - Logoff, xrefs: 00444EFE, 00444FCE
- Logoff, xrefs: 00444EB7, 00444F99

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSend$IconLoad_memcpy_s
String ID: - Logoff$ - Logon$Seetrol Client - Logoff$Seetrol Client - Logon
API String ID: 244865960-3630949276
Opcode ID: 9ce6b29eeb69bd5df8812e7a4fda7798dca7463114b2205438a0cdfd611e7395
Instruction ID: 40b47ba604596f13e89f4e80f051eff82bcb26e1527ef952165fb0b97c104f8d
Opcode Fuzzy Hash: 9ce6b29eeb69bd5df8812e7a4fda7798dca7463114b2205438a0cdfd611e7395
Instruction Fuzzy Hash: C5B1E7751047019FD310EF61C881FABBBE8BF98748F00492EF596572D2DA78E548CB66

Function 00446640 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 152timesleepCOMMON

Download Yara Rule

APIs

RtlDeleteCriticalSection.NTDLL(?), ref: 0044668D
KillTimer.USER32(?,0000046B,9F5E49E1), ref: 004466D5
KillTimer.USER32(?,0000046E), ref: 004466E0
KillTimer.USER32(?,0000046C,9F5E49E1), ref: 004466F9
KillTimer.USER32(?,00000478,9F5E49E1), ref: 0044670A
KillTimer.USER32(?,00000474), ref: 00446715
KillTimer.USER32(?,00000473), ref: 00446720
closesocket.WS2_32(?), ref: 0044676F
Sleep.KERNEL32(0000001E), ref: 00446787
Sleep.KERNEL32(0000001E), ref: 004467E6
GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 004467F4
_sprintf.LIBCMT ref: 0044680D

Strings

%s\Seetrol_Clt.exe, xrefs: 00446807

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: KillTimer$Sleep$CriticalDeleteDirectorySectionSystem_sprintfclosesocket
String ID: %s\Seetrol_Clt.exe
API String ID: 1364420751-1195594296
Opcode ID: e32b30492ed8970707b313c0ed176b79404c491e5176781d40013c5955cbbd23
Instruction ID: 1453fe173a419c647372b416b1e7861e897b7e7b8f75c551bd3b49d923b7cdc7
Opcode Fuzzy Hash: e32b30492ed8970707b313c0ed176b79404c491e5176781d40013c5955cbbd23
Instruction Fuzzy Hash: 2B51CEB5640B059FC720DFB5C885BABF3E4FF49704F104A2EE26A97281CB74A840CB55

Function 004324E0 Relevance: 22.8, APIs: 15, Instructions: 317COMMON

Download Yara Rule

APIs

Part of subcall function 00431BD0: SelectObject.GDI32(?,?), ref: 00431CD3
Part of subcall function 00431BD0: DeleteDC.GDI32(?), ref: 00431CDC
Part of subcall function 00431BD0: DeleteObject.GDI32(?), ref: 00431CE5

GlobalLock.KERNEL32(?), ref: 004324F8
GlobalUnlock.KERNEL32 ref: 00432610

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: DeleteGlobalObject$LockSelectUnlock
String ID:
API String ID: 720557223-0
Opcode ID: 3a505acbbe0b3061cb818f16cc68e70cc230d1f8264163140bb0843d04b53177
Instruction ID: 2c9b939fb504ab335040e75cd98edaa574b3b357247c0a92177db6c355dc651a
Opcode Fuzzy Hash: 3a505acbbe0b3061cb818f16cc68e70cc230d1f8264163140bb0843d04b53177
Instruction Fuzzy Hash: BEB1C971204301AFE724DF65C988E6BB7E8FF98300F04891EF59A87261DB74E909CB25

Function 0044E1C0 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 402sleepwindowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044E266

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Part of subcall function 00403BF0: FindResourceW.KERNEL32(?,?,00000006), ref: 00403C0A

Part of subcall function 00403BF0: _memcpy_s.LIBCMT ref: 00403C7B

SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0044E4C0
GetSystemMetrics.USER32(00000043), ref: 0044E577
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044E59C
Sleep.KERNEL32(0000000A,00000001), ref: 0044E5E8
Sleep.KERNEL32(0000000A), ref: 0044E623
Sleep.KERNEL32(0000001E,00000001), ref: 0044E630
Sleep.KERNEL32(0000000A), ref: 0044E63F
Sleep.KERNEL32(0000000A), ref: 0044E64E
Sleep.KERNEL32(0000001E), ref: 0044E652

Strings

.seetrol.com, xrefs: 0044E46D
_latestcon_.txt, xrefs: 0044E5FF

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Sleep$MessageSend$_memcpy_s$FindMetricsResourceSystem
String ID: .seetrol.com$_latestcon_.txt
API String ID: 2140006250-404849943
Opcode ID: b8567081c156e2973dd20d71637d7229179275d60e5a7ea698bf0b58fdc09cf6
Instruction ID: 5c0c5212313fe51156f82cf736b15b6f8df561ee926b1475f261f1ccd064bf5b
Opcode Fuzzy Hash: b8567081c156e2973dd20d71637d7229179275d60e5a7ea698bf0b58fdc09cf6
Instruction Fuzzy Hash: 12E19F303407019FE324EB36CC56B5BB3A4AF95718F10462EF55A9B2D2DF78A904CB5A

Function 0040AC70 Relevance: 21.4, APIs: 9, Strings: 3, Instructions: 360comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040ACA9
CoCreateInstance.COMBASE(00635140,00000000,00000017,00635150,?), ref: 0040ACC1
CoTaskMemFree.COMBASE(?), ref: 0040AF6E
PropVariantClear.OLE32(?,?,75A85540), ref: 0040AF7D
CoTaskMemFree.COMBASE(?), ref: 0040AFF1

Part of subcall function 0040AC20: CoCreateInstance.COMBASE(00506450,00000000,00000017,00506460,00000000), ref: 0040AC33

CoUninitialize.COMBASE ref: 0040B00B
_printf.LIBCMT ref: 0040B031
CoTaskMemFree.COMBASE(?), ref: 0040B044
CoTaskMemFree.COMBASE(?), ref: 0040B09B

Strings

Error!, xrefs: 0040B02C
Microphone, xrefs: 0040AE74
Stereo Mix, xrefs: 0040AEB3

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: FreeTask$CreateInstance$ClearInitializePropUninitializeVariant_printf
String ID: Error!$Microphone$Stereo Mix
API String ID: 2591373714-2042757009
Opcode ID: 4be0c02a6c2f2e7782b7614ce96f06f0ebdbd3045816fbe7ebd77023d1275bd8
Instruction ID: 4d356ad0cd0055a534bb7e2fca802039a0c5cf10672040fac80659dd95ae97e1
Opcode Fuzzy Hash: 4be0c02a6c2f2e7782b7614ce96f06f0ebdbd3045816fbe7ebd77023d1275bd8
Instruction Fuzzy Hash: 2ED146B16083429FC710DF69C88096BB7E5BF89308F14492EF199E7391D735E909CBA6

Function 0043F070 Relevance: 21.1, APIs: 14, Instructions: 124windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0043F087
GetObjectW.GDI32(?,00000018,?), ref: 0043F0B3
SelectObject.GDI32(00000000,?), ref: 0043F0D5
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0043F105
SelectObject.GDI32(00000000,?), ref: 0043F111
DeleteDC.GDI32(00000000), ref: 0043F118
DeleteObject.GDI32(?), ref: 0043F11F
DeleteDC.GDI32(00000000), ref: 0043F128
GetObjectW.GDI32(?,00000018,?), ref: 0043F144
SelectObject.GDI32(00000000,?), ref: 0043F16C
SelectObject.GDI32(00000000,00000000), ref: 0043F198
DeleteDC.GDI32(00000000), ref: 0043F19B
DeleteObject.GDI32(00000000), ref: 0043F1A2
DeleteDC.GDI32(00000000), ref: 0043F1B8

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Object$Delete$Select$RectStretchWindow
String ID:
API String ID: 1803269550-0
Opcode ID: 6d14f3c7801400a99924f339dbda4282a5d85a3da5699ccedb686e2fdf9ea589
Instruction ID: 696e6045488b7c734d3902e62c411b5be62739912a8349892e3e1702c05ed823
Opcode Fuzzy Hash: 6d14f3c7801400a99924f339dbda4282a5d85a3da5699ccedb686e2fdf9ea589
Instruction Fuzzy Hash: D7413A7A204301ABD220DB64DC89F6FB7B8EB9CB11F140519FA4597280DB78ED09DB66

Function 0047B67A Relevance: 21.1, APIs: 3, Strings: 11, Instructions: 123stringCOMMON

Download Yara Rule

APIs

lstrcmp.KERNEL32(00000000,005165A8), ref: 0047B693
lstrcmp.KERNEL32(00000000,005165A4), ref: 0047B6AB

Strings

dde, xrefs: 0047B75D
Automation, xrefs: 0047B79C
RegserverPerUser, xrefs: 0047B6FC
RegisterPerUser, xrefs: 0047B6E7
UnregisterPerUser, xrefs: 0047B73B
Regserver, xrefs: 0047B6D2
Register, xrefs: 0047B6BD
Unregister, xrefs: 0047B711
UnregserverPerUser, xrefs: 0047B74C
Embedding, xrefs: 0047B778
Unregserver, xrefs: 0047B726

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: lstrcmp
String ID: Automation$Embedding$Register$RegisterPerUser$Regserver$RegserverPerUser$Unregister$UnregisterPerUser$Unregserver$UnregserverPerUser$dde
API String ID: 1534048567-3876351261
Opcode ID: 685bf51fd5a5cf9f999b4de0606beee4ab20b486c39fd86b6ad45d42c3c7e3e0
Instruction ID: 4158870fab218df59c8f1903c3ce7b8b15553ea315d7dcecbbd45a5a050bd45a
Opcode Fuzzy Hash: 685bf51fd5a5cf9f999b4de0606beee4ab20b486c39fd86b6ad45d42c3c7e3e0
Instruction Fuzzy Hash: FE31D47110870255E3282632ACC6BD75BEDDF40768F51C90FA509516C3EBBDD18586E9

Function 0043CF10 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32.dll), ref: 0043CF1F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0043CF39
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0043CF43
ShellExecuteW.SHELL32(00000000,open,osk.exe,00000000,00000000,00000001), ref: 0043CF68
FreeLibrary.KERNEL32(00000000), ref: 0043CF7A
ShellExecuteW.SHELL32(00000000,open,osk.exe,00000000,00000000,00000001), ref: 0043CF85
FreeLibrary.KERNEL32(00000000), ref: 0043CF8C

Strings

kernel32.dll, xrefs: 0043CF12
Wow64DisableWow64FsRedirection, xrefs: 0043CF33
open, xrefs: 0043CF5D
osk.exe, xrefs: 0043CF58
Wow64RevertWow64FsRedirection, xrefs: 0043CF3B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Library$AddressExecuteFreeProcShell$Load
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$open$osk.exe
API String ID: 1344742323-2279186374
Opcode ID: d87194c96a0c597c9d83052771ddb64da7cc093fd31f47d82c37c6617cc6cf3e
Instruction ID: 1ea4d6e01b041d9577da5eefa5b37ffbdf42249bf3a301c6c66b692214d36219
Opcode Fuzzy Hash: d87194c96a0c597c9d83052771ddb64da7cc093fd31f47d82c37c6617cc6cf3e
Instruction Fuzzy Hash: E501D6723417117BE61067659CCDF9FAB58EF98761F14412AF609921C0EFB4C8089768

Function 004E0150 Relevance: 19.8, APIs: 13, Instructions: 342COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 004E0185
_calloc.LIBCMT ref: 004E01B1
_calloc.LIBCMT ref: 004E01BD
_calloc.LIBCMT ref: 004E01C9
_calloc.LIBCMT ref: 004E01D7

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _calloc
String ID:
API String ID: 1679841372-0
Opcode ID: faa37d9db676164725c62fcee8929f980109adff67664349508e23f42eb243a5
Instruction ID: 5cf65d6b98b7aaa23abbdce0335c490dc9141006f128b3d42e2f55e44d44f7a8
Opcode Fuzzy Hash: faa37d9db676164725c62fcee8929f980109adff67664349508e23f42eb243a5
Instruction Fuzzy Hash: B9C15AB06007029FD724CF69D881A5BB7E1FB88305F048A2EE999CB342D774F9558BA5

Function 004167E0 Relevance: 19.7, APIs: 13, Instructions: 153COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0041681C
GetSysColor.USER32(00000005), ref: 0041683B
GetSysColor.USER32(00000008), ref: 00416864
GetSysColor.USER32(00000005), ref: 00416883
GetSysColor.USER32(00000008), ref: 004168AC
GetSysColor.USER32(00000005), ref: 004168CB
GetSysColor.USER32(00000008), ref: 004168F4
GetSysColor.USER32(00000005), ref: 00416913
GetSysColor.USER32(00000010), ref: 00416927
GetSysColor.USER32(00000008), ref: 0041692E
GetSysColor.USER32(00000005), ref: 00416935
GetSysColor.USER32(0000000F), ref: 0041693C
GetSysColor.USER32(00000010), ref: 00416943

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: 4ae5dc2da039fde0cd9947ef016b86fe7c83ee459368bad7fe9f6b0b9cc73c41
Instruction ID: f9849506db7aa54653ed162dca1eccc140a9e888bec1f9d60de142c79418a391
Opcode Fuzzy Hash: 4ae5dc2da039fde0cd9947ef016b86fe7c83ee459368bad7fe9f6b0b9cc73c41
Instruction Fuzzy Hash: EE510771640B089FCB24FFA5CCD0A6AB7E5BF98300F124929E596CB395DA34E984CB51

Function 00416670 Relevance: 19.6, APIs: 13, Instructions: 146COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004166A0
GetSysColor.USER32(00000005), ref: 004166BF
GetSysColor.USER32(00000008), ref: 004166E8
GetSysColor.USER32(00000005), ref: 00416707
GetSysColor.USER32(00000008), ref: 00416730
GetSysColor.USER32(00000005), ref: 0041674F
GetSysColor.USER32(00000008), ref: 00416778
GetSysColor.USER32(00000005), ref: 00416797
GetSysColor.USER32(00000010), ref: 004167AB
GetSysColor.USER32(00000008), ref: 004167B2
GetSysColor.USER32(00000005), ref: 004167B9
GetSysColor.USER32(0000000F), ref: 004167C0
GetSysColor.USER32(00000010), ref: 004167C7

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: 88e3fbadac47f6a2a1f363d269d72f5321f32a0c888c40e510d20617148f4389
Instruction ID: 753bcbc8ea084de115db5d45ab4b66ede27c68ac5523f710854fc67252481f76
Opcode Fuzzy Hash: 88e3fbadac47f6a2a1f363d269d72f5321f32a0c888c40e510d20617148f4389
Instruction Fuzzy Hash: 0941FB74740A19AFCB04EFB5CCD0A5AB7A5BF88300F12856AE519CB385DB34E995CF90

Function 00443070 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 234COMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,75920F00,00000000,0000000A,9F5E49E1,75920F00,00EFDE10,00000000,000000FF,?,0044E0DF,00000000,00000000), ref: 0044311A
RtlEnterCriticalSection.NTDLL(?), ref: 00443135
RtlLeaveCriticalSection.NTDLL(?), ref: 00443149
RtlEnterCriticalSection.NTDLL(?), ref: 0044317D
RtlLeaveCriticalSection.NTDLL(?), ref: 00443199
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,9F5E49E1,75920F00,00EFDE10,00000000,000000FF), ref: 004431FF
OutputDebugStringW.KERNEL32(HHHH *&*^&^*&^*(&*& exit event,?,0044E0DF,00000000,00000000), ref: 00443233

Strings

HHHH *&*^&^*&^*(&*& exit event, xrefs: 0044322E

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CreateDebugEventMultipleObjectsOutputStringWait
String ID: HHHH *&*^&^*&^*(&*& exit event
API String ID: 2594420374-3841546532
Opcode ID: 504b6f520a61bce6fea11285429e58fc6949104f5669926092c981afe9c1a3a5
Instruction ID: 039d699ebe2b7b011f14d9872423aaf86c29c9dec758267fe4716026a89a3f9d
Opcode Fuzzy Hash: 504b6f520a61bce6fea11285429e58fc6949104f5669926092c981afe9c1a3a5
Instruction Fuzzy Hash: 9D81E272B00605ABDB14DFA5D845B9EB7B4FB48712F00422FE909D7381D779A904CB99

Function 00450713 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000B84,00000001), ref: 00450810

Strings

_latestcon_.txt, xrefs: 00450919
SeetrolClient.exe, xrefs: 0045092E
It's past 180 minutes.............., xrefs: 0045090C
Cur Minutes = %d, Start Minutes = %d, xrefs: 004508D7

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: InvalidateRect
String ID: Cur Minutes = %d, Start Minutes = %d$It's past 180 minutes..............$SeetrolClient.exe$_latestcon_.txt
API String ID: 634782764-3053064906
Opcode ID: b0adf9915d03cd8913ae4f2861e950939c64431abbdfb56a674d63791deccbd8
Instruction ID: 67edb0a904e78a174e93f4027bd3c3e72890fdc40655ee2527897efd977b549e
Opcode Fuzzy Hash: b0adf9915d03cd8913ae4f2861e950939c64431abbdfb56a674d63791deccbd8
Instruction Fuzzy Hash: 4271D171A002058BDF04EF61C9957EE77A1AF54305F04407EEC4A6F2C7DB79A808CBA9

Function 0040E950 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 187fileCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0040E99E

Part of subcall function 004AC87C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,00000000,0040E9A3), ref: 004AC887
Part of subcall function 004AC87C: __aulldiv.LIBCMT ref: 004AC8A7

__localtime64.LIBCMT ref: 0040E9A8

Part of subcall function 004AC855: __localtime64_s.LIBCMT ref: 004AC86A

__vswprintf.LIBCMT ref: 0040E9C7

Part of subcall function 004ADD1B: __vsprintf_l.LIBCMT ref: 004ADD2B

_sprintf.LIBCMT ref: 0040E9FF
GetModuleFileNameA.KERNEL32 ref: 0040EA4B
_sprintf.LIBCMT ref: 0040EAD6
CloseHandle.KERNEL32(?,00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?,9F5E49E1,7591E010), ref: 0040EAF7
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040EB50
CloseHandle.KERNEL32(FFFFFFFF), ref: 0040EB69

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Strings

%s\stclient.log, xrefs: 0040EAD0
stclient,%04d/%02d/%02d-%02d:%02d:%02d,%s, xrefs: 0040E9F9

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: File$CloseHandleTime_sprintf$ModuleNameSystemWrite__aulldiv__localtime64__localtime64_s__time64__vsprintf_l__vswprintf_memcpy_s
String ID: %s\stclient.log$stclient,%04d/%02d/%02d-%02d:%02d:%02d,%s
API String ID: 787290859-1091581989
Opcode ID: 8b5c7ceac0db7d8fc2726bb3176957997ef72d6df4f757cf33af5067fadcccb6
Instruction ID: 18207f4bf3386bbbf84af54343869711bc4fc392fab999444df53baa6cd8b4e2
Opcode Fuzzy Hash: 8b5c7ceac0db7d8fc2726bb3176957997ef72d6df4f757cf33af5067fadcccb6
Instruction Fuzzy Hash: 0161ACB12047419FD324DB28C885FABB3E9BBC9324F044A1DF19A972D0DB35A918CB95

Function 0043E360 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 55synchronizationnetworksleepCOMMON

Download Yara Rule

APIs

WSACreateEvent.WS2_32 ref: 0043E36A
NotifyAddrChange.IPHLPAPI(?,?), ref: 0043E37E
WSAGetLastError.WS2_32 ref: 0043E387
WaitForSingleObject.KERNEL32 ref: 0043E3B6
Sleep.KERNEL32(0000001E), ref: 0043E3CD
WaitForSingleObject.KERNEL32(?,00000064), ref: 0043E3D6
ResetEvent.KERNEL32(?), ref: 0043E3E1
OutputDebugStringW.KERNEL32(HHHHH IP Address table changed..), ref: 0043E3EC
SendMessageW.USER32(?,00002F84,00000000,00000000), ref: 0043E409
__endthread.LIBCMT ref: 0043E40F

Strings

HHHHH IP Address table changed.., xrefs: 0043E3E7

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: EventObjectSingleWait$AddrChangeCreateDebugErrorLastMessageNotifyOutputResetSendSleepString__endthread
String ID: HHHHH IP Address table changed..
API String ID: 3342187920-1823507180
Opcode ID: f5a3874ba77d2472f0a0ff9d5355216d6528f68bea5d17b60cf7c186dc3e28c2
Instruction ID: 4a6e24d8b2474b4d58af0cdaf5445fde62332ac40ddf605250586d4602c224d6
Opcode Fuzzy Hash: f5a3874ba77d2472f0a0ff9d5355216d6528f68bea5d17b60cf7c186dc3e28c2
Instruction Fuzzy Hash: E5115E72204300ABD710ABA5DD49F5FB7A8BF98704F04052DF689E71D1D7B9E808CB66

Function 004329E0 Relevance: 18.1, APIs: 12, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?), ref: 004329FA
LoadResource.KERNEL32(?,00000000), ref: 00432A14
SizeofResource.KERNEL32(?,00000000), ref: 00432A2F
GlobalAlloc.KERNEL32(00000022,00000000), ref: 00432A3A
FreeResource.KERNEL32(00000000), ref: 00432A47
GlobalLock.KERNEL32(00000000), ref: 00432A58
LockResource.KERNEL32(00000000), ref: 00432A61
FreeResource.KERNEL32(00000000), ref: 00432A7B
GlobalUnlock.KERNEL32(00000000), ref: 00432A82
GlobalFree.KERNEL32(00000000), ref: 00432A9B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Resource$Global$Free$Lock$AllocFindLoadSizeofUnlock
String ID:
API String ID: 1897898821-0
Opcode ID: 25340d3284b9983cdac9abcc8b5422cc34a61547c6c33290876229572b1c09fe
Instruction ID: 8549c24ea18221fa4b7f30d043d631f72887d6f9cdbcabbdcb94f495f2940246
Opcode Fuzzy Hash: 25340d3284b9983cdac9abcc8b5422cc34a61547c6c33290876229572b1c09fe
Instruction Fuzzy Hash: F321A176201210AFD321BBB5AC5CD6F779CEFA9366B14442FF902C3212DB78C8049675

Function 004409D4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 248sleepfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000001E), ref: 00440A23
Sleep.KERNEL32(0000000A,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00440AE5
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00440B3F

Strings

_st_ft_tmp.zip, xrefs: 00440E9B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Sleep$FileRead
String ID: _st_ft_tmp.zip
API String ID: 1621575540-1049501217
Opcode ID: 626c34d468a53e5a61de424ce1bab4df34e3983b42604e1c4fed53715e09aa1d
Instruction ID: 5f47da2d0b925f7d8aa24984006d6cfaea77292107a1f019290800dc1feeeb79
Opcode Fuzzy Hash: 626c34d468a53e5a61de424ce1bab4df34e3983b42604e1c4fed53715e09aa1d
Instruction Fuzzy Hash: 4B913A716043458FE724DF24CD94BABB7E4EF99314F14062EEA899B381C778E805CB96

Function 004409F7 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 241sleepfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000001E), ref: 00440A23
Sleep.KERNEL32(0000000A,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00440AE5
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00440B3F

Strings

_st_ft_tmp.zip, xrefs: 00440E9B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Sleep$FileRead
String ID: _st_ft_tmp.zip
API String ID: 1621575540-1049501217
Opcode ID: b9d0bc776a3831d3c5a4b109b72f54c5c38143b806f915e472af4dba38f7b76f
Instruction ID: aeca04c3b546d487f9e4b3fa4a2f57492e892766aa5ff131c30d0e4c5503a92c
Opcode Fuzzy Hash: b9d0bc776a3831d3c5a4b109b72f54c5c38143b806f915e472af4dba38f7b76f
Instruction Fuzzy Hash: 759128716043458FE724DF25CD94BABB7E4EF99314F14062EEA889B381C778E805CB96

Function 00449550 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 224sleepwindowtimeCOMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(HHHHHHHH OnDisconnected..........************************************,9F5E49E1), ref: 00449585
Sleep.KERNEL32(0000000A,?,00000000,?,?,?), ref: 004495D5
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004495EB
Sleep.KERNEL32(0000000A,?,00000000,?,?,?), ref: 00449659
Sleep.KERNEL32(0000001E), ref: 0044966F
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004496D6
SetTimer.USER32(?,0000046C,00001B58,00000000), ref: 004497A2

Strings

HHHHHHHH OnDisconnected..........************************************, xrefs: 00449580

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Sleep$MessageSend$DebugOutputStringTimer
String ID: HHHHHHHH OnDisconnected..........************************************
API String ID: 3392156624-3258832438
Opcode ID: 617c3e3c6b58b4d8a9e68de464a6f3aedfd4daa80941ffe4af887a4afa78a161
Instruction ID: f3e643c34d14d9f0ac76f99aaef426c7afa793e54113cc9a4d797a18d46f29c1
Opcode Fuzzy Hash: 617c3e3c6b58b4d8a9e68de464a6f3aedfd4daa80941ffe4af887a4afa78a161
Instruction Fuzzy Hash: EC919E70740705EBE724EF61C896BAFB3A5BF84B04F10451EE65A57381DBB86840CB9A

Function 0042A080 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,00000018,?), ref: 0042A0C2
73A0A570.USER32(?), ref: 0042A0D9
SelectObject.GDI32(?,?), ref: 0042A107
_memset.LIBCMT ref: 0042A12F
GetPixel.GDI32(?,00000000,?), ref: 0042A18A

Strings

(, xrefs: 0042A208

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Object$A570PixelSelect_memset
String ID: (
API String ID: 2544053820-3887548279
Opcode ID: 7c0b0e4da12e49533c2186ea8f19cc5a904a172f5aa64ef6050d0408e7149e26
Instruction ID: 122c26f7a01b07ae45802da8db1df48ad970ac38cd116229b49a1ba92112f22f
Opcode Fuzzy Hash: 7c0b0e4da12e49533c2186ea8f19cc5a904a172f5aa64ef6050d0408e7149e26
Instruction Fuzzy Hash: 4E71DDB16043019FC310DF69D884B2BB7E5EF98304F44892EF89687351EB38E854CBA6

Function 004411B0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 123sleepwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3D8F: __waccess_s.LIBCMT ref: 004F3D9A

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00441240
_sprintf.LIBCMT ref: 0044129A
Sleep.KERNEL32(0000001E), ref: 004412A4
_sprintf.LIBCMT ref: 004412F4
ShellExecuteA.SHELL32(00000000,Open,?,?,00000000,00000001), ref: 00441314

Strings

%s\STUpdate.exe, xrefs: 00441289
STUpdate.exe, xrefs: 004411ED
%s %d %d %d 7, xrefs: 004412EE
xxx.seetrol.com, xrefs: 004412AA
Open, xrefs: 0044130D

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _sprintf$ExecuteMessageSendShellSleep__waccess_s
String ID: %s %d %d %d 7$%s\STUpdate.exe$Open$STUpdate.exe$xxx.seetrol.com
API String ID: 209734580-2990853639
Opcode ID: df8b8f0c48e516ecbf8294460169fab355741dabab16574a2941eda5e08e4a2b
Instruction ID: 01a2d2cb05fa62956292216208824cb112590af1c27d4b4b5120dd3e5e46850d
Opcode Fuzzy Hash: df8b8f0c48e516ecbf8294460169fab355741dabab16574a2941eda5e08e4a2b
Instruction Fuzzy Hash: 4F41D4B12407019BE324DF24CC4AFAAB7E4FB99710F00072EF559972D1DB74A940CBA5

Function 004101C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 71serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 004101D0
OpenServiceW.ADVAPI32(00000000,SeetrolMyService,000F01FF), ref: 004101FC
CloseServiceHandle.ADVAPI32(00000000), ref: 00410209

Part of subcall function 0040E950: __time64.LIBCMT ref: 0040E99E
Part of subcall function 0040E950: __localtime64.LIBCMT ref: 0040E9A8
Part of subcall function 0040E950: __vswprintf.LIBCMT ref: 0040E9C7
Part of subcall function 0040E950: _sprintf.LIBCMT ref: 0040E9FF
Part of subcall function 0040E950: GetModuleFileNameA.KERNEL32 ref: 0040EA4B

Strings

SeetrolMyService, xrefs: 004101F6

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: OpenService$CloseFileHandleManagerModuleName__localtime64__time64__vswprintf_sprintf
String ID: SeetrolMyService
API String ID: 962589914-3785928781
Opcode ID: 6d6fe229631e59426d31fa1575b83877c01be904296011404467d1d962efd3ce
Instruction ID: 2494c22a856de9bdfa769d9bcc08a0a2e9a05a8e277aad1238a59bc24725b4e7
Opcode Fuzzy Hash: 6d6fe229631e59426d31fa1575b83877c01be904296011404467d1d962efd3ce
Instruction Fuzzy Hash: 4B110676680300B7C21137256C5EFAF3B1CEBD0722F44042AFE04A1192DABD995E96B6

Function 00478029 Relevance: 17.5, APIs: 4, Strings: 6, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00478030

Part of subcall function 004840E4: RtlEnterCriticalSection.NTDLL(0063B3C8), ref: 0048411E
Part of subcall function 004840E4: RtlInitializeCriticalSection.NTDLL(?), ref: 00484130
Part of subcall function 004840E4: RtlLeaveCriticalSection.NTDLL(0063B3C8), ref: 0048413D
Part of subcall function 004840E4: RtlEnterCriticalSection.NTDLL(?), ref: 0048414D

GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 00478080
GetProfileIntW.KERNEL32(windows,DragScrollDelay,00000032), ref: 0047808F
GetProfileIntW.KERNEL32(windows,DragScrollInterval,00000032), ref: 0047809E

Strings

ezG, xrefs: 00478047
@qF, xrefs: 00478041
windows, xrefs: 0047807A, 0047807F, 00478089, 00478098
DragScrollInterval, xrefs: 00478093
DragScrollInset, xrefs: 00478075
DragScrollDelay, xrefs: 00478084

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
String ID: @qF$DragScrollDelay$DragScrollInset$DragScrollInterval$ezG$windows
API String ID: 4229786687-964802685
Opcode ID: 004661adb3078890ba80c932fa12a4420fa1efb09ac6a12fd8242d2630653260
Instruction ID: 1f244fd07bed44ba86562266f8c0cfbe4d42fcdb7fdda17292bbcccf17953eeb
Opcode Fuzzy Hash: 004661adb3078890ba80c932fa12a4420fa1efb09ac6a12fd8242d2630653260
Instruction Fuzzy Hash: 1F0162B0980744EBE720EF668C46A8ABEE5FFD4B04F401A1FE3459B291D7F85580CB58

Function 0043A380 Relevance: 16.7, APIs: 11, Instructions: 173windowthreadmemoryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000418,00000000,00000000), ref: 0043A3D4
GetWindowThreadProcessId.USER32(00000000,?), ref: 0043A3E4
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0043A3F6

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

VirtualAllocEx.KERNEL32(00000000,00000000,00000014,00001000,00000004), ref: 0043A444
SendMessageW.USER32(?,00000417,00000000,00000000), ref: 0043A4AC
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000014,00000000), ref: 0043A4BD
ReadProcessMemory.KERNEL32(00000000,?,?,00000018,00000000), ref: 0043A4CE
GetWindowThreadProcessId.USER32 ref: 0043A4E2
Shell_NotifyIconW.SHELL32 ref: 0043A51E
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000), ref: 0043A53C
CloseHandle.KERNEL32(00000000), ref: 0043A543

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Process$MemoryMessageReadSendThreadVirtualWindow$AllocCloseFreeHandleIconNotifyOpenShell__memcpy_s
String ID:
API String ID: 350762583-0
Opcode ID: e1c3c70b296d81152ecc5cc85210f9acb22fb9613a7b884e8bbec953429f081f
Instruction ID: 66576c732975142a89aa81f1a341d0d0095f7af82e87758a2e4115b84b308e91
Opcode Fuzzy Hash: e1c3c70b296d81152ecc5cc85210f9acb22fb9613a7b884e8bbec953429f081f
Instruction Fuzzy Hash: A35169712443019FD310CB68CC89B6BB7E5FBD9724F00861EF2958B291DB74990ACB96

Function 00408BA0 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 301timeCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002E,00000000), ref: 00408BF9
_sprintf.LIBCMT ref: 00408C11

Part of subcall function 004F3D8F: __waccess_s.LIBCMT ref: 004F3D9A

KillTimer.USER32(?,00000D31,9F5E49E1), ref: 00408C4C
KillTimer.USER32(?,00000D31,9F5E49E1), ref: 00408C60
_fwscanf.LIBCMT ref: 00408C91

Strings

Standby Name : , xrefs: 00408E16
%s, xrefs: 00408C8B
1, xrefs: 00408BDB
%s\stbid.txt, xrefs: 00408C0B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: KillTimer$FolderPathSpecial__waccess_s_fwscanf_sprintf
String ID: %s$%s\stbid.txt$1$Standby Name :
API String ID: 3475323135-3536164160
Opcode ID: ab6bb3601285fe52a732ce1af47ca2315994c851153e78748df2bd6a7d9b6cfc
Instruction ID: d262a37b390ebd01e468c3b41720d31e68e0f23dcbd889e1dc6355d43c9dcbb6
Opcode Fuzzy Hash: ab6bb3601285fe52a732ce1af47ca2315994c851153e78748df2bd6a7d9b6cfc
Instruction Fuzzy Hash: 7DB119702047428FD314DB38C851FABB7E5BF95318F048A6EE1999B2D2DF389905CB96

Function 0044EAF0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 178sleepwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044EB26
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 0044EB3E
Sleep.KERNEL32(0000012C), ref: 0044EBE9
Sleep.KERNEL32(0000000A), ref: 0044EC17
KillTimer.USER32(?,0000046C), ref: 0044EC37
Sleep.KERNEL32(0000000A), ref: 0044ECF9
KillTimer.USER32(?,0000046C), ref: 0044ED19

Strings

B, xrefs: 0044EBA2
SeetrolClient.exe, xrefs: 0044EBFD, 0044ECDF

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Sleep$KillMessageSendTimer
String ID: B$SeetrolClient.exe
API String ID: 1314037856-2223426408
Opcode ID: 317d610e2bc2dddcdb7798b4f6eeb2a003e53b9bf122e0ff8cf70d64dff86c1c
Instruction ID: 021268072df4a6b9416a29714b5c2dbb3cbfc5a705e6d2f0a68c7a24e31e0fbc
Opcode Fuzzy Hash: 317d610e2bc2dddcdb7798b4f6eeb2a003e53b9bf122e0ff8cf70d64dff86c1c
Instruction Fuzzy Hash: C551D6757042898FEB34EF26CC95BAF7751BB55304F10082EF94A9B382CD38A944C75A

Function 00437747 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 165sleepsynchronizationwindowCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 00436A8E
CloseHandle.KERNEL32(?), ref: 0043778C
_sprintf.LIBCMT ref: 004377D6
_sprintf.LIBCMT ref: 00437817
PostMessageW.USER32(?,00002FF2,00000000,00000000), ref: 004378BB
Sleep.KERNEL32(0000000A), ref: 004378C3

Strings

%s%s, xrefs: 004377C9, 0043780A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _sprintf$CloseHandleMessageObjectPostSingleSleepWait
String ID: %s%s
API String ID: 4189928798-3252725368
Opcode ID: 87863897e0277931b49a75ebfd91c7832d0c6835e3c4e2b59dc8355e1416fa47
Instruction ID: 52e572ebaf17c9bdedad3144ba537ee0804d801d091c45087d7162abf53a4260
Opcode Fuzzy Hash: 87863897e0277931b49a75ebfd91c7832d0c6835e3c4e2b59dc8355e1416fa47
Instruction Fuzzy Hash: 885139706043859BDB30CF64CC58FFA37A5AF59304F189479E9898F386DB74AA09CB54

Function 0043C2F0 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 0040A9C0: OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 0040A9CA

OutputDebugStringW.KERNEL32(Running in Service Mode........), ref: 0043C313

Strings

Running in Service Mode........, xrefs: 0043C30E
EnableInstallerDetection, xrefs: 0043C405
EnableSecureUIAPaths, xrefs: 0043C41F
PromptOnSecureDesktop, xrefs: 0043C3D1
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 0043C36D
EnableUIADesktopToggle, xrefs: 0043C3EB
ConsentPromptBehaviorAdmin, xrefs: 0043C3B7
EnableLUA, xrefs: 0043C39D

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: DebugManagerOpenOutputString
String ID: ConsentPromptBehaviorAdmin$EnableInstallerDetection$EnableLUA$EnableSecureUIAPaths$EnableUIADesktopToggle$PromptOnSecureDesktop$Running in Service Mode........$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 2942726799-527882296
Opcode ID: bce12da474eea64187bb1646cfaf3d745d3a8689ddcbe7f6517c1cd1e1c29f09
Instruction ID: a6dc234e7f29012b18b630b9309a5bd511ca7a5d2946af0ac530e520bac58384
Opcode Fuzzy Hash: bce12da474eea64187bb1646cfaf3d745d3a8689ddcbe7f6517c1cd1e1c29f09
Instruction Fuzzy Hash: 903162B1244310BFD210DB59CC85E9FBBE8EFD8B24F40891EF659A6190D7B49504CBAA

Function 004343A0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 53sleepnetworkCOMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(RelayAcceptThread start............), ref: 004343BF
accept.WS2_32(?,?,?), ref: 004343EB
Sleep.KERNEL32(0000001E), ref: 004343F6
OutputDebugStringW.KERNEL32(HHHHHHHHHHHHHHHH accepted ............^^^^^^^^^^^^^^^^^^^^^), ref: 00434403
OutputDebugStringW.KERNEL32(RelayAcceptThread exit *********.&&&&&&...........), ref: 00434431
__endthread.LIBCMT ref: 00434433

Strings

HHHHHHHHHHHHHHHH accepted ............^^^^^^^^^^^^^^^^^^^^^, xrefs: 004343FE
RelayAcceptThread exit *********.&&&&&&..........., xrefs: 0043442C
RelayAcceptThread start............, xrefs: 004343BA

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: DebugOutputString$Sleep__endthreadaccept
String ID: HHHHHHHHHHHHHHHH accepted ............^^^^^^^^^^^^^^^^^^^^^$RelayAcceptThread exit *********.&&&&&&...........$RelayAcceptThread start............
API String ID: 3779952083-3408232402
Opcode ID: dd6ca307d63062089f04407acb367012af1c7ff2871a4857918d93c5fa63799c
Instruction ID: 33e0ab465bd2b23769d9b9bdf595bc7ffa455d6430a5f2c14bf6f7f9fa4e6903
Opcode Fuzzy Hash: dd6ca307d63062089f04407acb367012af1c7ff2871a4857918d93c5fa63799c
Instruction Fuzzy Hash: 4911C271604304ABD314DFA5DC86B9FF7E4FBA8710F50052EF55143290DB74A884CB9A

Function 0043A210 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 48COMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043A219
FindWindowExW.USER32(00000000,00000000,TrayNotifyWnd,00000000), ref: 0043A233
FindWindowExW.USER32(00000000,00000000,SysPager,00000000), ref: 0043A243
FindWindowExW.USER32(00000000,00000000,ToolbarWindow32,00000000), ref: 0043A251
FindWindowExW.USER32(00000000,00000000,ToolbarWindow32,00000000), ref: 0043A258

Strings

SysPager, xrefs: 0043A23C
TrayNotifyWnd, xrefs: 0043A22C
ToolbarWindow32, xrefs: 0043A246
Shell_TrayWnd, xrefs: 0043A214

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: FindWindow
String ID: Shell_TrayWnd$SysPager$ToolbarWindow32$TrayNotifyWnd
API String ID: 134000473-1558509179
Opcode ID: 1062bcbc48668e5f826fa515a020e78b5f74c062361df24a3c0d5922b28e869c
Instruction ID: 0e09784fc875f3883ca48d9452186d544095d51199645c7832b584f482c43033
Opcode Fuzzy Hash: 1062bcbc48668e5f826fa515a020e78b5f74c062361df24a3c0d5922b28e869c
Instruction Fuzzy Hash: 87F030AB78222A3AB51126ED2CC5D7F8B5CEAD5AEA718007BF600D2280CB55CC1566B1

Function 00422550 Relevance: 15.3, APIs: 10, Instructions: 325COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00422562
PtInRect.USER32(?,?,?), ref: 00422580
InvertRect.USER32(?,?), ref: 004226B9
InvertRect.USER32(?,?), ref: 004226E3
InvertRect.USER32(?,?), ref: 0042272D
InvertRect.USER32(?,?), ref: 00422757
LoadCursorW.USER32(00000000,00007F85), ref: 004227F9
SetCursor.USER32(00000000), ref: 00422800
LoadCursorW.USER32(00000000,00007F00), ref: 00422823
SetCursor.USER32(00000000), ref: 0042282A

Part of subcall function 00412170: 73A0A570.USER32(?), ref: 00412174

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Rect$CursorInvert$Load$A570Client
String ID:
API String ID: 1521587821-0
Opcode ID: b2abc2af38a9ee28e14c64ba0db3081da9a686672c3b434a60a4b6ceea0f2c30
Instruction ID: 085ddf94a12544c4f30897fa821a0e6ce820f14504bb6de1742840f7fa5761ba
Opcode Fuzzy Hash: b2abc2af38a9ee28e14c64ba0db3081da9a686672c3b434a60a4b6ceea0f2c30
Instruction Fuzzy Hash: CEC15774308711AFC314DB25D984AABB7E9BFC8304F404A1EF59A83350DB78E985CB5A

Function 00442D90 Relevance: 15.2, APIs: 10, Instructions: 230sleepprocessCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00442DEB
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00EFDE10,?,00000000), ref: 00442DF6
Process32FirstW.KERNEL32 ref: 00442E18
OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,?,?,?,?,00000002,00000000,00EFDE10,?,00000000), ref: 00442F8C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000,00EFDE10,?,00000000), ref: 00442F94
TerminateProcess.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,00000002,00000000,00EFDE10,?,00000000), ref: 00442FA1
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000002,00000000,00EFDE10,?,00000000), ref: 00442FA8
Sleep.KERNEL32(0000001E,?,?,?,?,?,?,?,?,00000002,00000000,00EFDE10,?,00000000), ref: 00442FB0
Process32NextW.KERNEL32(?,?), ref: 0044300A
CloseHandle.KERNEL32(00000000), ref: 0044301C

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CloseHandleProcessProcess32$CreateErrorFirstLastNextOpenSleepSnapshotTerminateToolhelp32_memset
String ID:
API String ID: 1443971851-0
Opcode ID: 6dd299bd8172f147c29c7bb22a8ef833d8240135ded3a084aa299bdf208cd449
Instruction ID: 1bad0621a7517382790b62074daede2932dffaae291707e411b0d7174df1e0a1
Opcode Fuzzy Hash: 6dd299bd8172f147c29c7bb22a8ef833d8240135ded3a084aa299bdf208cd449
Instruction Fuzzy Hash: 4C8122716042029FD710DF28CC85A6FB7E5FF88314F444B2EF45697291EB38AA44CB86

Function 004294A0 Relevance: 15.2, APIs: 10, Instructions: 204windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(8BCCCCCC,00000031,00000000,00000000), ref: 0042958D
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004295A5

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

SendMessageW.USER32(?,000000B1,?,000000FF), ref: 004295FB
SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 0042960A
SendMessageW.USER32(?,000000B1,-00000002,000000FF), ref: 00429631
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0042964F
SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 0042965E
SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 0042967E
PostMessageW.USER32(?,00000286,?,00000000), ref: 0042969F

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Message$Send$Post_memcpy_s
String ID:
API String ID: 469121873-0
Opcode ID: 4c11eeef4f94273778e6ecc956662789e7dcfbafe50ec6153461d82da68bbc72
Instruction ID: c5e6c19f76e8c3cee5a89ea3aea2da8c4c7d463715af75274153680801bfe442
Opcode Fuzzy Hash: 4c11eeef4f94273778e6ecc956662789e7dcfbafe50ec6153461d82da68bbc72
Instruction Fuzzy Hash: F1617A71244701ABD324DB28CC91F2BB3E9BF88710F144A1DF69A9B2E0DBB4E800CB55

Function 0042F400 Relevance: 15.2, APIs: 10, Instructions: 201COMMON

Download Yara Rule

APIs

mixerOpen.WINMM(?,?,00000000,00000000,00000000), ref: 0042F427
mixerGetLineInfoW.WINMM ref: 0042F455
_malloc.LIBCMT ref: 0042F466

Part of subcall function 004AE893: __FF_MSGBANNER.LIBCMT ref: 004AE8B6
Part of subcall function 004AE893: __NMSG_WRITE.LIBCMT ref: 004AE8BD
Part of subcall function 004AE893: RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 004AE90A

mixerGetLineControlsW.WINMM ref: 0042F4A7
mixerClose.WINMM(?), ref: 0042F4FA
_malloc.LIBCMT ref: 0042F565
mixerGetControlDetailsW.WINMM ref: 0042F5A6
_malloc.LIBCMT ref: 0042F5B0
mixerGetControlDetailsW.WINMM ref: 0042F5D4

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: mixer$_malloc$ControlDetailsLine$AllocateCloseControlsHeapInfoOpen
String ID:
API String ID: 2605023755-0
Opcode ID: 6ced8723f13e79167302d555f74858a7a724ba7ea46ee61cceb5a40643b96a8a
Instruction ID: 6cb2b7a4fa9ab36cb46805a6db41ed2b5a63fda9881e2bdf16e9b7d5da99d8c1
Opcode Fuzzy Hash: 6ced8723f13e79167302d555f74858a7a724ba7ea46ee61cceb5a40643b96a8a
Instruction Fuzzy Hash: 4271ABB16083019BD324DF14D880B6BBBF5FB99704F90492EF58587350DB7AE849CB96

Function 0042ACA0 Relevance: 15.2, APIs: 10, Instructions: 184windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046C500: DeleteObject.GDI32(00000000), ref: 0046C50F

LoadBitmapW.USER32(?,00000000), ref: 0042AD0B
LoadBitmapW.USER32(?), ref: 0042AD34
LoadBitmapW.USER32(?), ref: 0042AD5B
LoadBitmapW.USER32(?), ref: 0042AD7A
LoadBitmapW.USER32(?,00000000), ref: 0042ADB1
LoadBitmapW.USER32(?), ref: 0042AE1F
DeleteObject.GDI32(?), ref: 0042AE3A
SetWindowRgn.USER32(?,00000000,00000001), ref: 0042AE69
73A0A570.USER32(?), ref: 0042AE73
SelectClipRgn.GDI32(00000000,?), ref: 0042AE87

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: BitmapLoad$DeleteObject$A570ClipSelectWindow
String ID:
API String ID: 2288048198-0
Opcode ID: b8e8437dea5caadc6cbef60be1e12ff189d4f3748ef0244ecaa0055ae184f183
Instruction ID: 19cfb65866e468dcef953c66d82614c1477c51f04c40df1baefa308429cda4a0
Opcode Fuzzy Hash: b8e8437dea5caadc6cbef60be1e12ff189d4f3748ef0244ecaa0055ae184f183
Instruction Fuzzy Hash: 6651B171310760ABC250EF719C95BBBB3AAEFD4705F41081FF996C7241EA38A845876A

Function 00464B07 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 244COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00464B37

Strings

@, xrefs: 00464CDC
AfxControlBar90su, xrefs: 00464BB3
@, xrefs: 00464C43
AfxWnd90su, xrefs: 00464B71
AfxMDIFrame90su, xrefs: 00464BD8
AfxOleControl90su, xrefs: 00464B93
AfxFrameOrView90su, xrefs: 00464BFD

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxControlBar90su$AfxFrameOrView90su$AfxMDIFrame90su$AfxOleControl90su$AfxWnd90su
API String ID: 2102423945-1078861282
Opcode ID: a764c1ecf45209b562ae94157c3a2a788af7566ba7c96e998dd52f4fb9d4ead1
Instruction ID: 1a98149a5670b0007c982929823162f44ad01207efb700e28c43082c6660c82e
Opcode Fuzzy Hash: a764c1ecf45209b562ae94157c3a2a788af7566ba7c96e998dd52f4fb9d4ead1
Instruction Fuzzy Hash: F7913FB1D00209BADF50DFA5D985BDEBBF8AF44344F14816AF908E6281F778CA44C799

Function 0044EE80 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 126sleepwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0043F5C0: SystemParametersInfoW.USER32(00000056,00000001,00000000,00000000), ref: 0043F5D2
Part of subcall function 0043F5C0: SendMessageW.USER32(?,00000112,0000F170,000000FF), ref: 0043F605

Sleep.KERNEL32(0000012C,?), ref: 0044EFA9
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044EFC4
DeleteObject.GDI32(?), ref: 0044EFE6
DeleteObject.GDI32(?), ref: 0044EFF9

Part of subcall function 00439000: Shell_NotifyIconW.SHELL32(00000002), ref: 0043902B

Part of subcall function 00439820: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0043984F

Strings

comlogo.jpg, xrefs: 0044EEA6
comlogo.swf, xrefs: 0044EEAD
B, xrefs: 0044EF5D
comlogo.gif, xrefs: 0044EE9F

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: DeleteIconMessageNotifyObjectSendShell_$InfoParametersSleepSystem
String ID: B$comlogo.gif$comlogo.jpg$comlogo.swf
API String ID: 1939830831-3998327454
Opcode ID: e8784a199cb7303c0083075c5c28afa2776bcbe2f47cec3b66d8f899e3f0d337
Instruction ID: 7d763b81144d50e07c44d47d9572f8dae24faa7ee06361183818cef46c02f19f
Opcode Fuzzy Hash: e8784a199cb7303c0083075c5c28afa2776bcbe2f47cec3b66d8f899e3f0d337
Instruction Fuzzy Hash: 43410C716043599FEF30BF368C956AF77A5BF55304F10042EE94657382CA385D08C796

Function 0045E69F Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32(00000002,00000000), ref: 0045E6B9
MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 0045E6DF
SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 0045E709
GetSystemMetrics.USER32(00000000), ref: 0045E720
GetSystemMetrics.USER32(00000001), ref: 0045E727
MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,-00000028,00000020), ref: 0045E752

Strings

B, xrefs: 0045E6E9
DISPLAY, xrefs: 0045E749

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: System$ByteCharInfoMetricsMultiWide$MonitorParameters
String ID: B$DISPLAY
API String ID: 3432410572-3316187204
Opcode ID: c95f2a7438eca42b76c5f8d9cfeaaa88f40bd628a6f19b26bb919bd861621ed0
Instruction ID: 8adf9389cd2ad4a2ae84c7986e98f0a213c8b38e9c3ba3da7b171382de0fe30a
Opcode Fuzzy Hash: c95f2a7438eca42b76c5f8d9cfeaaa88f40bd628a6f19b26bb919bd861621ed0
Instruction Fuzzy Hash: 7921F571601320ABDF289F12DC88B5B7BA8EF09752F104127FD149B282D674DA48CBA8

Function 00407490 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040F4B0: WTSGetActiveConsoleSessionId.KERNEL32 ref: 0040F4E4
Part of subcall function 0040F4B0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F5

ShellExecuteW.SHELL32(00000000,Open,STClientChat.exe,00000000,00000000,00000001), ref: 004074CC
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002E,00000000,00000000,STClientChat.exe), ref: 004074DD
_sprintf.LIBCMT ref: 004074F5
_sprintf.LIBCMT ref: 00407523
SetTimer.USER32(?,00000D31,00000064,00000000), ref: 0040756E

Strings

Open, xrefs: 004074C6
STClientChat.exe, xrefs: 004074AD, 004074C1
%s\stbid.txt, xrefs: 004074EF

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _sprintf$ActiveConsoleCreateExecuteFolderPathSessionShellSnapshotSpecialTimerToolhelp32
String ID: %s\stbid.txt$Open$STClientChat.exe
API String ID: 3972906241-1809709238
Opcode ID: 8f0021560c0044364f922898703fd6fd484200081159407b3f3971e4f7f9972a
Instruction ID: a850480af749097d00a6bf27ea23f0ec6225daed0a5bcea2fa70756972823a66
Opcode Fuzzy Hash: 8f0021560c0044364f922898703fd6fd484200081159407b3f3971e4f7f9972a
Instruction Fuzzy Hash: F821C271244700BFE724DB60CC4AFEB77A9BF98704F40492DF6899A0C0EBB4A6048B56

Function 004F25C6 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004F25CD
std::bad_exception::bad_exception.LIBCMT ref: 004F25EA
__CxxThrowException@8.LIBCMT ref: 004F25F8

Part of subcall function 004AD7AD: RaiseException.KERNEL32(?,?,?,?), ref: 004AD7EF

__EH_prolog3.LIBCMT ref: 004F2605
std::bad_exception::bad_exception.LIBCMT ref: 004F2622
__CxxThrowException@8.LIBCMT ref: 004F2630

Part of subcall function 00410310: std::exception::exception.LIBCMT ref: 0041033E

Strings

invalid string position, xrefs: 004F25D2
invalid string argument, xrefs: 004F260A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Exception@8H_prolog3Throwstd::bad_exception::bad_exception$ExceptionRaisestd::exception::exception
String ID: invalid string argument$invalid string position
API String ID: 1783365832-3740083952
Opcode ID: ae79071abca63a36102e7c81d9ec58b2124bfab355d48f9ce1390618e4d77e55
Instruction ID: a8474675b9911315f1bc3f7aa1c2facfc144e92d8facf8bcacacdaa66d16acde
Opcode Fuzzy Hash: ae79071abca63a36102e7c81d9ec58b2124bfab355d48f9ce1390618e4d77e55
Instruction Fuzzy Hash: 4501847194020CA7CB04FAD1CC52EDEB779EF14729F44082AF601A7491DBF8AA44C7A8

Function 004723AB Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004723B2

Part of subcall function 004840E4: RtlEnterCriticalSection.NTDLL(0063B3C8), ref: 0048411E
Part of subcall function 004840E4: RtlInitializeCriticalSection.NTDLL(?), ref: 00484130
Part of subcall function 004840E4: RtlLeaveCriticalSection.NTDLL(0063B3C8), ref: 0048413D
Part of subcall function 004840E4: RtlEnterCriticalSection.NTDLL(?), ref: 0048414D

GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 004723FE
GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 00472410

Strings

DragDelay, xrefs: 00472405
@qF, xrefs: 004723C3
windows, xrefs: 004723F8, 004723FD, 0047240A
DragMinDist, xrefs: 004723F3
!G, xrefs: 004723C9

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
String ID: @qF$DragDelay$DragMinDist$windows$!G
API String ID: 3965097884-578507828
Opcode ID: d781d6fcb443aaadb66c868160f56ef79a5ced245f4bf807d1a75cf04cf914e3
Instruction ID: 8e53cb7f9083912063406586d8d3c340943e52971f89087c10c8b4c2d31a1934
Opcode Fuzzy Hash: d781d6fcb443aaadb66c868160f56ef79a5ced245f4bf807d1a75cf04cf914e3
Instruction Fuzzy Hash: 5DF06D709447009BE711AF574D56B8EFEE5BF91704F40650FE24867791D7F865808F88

Function 00435117 Relevance: 13.8, APIs: 9, Instructions: 253COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000010,00000000), ref: 0043513E
SHGetFileInfo.SHELL32(?,00000000,?,000002B4,00004301), ref: 00435179
_memset.LIBCMT ref: 00435195
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000005,00000000), ref: 00435272
SHGetFileInfo.SHELL32(?,00000000,?,000002B4,00004301), ref: 004352AA

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: FileFolderInfoPathSpecial$_memset
String ID:
API String ID: 2736839354-0
Opcode ID: e15f3230b5d8e99954844e7325a5bafae0dc2e5ded7379703548a51bae629e10
Instruction ID: 368a698ea25cff9a2d5b1d463f08b7ef8c9907b29b45dca172c68046e5de9a10
Opcode Fuzzy Hash: e15f3230b5d8e99954844e7325a5bafae0dc2e5ded7379703548a51bae629e10
Instruction Fuzzy Hash: 39A1F27090078A8BDF21CF64DC65BEF37A0EB19300F144529EE499F281DB799609CB99

Function 0041B300 Relevance: 13.7, APIs: 9, Instructions: 219windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B316

Part of subcall function 0041A620: GetClientRect.USER32(?,?), ref: 0041A632

SendMessageW.USER32(?,00000114,00000001,00000000), ref: 0041B38D
SendMessageW.USER32(?,00000114,00000000,00000000), ref: 0041B3D0
SendMessageW.USER32(?,00000115,00000001,00000000), ref: 0041B409
SendMessageW.USER32(?,00000115,00000000,00000000), ref: 0041B447
IsWindow.USER32(?), ref: 0041B484
GetClientRect.USER32(?,?), ref: 0041B4AC
SendMessageW.USER32(?,00000114,00000001,00000000), ref: 0041B4E3
SendMessageW.USER32(?,00000115,00000001,00000000), ref: 0041B542

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSend$ClientRect$FocusWindow
String ID:
API String ID: 1165954376-0
Opcode ID: b12ed7a3033774d15e7c40635b147f91625cbd40005a6253d9ab31ee006be14d
Instruction ID: dd3610fac3f1ac062fb1af72479236f370597c7f0e42cfe396e456166e61db44
Opcode Fuzzy Hash: b12ed7a3033774d15e7c40635b147f91625cbd40005a6253d9ab31ee006be14d
Instruction Fuzzy Hash: 967160312087059BD314DB28C985FAFB7E5FBC8708F00491EF98597391EB74E9458B9A

Function 0042EE70 Relevance: 13.6, APIs: 9, Instructions: 123COMMON

Download Yara Rule

APIs

mixerOpen.WINMM(?,?,00000000,00000000,00000000), ref: 0042EE97
mixerGetLineInfoW.WINMM ref: 0042EECD
mixerGetLineInfoW.WINMM(?,?,00000001), ref: 0042EF01
_malloc.LIBCMT ref: 0042EF13
mixerGetLineControlsW.WINMM ref: 0042EF55
_malloc.LIBCMT ref: 0042EF7A
mixerGetControlDetailsW.WINMM ref: 0042EFB7
mixerSetControlDetails.WINMM(?,?,00000000), ref: 0042EFD6
mixerClose.WINMM(?,00000002), ref: 0042EFFB

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: mixer$Line$ControlDetailsInfo_malloc$CloseControlsOpen
String ID:
API String ID: 3823334366-0
Opcode ID: aa3d1a33b31c1c04186136f46393f3b5cabd55f6a5891c34cd90260498ee20c3
Instruction ID: 18bb6c774bca5344a0af49e947fcc0bf518a216ac1975973def3477b81b5c0fe
Opcode Fuzzy Hash: aa3d1a33b31c1c04186136f46393f3b5cabd55f6a5891c34cd90260498ee20c3
Instruction Fuzzy Hash: 66418CB1608341AFD320DF55D885BAFBBE8BB99704F40481DF68487340E7B9E908CB96

Function 0042F020 Relevance: 13.6, APIs: 9, Instructions: 123COMMON

Download Yara Rule

APIs

mixerOpen.WINMM(?,?,00000000,00000000,00000000), ref: 0042F047
mixerGetLineInfoW.WINMM ref: 0042F07D
mixerGetLineInfoW.WINMM(?,?,00000001), ref: 0042F0B1
_malloc.LIBCMT ref: 0042F0C3
mixerGetLineControlsW.WINMM ref: 0042F105
_malloc.LIBCMT ref: 0042F12A
mixerGetControlDetailsW.WINMM ref: 0042F167
mixerSetControlDetails.WINMM(?,?,00000000), ref: 0042F186
mixerClose.WINMM(?,00000002), ref: 0042F1AB

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: mixer$Line$ControlDetailsInfo_malloc$CloseControlsOpen
String ID:
API String ID: 3823334366-0
Opcode ID: 880461bcac26988049a60713851ecda999813b7d5984fbb43ca95964d35e8703
Instruction ID: 8b9a7d056cb279c06ed1d7981444b9171eef6033b047abba9e973e6b3851b734
Opcode Fuzzy Hash: 880461bcac26988049a60713851ecda999813b7d5984fbb43ca95964d35e8703
Instruction Fuzzy Hash: 10417AB16083419FD320DF55D885BAFBBF8BB89704F80492DF69487341D7B9A808CB96

Function 00440BC7 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 125sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 00440C1B
Sleep.KERNEL32(0000012C), ref: 00440C36
Sleep.KERNEL32(000001F4), ref: 00440C45
Sleep.KERNEL32(0000000A), ref: 00440CA3
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00440E8E
__endthread.LIBCMT ref: 00440F17

Strings

_st_ft_tmp.zip, xrefs: 00440E9B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Sleep$CloseHandle__endthread
String ID: _st_ft_tmp.zip
API String ID: 2925947229-1049501217
Opcode ID: 25784e39e1f282e5a0f1c6a8b994de58a0bf698e92a8ef4d02bd15958f14cb0c
Instruction ID: fd99b499fdcc8942ce075b585f1e9011586f3a2256be59a9bb7d5f2647bd487d
Opcode Fuzzy Hash: 25784e39e1f282e5a0f1c6a8b994de58a0bf698e92a8ef4d02bd15958f14cb0c
Instruction Fuzzy Hash: EC4138716043458FD728DB29CC51BABB3E4AF99314F14062DE94C8B391DB38EC05CB56

Function 0046A131 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046A07F: GetParent.USER32(?), ref: 0046A0D3
Part of subcall function 0046A07F: GetLastActivePopup.USER32(?), ref: 0046A0E4
Part of subcall function 0046A07F: IsWindowEnabled.USER32(?), ref: 0046A0F8
Part of subcall function 0046A07F: EnableWindow.USER32(?,00000000), ref: 0046A10B

EnableWindow.USER32(?,00000001), ref: 0046A17E
GetWindowThreadProcessId.USER32(?,?), ref: 0046A192
GetCurrentProcessId.KERNEL32 ref: 0046A19C
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 0046A1B4
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0046A230
EnableWindow.USER32(00000000,00000001), ref: 0046A277

Strings

0, xrefs: 0046A209

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: 127f69435ddebf764eec651f9cd15ad1b9d5079f3e8743e4688742f1e9fc01a7
Instruction ID: 48c6c8046424fea764933db5e63227026e6f1f6ad9ce58da45ccf3db8aefdc50
Opcode Fuzzy Hash: 127f69435ddebf764eec651f9cd15ad1b9d5079f3e8743e4688742f1e9fc01a7
Instruction Fuzzy Hash: 1D41B071A407189BDB209F64CC897DAB7B9FF14310F14059AF815A6381E7798E908F97

Function 00440BF7 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 00440C1B
Sleep.KERNEL32(0000012C), ref: 00440C36
Sleep.KERNEL32(000001F4), ref: 00440C45
Sleep.KERNEL32(0000000A), ref: 00440CA3
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00440E8E
__endthread.LIBCMT ref: 00440F17

Strings

_st_ft_tmp.zip, xrefs: 00440E9B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Sleep$CloseHandle__endthread
String ID: _st_ft_tmp.zip
API String ID: 2925947229-1049501217
Opcode ID: 2ca5b9a388d4432aadb4b42eec9d201213472f16bc020162cc516e5052af57e7
Instruction ID: 9be58e5dce131cf004f6a44f806f926775009bbd165457fdca9b5ccfab9d68d4
Opcode Fuzzy Hash: 2ca5b9a388d4432aadb4b42eec9d201213472f16bc020162cc516e5052af57e7
Instruction Fuzzy Hash: 0D4104716043458FD728DF29CC55B9BB3E4AF99324F14062DE94C8B391DB38AC05CB96

Function 00440BF5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 00440C1B
Sleep.KERNEL32(0000012C), ref: 00440C36
Sleep.KERNEL32(000001F4), ref: 00440C45
Sleep.KERNEL32(0000000A), ref: 00440CA3
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00440E8E
__endthread.LIBCMT ref: 00440F17

Strings

_st_ft_tmp.zip, xrefs: 00440E9B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Sleep$CloseHandle__endthread
String ID: _st_ft_tmp.zip
API String ID: 2925947229-1049501217
Opcode ID: c6ad69bda682ba5115a9988a177925671eb655441b52c2a3d87b7001007bce4f
Instruction ID: 2e94e741bdc0fe0c0af00355c115bf5a4e6d1fcb423f8891761966a5a90023c0
Opcode Fuzzy Hash: c6ad69bda682ba5115a9988a177925671eb655441b52c2a3d87b7001007bce4f
Instruction Fuzzy Hash: A941F5716043458FD728DF29CC95BABB3E4AF99324F14066DE94C8B391D738AC05CB96

Function 0043F2F0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 004F3D8F: __waccess_s.LIBCMT ref: 004F3D9A

GetClientRect.USER32(?,?), ref: 0043F332

Part of subcall function 0046BDFD: ClientToScreen.USER32(?,?), ref: 0046BE0E
Part of subcall function 0046BDFD: ClientToScreen.USER32(?,?), ref: 0046BE1B

Part of subcall function 004678B0: ShowWindow.USER32(?,?), ref: 004678C1

Part of subcall function 0042FF70: CopyRect.USER32(?,?), ref: 0042FF79

GetClientRect.USER32(?,?), ref: 0043F3C6

Part of subcall function 00431BD0: SelectObject.GDI32(?,?), ref: 00431CD3
Part of subcall function 00431BD0: DeleteDC.GDI32(?), ref: 00431CDC
Part of subcall function 00431BD0: DeleteObject.GDI32(?), ref: 00431CE5

Strings

comlogo.jpg, xrefs: 0043F409
comlogo.gif, xrefs: 0043F304
comlogo.swf, xrefs: 0043F415
comlogo.jpg, xrefs: 0043F39C
comlogo.gif, xrefs: 0043F375

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Client$Rect$DeleteObjectScreen$CopySelectShowWindow__waccess_s
String ID: comlogo.gif$comlogo.gif$comlogo.jpg$comlogo.jpg$comlogo.swf
API String ID: 4067697235-307494107
Opcode ID: 34eee4a655b99c1176a4f50cc9824a96653aa5c75be69615f3d945e8dd0f2730
Instruction ID: a16593ee5074a023825c966e057f48552db9a3a68c1a3767f54d4b7ca83bbd24
Opcode Fuzzy Hash: 34eee4a655b99c1176a4f50cc9824a96653aa5c75be69615f3d945e8dd0f2730
Instruction Fuzzy Hash: 4431E83135070667D614F722C956BFFB699AFE4708F00042EF54A861D1EBB865098767

Function 00444AE0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0000000A), ref: 00444B24
RtlEnterCriticalSection.NTDLL(?), ref: 00444B3C
RtlLeaveCriticalSection.NTDLL(?), ref: 00444B4D
OutputDebugStringW.KERNEL32(HHHH *&*^&^*&^*(&*& exit event), ref: 00444B6E
RtlEnterCriticalSection.NTDLL(?), ref: 00444BB0
RtlLeaveCriticalSection.NTDLL(?), ref: 00444BC9

Strings

HHHH *&*^&^*&^*(&*& exit event, xrefs: 00444B69

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CriticalSection$EnterLeave$DebugMultipleObjectsOutputStringWait
String ID: HHHH *&*^&^*&^*(&*& exit event
API String ID: 233558907-3841546532
Opcode ID: a08ea48bf1bb9e41a743d7c4ec734488bafdcd45fc55fd8144e1138e73997642
Instruction ID: 09f7bcfd6dc87f90b7b62800f459eaf66a96dd699564e391d5ab4009c346ae54
Opcode Fuzzy Hash: a08ea48bf1bb9e41a743d7c4ec734488bafdcd45fc55fd8144e1138e73997642
Instruction Fuzzy Hash: 033175B51002459FE720DF24DD89BABB7A8FF94315F00051EE94A97291E778F908CB69

Function 0043C1E0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75sleepfilepipeCOMMON

Download Yara Rule

APIs

WaitNamedPipeW.KERNEL32(\\.\pipe\SeetrolClientMyPipeMY,000003E8), ref: 0043C204
_memset.LIBCMT ref: 0043C23C
WriteFile.KERNEL32(00000000,?,0000012C,00000091,00000000), ref: 0043C2B2
FlushFileBuffers.KERNEL32(00000000), ref: 0043C2B9
CloseHandle.KERNEL32(00000000), ref: 0043C2C0
Sleep.KERNEL32(000000C8), ref: 0043C2CB

Strings

\\.\pipe\SeetrolClientMyPipeMY, xrefs: 0043C1FB, 0043C21A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: File$BuffersCloseFlushHandleNamedPipeSleepWaitWrite_memset
String ID: \\.\pipe\SeetrolClientMyPipeMY
API String ID: 3773843625-1056935190
Opcode ID: 5701df2110dfea68ee43e6c46ead260cf93b4568f1dbedf85755a2794538a361
Instruction ID: 4f51ab07874ebbcae729c28ae05737d4c72961214431ccc19d3662348f495e5d
Opcode Fuzzy Hash: 5701df2110dfea68ee43e6c46ead260cf93b4568f1dbedf85755a2794538a361
Instruction Fuzzy Hash: 0721E031508790AFD7318B68DC9DBDF7BA4AFAB310F008A09F5899B291D7704508CBE6

Function 00452730 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,9F5E49E1), ref: 00452767
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00452786
OutputDebugStringW.KERNEL32(HHHHH SeetrolClient SoundOut : AddBuffer Error), ref: 004527B8
waveOutPause.WINMM(?), ref: 004527CB
waveOutReset.WINMM(?), ref: 004527D5
waveOutRestart.WINMM(?), ref: 004527DF

Strings

HHHHH SeetrolClient SoundOut : AddBuffer Error, xrefs: 004527B3

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: wave$ObjectSingleWait$DebugOutputPauseResetRestartString
String ID: HHHHH SeetrolClient SoundOut : AddBuffer Error
API String ID: 2424198513-943445709
Opcode ID: 9737aa1de68f8b754ffcb7f57d729415f26c7e4c56209c50f83a8c3be7a89fdd
Instruction ID: f8a4c2abf471e7a15d77608a1f04401e2868bc1e2b4ba0c18b15c455fbf6ffba
Opcode Fuzzy Hash: 9737aa1de68f8b754ffcb7f57d729415f26c7e4c56209c50f83a8c3be7a89fdd
Instruction Fuzzy Hash: B7213A75600605DFD724DFA4CD88B5AB7A8FB09725F104B1AE966933D0EB74A808CB94

Function 0043411D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52sleepnetworkCOMMON

Download Yara Rule

APIs

WSACloseEvent.WS2_32(?), ref: 00434163
OutputDebugStringW.KERNEL32(RelayWorkThread for Manager exit $%%^^$$%%^*********............), ref: 0043417E
closesocket.WS2_32(?), ref: 00434197
closesocket.WS2_32(?), ref: 004341A3
Sleep.KERNEL32(00000064), ref: 004341C0
__endthread.LIBCMT ref: 004341C6

Strings

RelayWorkThread for Client exit $%%^^$$%%^*********............, xrefs: 00434172

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: closesocket$CloseDebugEventOutputSleepString__endthread
String ID: RelayWorkThread for Client exit $%%^^$$%%^*********............
API String ID: 3972144555-3542854420
Opcode ID: 178eb011180ceddbc030f9cc7fe52f79a67b51c2aac5b4639498ccb47b105530
Instruction ID: 888c02070db605e560329a87a873a69b1d591ec2f4248d4e0a09e9a19d45160c
Opcode Fuzzy Hash: 178eb011180ceddbc030f9cc7fe52f79a67b51c2aac5b4639498ccb47b105530
Instruction Fuzzy Hash: 3111C171A005049BCB10EFA4DC499EDB771BF99320F14022BE925673C1DB39B885CB94

Function 0041D050 Relevance: 12.2, APIs: 8, Instructions: 229COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0041D18F
GetParent.USER32(?), ref: 0041D1BA
StartDocW.GDI32(?,?), ref: 0041D1F8
SetRect.USER32(?,00000000,00000000,00000000,00000000), ref: 0041D236

Part of subcall function 00473913: __EH_prolog3.LIBCMT ref: 0047391A
Part of subcall function 00473913: _memset.LIBCMT ref: 00473941

StartPage.GDI32(?), ref: 0041D279
EndPage.GDI32(?), ref: 0041D29A
EndDoc.GDI32(?), ref: 0041D2D8

Part of subcall function 0045D88D: __EH_prolog3.LIBCMT ref: 0045D894

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: H_prolog3PageParentStart$Rect_memset
String ID:
API String ID: 3745811272-0
Opcode ID: 37c5b133ca05acf76df20ebdcdf4662849d6d5ab65742a3a56cc09febccfe889
Instruction ID: 6eb919b74158b67bffd76aa821ea5ed14224187a2bb6122f7cdf92d883e88aec
Opcode Fuzzy Hash: 37c5b133ca05acf76df20ebdcdf4662849d6d5ab65742a3a56cc09febccfe889
Instruction Fuzzy Hash: 4D918FB16083419FC324DF65C894BAFB7E4BF98304F004A1EF5A987291DB78E945CB96

Function 0041A900 Relevance: 12.2, APIs: 8, Instructions: 178COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0041A921
GetClientRect.USER32(?,?), ref: 0041A938
GetSystemMetrics.USER32(00000005), ref: 0041A96D
GetSystemMetrics.USER32(00000002), ref: 0041A973

Part of subcall function 0045F286: SetScrollInfo.USER32(?,?,?,?), ref: 0045F2B7

GetSystemMetrics.USER32(00000006), ref: 0041A98A
GetSystemMetrics.USER32(00000003), ref: 0041A990
GetSystemMetrics.USER32(00000002), ref: 0041AA27
GetSystemMetrics.USER32(00000003), ref: 0041AA4B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MetricsSystem$ClientInfoRectScrollWindow
String ID:
API String ID: 4163134966-0
Opcode ID: 3b30862de2ee913d7e9d3646363b4b4346e3b500ef93c4381d50d3eee7599dbe
Instruction ID: cd5c0642ad3737dea2e689911142bf76e832dd6a0e3cb44d965b0adca86b060b
Opcode Fuzzy Hash: 3b30862de2ee913d7e9d3646363b4b4346e3b500ef93c4381d50d3eee7599dbe
Instruction Fuzzy Hash: 655171706093419FD700EF75C9957AFB7E5BF88708F40091EF18597281DBB8A885CB9A

Function 00452D30 Relevance: 12.2, APIs: 8, Instructions: 158windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00452D76
GetTickCount.KERNEL32 ref: 00452D8A
ClientToScreen.USER32(?,?), ref: 00452DBC
WindowFromPoint.USER32(?,?), ref: 00452DD3
GetFocus.USER32 ref: 00452E03
SendMessageW.USER32(?,00000084,00000000,00000000), ref: 00452E5D
ScreenToClient.USER32(?,?), ref: 00452E71
PostMessageW.USER32(?,00000203,?,?), ref: 00452EE1

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Message$ClientPostScreen$CountFocusFromPointSendTickWindow
String ID:
API String ID: 2384704540-0
Opcode ID: d7e5c604c5d460d22b0a2dbb4a64dafd43ff654d0fd2c71a3bd0e1732844dd61
Instruction ID: dadd3efd1a0cdaafcfdf1311a960b4fb12f960eb1deed71072a9722ffe7bc319
Opcode Fuzzy Hash: d7e5c604c5d460d22b0a2dbb4a64dafd43ff654d0fd2c71a3bd0e1732844dd61
Instruction Fuzzy Hash: 1551A4B52002019BD314DF29DA4897BB7E8FB99712F004A2FF95583642D7B8E84DC7A5

Function 00443380 Relevance: 12.1, APIs: 8, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00443401
CreatePopupMenu.USER32 ref: 00443407
AppendMenuW.USER32(00000000,00000000,0000573D,00000010), ref: 0044343F
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 0044344B
AppendMenuW.USER32(00000000,00000000,0000573E,00000010), ref: 00443477
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 00443483
TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 004434A2
DestroyMenu.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004FAD88,000000FF), ref: 004434A9

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Menu$Append$Popup$CreateCursorDestroyTrack_memcpy_s
String ID:
API String ID: 4244293217-0
Opcode ID: 203cb0b06e50dd81983121c712a29e1b9dcac0ac9c9f70109665b23b7da2da42
Instruction ID: d8849ce175127fdbcb6ae2b91cfe4a03e5827b675fb5a2c4d90f23226e65250c
Opcode Fuzzy Hash: 203cb0b06e50dd81983121c712a29e1b9dcac0ac9c9f70109665b23b7da2da42
Instruction Fuzzy Hash: D441A071344345AFE310EF24CC45F5B73A8EF88B15F10861EF5459B2D1DB78AA058BAA

Function 0043D400 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbcc9c46c352b48f2ed8017005de88013f641f39511fb914fee069b5cf260de
Instruction ID: 18a9c1475317a29a52b56270db218198cc6087b2dd259ab0e180af0b2e293041
Opcode Fuzzy Hash: 1fbcc9c46c352b48f2ed8017005de88013f641f39511fb914fee069b5cf260de
Instruction Fuzzy Hash: CE212530B40309BAEA206B659C02FBB369DDFD4B51F10502AF7419F2C1D9B8A8118B7A

Function 004E0AA0 Relevance: 10.9, APIs: 7, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea08bd9f0d6355a818afcd725929d5f2d92521074432b8b22d49b5abd08a14b
Instruction ID: 12949b87b4214ae9b5737157eef75b38fdcc9a0cd568f8813b83b4fa32857d28
Opcode Fuzzy Hash: dea08bd9f0d6355a818afcd725929d5f2d92521074432b8b22d49b5abd08a14b
Instruction Fuzzy Hash: 96F14AB1A002418FCB18CF1DD880A5A7BE1FF88315F19826EED59CB34AE775E845CB85

Function 004229A6 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 277COMMON

Download Yara Rule

APIs

73A0A570.USER32(?), ref: 004229F4
CreateFontW.GDI32(000000F6,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000002,00000001,00000000,00000000,9F5E49E1), ref: 00422A85
GetTextExtentPoint32W.GDI32(?,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSATUVWXYZ,00000034,?), ref: 00422AB1
MulDiv.KERNEL32(00000000,?,?), ref: 00422B9C

Strings

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSATUVWXYZ, xrefs: 00422AAB
Arial, xrefs: 00422A40

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: A570CreateExtentFontPoint32Text
String ID: Arial$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSATUVWXYZ
API String ID: 2852238927-714778771
Opcode ID: 74cb0a8539001cba7f12c994d0128e940a10d26ad0b9edb3fb19d7374c5745c5
Instruction ID: fd3134dbab158495bdc90fe952343fb6c8887cda17e5020c0e0c109a537ec872
Opcode Fuzzy Hash: 74cb0a8539001cba7f12c994d0128e940a10d26ad0b9edb3fb19d7374c5745c5
Instruction Fuzzy Hash: D6B19C70600B01AFC324CF69C991BABF7E9FF88700F004A1EE19A87290DBB4B944CB55

Function 00466154 Relevance: 10.7, APIs: 7, Instructions: 232comfilestringCOMMON

Download Yara Rule

APIs

OleDuplicateData.OLE32(?,?,00000000), ref: 004661DA
GlobalLock.KERNEL32(00000000), ref: 00466209
CopyMetaFileW.GDI32(?,00000000,?,00000000,?,00000001,00000000,00000001,00000000,?,?,9F5E49E1), ref: 00466215
GlobalUnlock.KERNEL32(?), ref: 00466225
GlobalFree.KERNEL32(?), ref: 0046622E
GlobalUnlock.KERNEL32(?), ref: 0046623A
lstrlenW.KERNEL32(?,0000005C,004709CE,?,?,?,?,00000000,?,00000001,00000000,00000001,00000000,?,?,9F5E49E1), ref: 0046629A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Global$Unlock$CopyDataDuplicateFileFreeLockMetalstrlen
String ID:
API String ID: 1271135931-0
Opcode ID: c6f1541463c398a7427013332be600e107c71eb898c86a70a716f1f2abc9834b
Instruction ID: 81097ad59716dc28ec7bbd67679d114b4f522f83aa3027a1d928b3e8a424e6cc
Opcode Fuzzy Hash: c6f1541463c398a7427013332be600e107c71eb898c86a70a716f1f2abc9834b
Instruction Fuzzy Hash: 1081AFB1500605AFDB14AFA0CD8882BBBB9FF44308B11851EF856D7751E738EC51CB66

Function 00444710 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 197COMMON

Download Yara Rule

APIs

IsUserAnAdmin.SHELL32 ref: 004448A2
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000005,00000000), ref: 004448C0

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Part of subcall function 00403BF0: FindResourceW.KERNEL32(?,?,00000006), ref: 00403C0A

Strings

seetrol, xrefs: 004448DA
%s\client, xrefs: 004448FA
SeetrolClient, xrefs: 00444969
%s\SeetrolClient.exe, xrefs: 00444945

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: AdminFindFolderPathResourceSpecialUser_memcpy_s
String ID: %s\SeetrolClient.exe$%s\client$SeetrolClient$seetrol
API String ID: 1118494262-2328916545
Opcode ID: 2e6da713bdfe2294361ef6e180e1fe32e49aaefce39cf93751a0ede9a5b820c5
Instruction ID: 61659b773a41b36e2dea1b91efa9b3bd377974ffeaf6147aea8d0dcb8c464eda
Opcode Fuzzy Hash: 2e6da713bdfe2294361ef6e180e1fe32e49aaefce39cf93751a0ede9a5b820c5
Instruction Fuzzy Hash: DB71C3B12047819FD324DB68CC41F9BB3E8BFD9324F048A2DB159971D1DB78A505CB96

Function 00423330 Relevance: 10.6, APIs: 7, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00423349
ScreenToClient.USER32(?,?), ref: 00423363
GetClientRect.USER32(?,?), ref: 00423372
SendMessageW.USER32(?,00000100,00000028,00000000), ref: 004233AB
SendMessageW.USER32(?,00000100,00000026,00000000), ref: 004233E5
SendMessageW.USER32(?,00000100,00000027,00000000), ref: 00423439
SendMessageW.USER32(?,00000100,00000025,00000000), ref: 00423475

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSend$Client$CursorRectScreen
String ID:
API String ID: 2034402169-0
Opcode ID: 68c52504ca970e59a8488983bca8a50b90094cae350757c093cf3178a9fbe62b
Instruction ID: 974e894b2020534cec55415e7003b645b640a4ad66340b0e2a8a4e44e1449ed5
Opcode Fuzzy Hash: 68c52504ca970e59a8488983bca8a50b90094cae350757c093cf3178a9fbe62b
Instruction Fuzzy Hash: 8A414072304310ABD310DE69D8C5E6F73FAAB8C749F500A1EF585D7280DAB8EE458B56

Function 004522C0 Relevance: 10.6, APIs: 7, Instructions: 103COMMON

Download Yara Rule

APIs

waveInGetNumDevs.WINMM ref: 004522DC
waveInGetDevCapsW.WINMM(00000000,00EFE5A0,00000050), ref: 004522EE
waveInOpen.WINMM(00EFE5F0,00000000,00EFE6F4,?,00000000,00010004,00EFDE10,75920F00,9F5E49E1), ref: 00452328
_memset.LIBCMT ref: 00452375
waveInPrepareHeader.WINMM(?,00EFE5F4), ref: 004523A1
waveInAddBuffer.WINMM(?,00EFE5F4,00000020), ref: 004523BB
waveInStart.WINMM(?), ref: 004523E4

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: wave$BufferCapsDevsHeaderOpenPrepareStart_memset
String ID:
API String ID: 2826888490-0
Opcode ID: cd2e0410df8bfa5c6b13e867c6d3b24d2af05f58dbf1f7c785a340020b899469
Instruction ID: e1e4d7984e8f2dc8722a964ff06a95bc714231f25d873dc0f441ae5837c5f1b3
Opcode Fuzzy Hash: cd2e0410df8bfa5c6b13e867c6d3b24d2af05f58dbf1f7c785a340020b899469
Instruction Fuzzy Hash: 524135B16003059FD724CF65DC48B9BBBE8FF59701F00892EE949DB241E7B8A548CBA4

Function 0042A720 Relevance: 10.6, APIs: 7, Instructions: 84windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042A590: SendMessageW.USER32 ref: 0042A5DD

GetCapture.USER32 ref: 0042A755
ClientToScreen.USER32(?,?), ref: 0042A775
WindowFromPoint.USER32(?,?), ref: 0042A785
SendMessageW.USER32(?,000000F2,00000000,00000000), ref: 0042A7A0
SendMessageW.USER32(?,000000F3,00000000,00000000), ref: 0042A7C5
6F582E20.COMCTL32(?), ref: 0042A7F6
InvalidateRect.USER32(00000010,00000000,00000001), ref: 0042A80F

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSend$CaptureClientF582FromInvalidatePointRectScreenWindow
String ID:
API String ID: 4196924802-0
Opcode ID: 1f78a50796f64a11b97e6b8963d1f6b71308d98346db007e27c12c5c81b83fbf
Instruction ID: 24ee508b9852c9e904fd8bbae91d3eb093849ed342a1e4a6bd4cbf59365e75a2
Opcode Fuzzy Hash: 1f78a50796f64a11b97e6b8963d1f6b71308d98346db007e27c12c5c81b83fbf
Instruction Fuzzy Hash: 48218C75204701AFE324DF28DC49B2BB7E5FFC8B00F04891EF58587290DAB4E9498B66

Function 00452C50 Relevance: 10.6, APIs: 7, Instructions: 74windowCOMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 00452C61

Part of subcall function 00452C00: IsWindow.USER32(?), ref: 00452C0F
Part of subcall function 00452C00: GetCapture.USER32 ref: 00452C19
Part of subcall function 00452C00: ReleaseCapture.USER32 ref: 00452C3F

ClientToScreen.USER32(?,?), ref: 00452C80
WindowFromPoint.USER32(?,?), ref: 00452C90
SendMessageW.USER32(?,00000084,00000000,?), ref: 00452CC0
ScreenToClient.USER32(?,?), ref: 00452CD4
PostMessageW.USER32(?,00000200,?,?), ref: 00452CF8
PostMessageW.USER32(?,000000A0,00000000,?), ref: 00452D1D

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Message$CaptureClientPostScreenWindow$FromPointRectReleaseSend
String ID:
API String ID: 818938559-0
Opcode ID: ad4542728f77f466ce5d677966af606f0e98afab31c70a58fa49b522c1037a0b
Instruction ID: 1358473a85baa72098068887ae342a702351a22f4d58462afbc851955f33ce96
Opcode Fuzzy Hash: ad4542728f77f466ce5d677966af606f0e98afab31c70a58fa49b522c1037a0b
Instruction Fuzzy Hash: 312116B1604311ABE314DB69D848D7FB3E9FBD8711F008E0EF99282241E774E848DBA5

Function 00416440 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66registryCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00416469
SystemParametersInfoW.USER32(00000068,00000000,00000003,00000000), ref: 0041648C
RegQueryValueExW.ADVAPI32(?,WheelScrollLines,00000000,00000114,?,?), ref: 004164ED
__wcstoui64.LIBCMT ref: 00416502

Strings

WheelScrollLines, xrefs: 004164DF
Control Panel\Desktop, xrefs: 004164B3

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: InfoParametersQuerySystemValueVersion__wcstoui64
String ID: Control Panel\Desktop$WheelScrollLines
API String ID: 743428168-287171498
Opcode ID: 74ee334af4915ddca503ddbf8f247f741d90004bdfd8fc0e32ff7550badbbcb6
Instruction ID: 1282d7479d7c975a97c3b1f981750936c27f0dbbfb0e8725f8622d2b2e882293
Opcode Fuzzy Hash: 74ee334af4915ddca503ddbf8f247f741d90004bdfd8fc0e32ff7550badbbcb6
Instruction Fuzzy Hash: 12217FB1208301BBE720DF50DC49B9F77E4BBA8704F40491DB58996180EB78D588CB97

Function 004333C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55timeCOMMON

Download Yara Rule

APIs

GetFileTime.KERNEL32(00000000,?,?,?), ref: 004333F8
FileTimeToSystemTime.KERNEL32(?,?), ref: 00433408
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0043341A
_sprintf.LIBCMT ref: 0043344E
CloseHandle.KERNEL32(00000000), ref: 00433457

Strings

%04d-%02d-%02d %02d_%02d_%02d, xrefs: 00433448

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Time$FileSystem$CloseHandleLocalSpecific_sprintf
String ID: %04d-%02d-%02d %02d_%02d_%02d
API String ID: 3897475658-2436475478
Opcode ID: c507b056eaf438c4e50a3846005162251736c2e574c24dc3c3d78ed4634e63c1
Instruction ID: 04d9a58352f8e613b90e633971799aaa56d978981e5a75450089d3443870cca8
Opcode Fuzzy Hash: c507b056eaf438c4e50a3846005162251736c2e574c24dc3c3d78ed4634e63c1
Instruction Fuzzy Hash: F0115E72008311BED314DB95CC49FBFB7E8EF98B15F008A0DFA95610D0E6749648D766

Function 00452540 Relevance: 10.5, APIs: 7, Instructions: 38sleepCOMMON

Download Yara Rule

APIs

waveOutPause.WINMM(?,?,0045282F,?,?,004387BD), ref: 00452554
Sleep.KERNEL32(00000032,?,?,0045282F,?,?,004387BD), ref: 00452563
SetEvent.KERNEL32(?,?,?,0045282F,?,?,004387BD), ref: 0045257A
Sleep.KERNEL32(00000032,?,?,0045282F,?,?,004387BD), ref: 00452582
CloseHandle.KERNEL32(?,?,?,0045282F,?,?,004387BD), ref: 0045258B
waveOutReset.WINMM(?,?,0045282F,?,?,004387BD), ref: 004525A4
waveOutClose.WINMM(?,?,0045282F,?,?,004387BD), ref: 004525AE

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: wave$CloseSleep$EventHandlePauseReset
String ID:
API String ID: 2362828720-0
Opcode ID: d94a9365682c8084b6e53dd30a7d6d38c3518e528448f578dcf5278db570c963
Instruction ID: a5eed4e690d929cdadbd9f309c16283d6d1642e1fd8e9c84d55ead2d1789be1b
Opcode Fuzzy Hash: d94a9365682c8084b6e53dd30a7d6d38c3518e528448f578dcf5278db570c963
Instruction Fuzzy Hash: 6401E8722007019BE7209BB9DD1CB5BB7E8BF15311F004A0AE99697390DBB8E448CB24

Function 00452803 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00452786
OutputDebugStringW.KERNEL32(HHHHH SeetrolClient SoundOut : AddBuffer Error), ref: 004527B8
waveOutPause.WINMM(?), ref: 004527CB
waveOutReset.WINMM(?), ref: 004527D5
waveOutRestart.WINMM(?), ref: 004527DF

Strings

HHHHH SeetrolClient SoundOut : AddBuffer Error, xrefs: 004527B3

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: wave$DebugObjectOutputPauseResetRestartSingleStringWait
String ID: HHHHH SeetrolClient SoundOut : AddBuffer Error
API String ID: 1162991792-943445709
Opcode ID: fb93dbcb5d7a44cc270080789c2a48b25ff3fe7092ca6baa79621583cb0b1503
Instruction ID: ceecea1be781eadb9476097733f95c4931c4334a9e222eb7c2d4d57c67cfc7fa
Opcode Fuzzy Hash: fb93dbcb5d7a44cc270080789c2a48b25ff3fe7092ca6baa79621583cb0b1503
Instruction Fuzzy Hash: 64015A35500A00DBD724DF60CD48B5BB7A4BB19312F108B0BE89697391EB78A809DF54

Function 0040A960 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 0040A96A
OpenServiceW.ADVAPI32(00000000,SeetrolMyService,000F01FF), ref: 0040A985
CloseServiceHandle.ADVAPI32(00000000), ref: 0040A998

Strings

SeetrolMyService, xrefs: 0040A97F

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: OpenService$CloseHandleManager
String ID: SeetrolMyService
API String ID: 4136619037-3785928781
Opcode ID: 1f0c173c9dcbeb2c66dac35199e205b8eda936089c194425047e3da6b1b3d94f
Instruction ID: 92629f76a2f965c6c248611ab414a72a7a052fa81d378a18f652f71b04963a83
Opcode Fuzzy Hash: 1f0c173c9dcbeb2c66dac35199e205b8eda936089c194425047e3da6b1b3d94f
Instruction Fuzzy Hash: 2EE092367453242AE621122E7C8CFEF2649EBD4B66F024023F704E7280CA648C4690B9

Function 0040A9C0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 0040A9CA
OpenServiceW.ADVAPI32(00000000,SeetrolClientService,000F01FF), ref: 0040A9E5
CloseServiceHandle.ADVAPI32(00000000), ref: 0040A9F8

Strings

SeetrolClientService, xrefs: 0040A9DF

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: OpenService$CloseHandleManager
String ID: SeetrolClientService
API String ID: 4136619037-3794700016
Opcode ID: 36f8f86905e6c0fd9e51b32e0e555065d09465aa1fa8f6d6fadc9c1688aa0ff0
Instruction ID: 288630e83eb3aa78e2c11e7dafc73f05f0d21263e2fc46c2c22b2166ff4a1739
Opcode Fuzzy Hash: 36f8f86905e6c0fd9e51b32e0e555065d09465aa1fa8f6d6fadc9c1688aa0ff0
Instruction Fuzzy Hash: DEE0923674532526E621132E7C8CFEF2649EBD8766F114023F704E7281CA648C46A0B9

Function 00484C4D Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00484C5B
GetSysColor.USER32(00000010), ref: 00484C62
GetSysColor.USER32(00000014), ref: 00484C69
GetSysColor.USER32(00000012), ref: 00484C70
GetSysColor.USER32(00000006), ref: 00484C77
GetSysColorBrush.USER32(0000000F), ref: 00484C84
GetSysColorBrush.USER32(00000006), ref: 00484C8B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 96ee53ef0e3aeae28732fd54298e4fb98de49f82d70a8af334d4c14fa81d596e
Instruction ID: 3f0e6e6007fcb4ea1a0dc14235800d7c08c99d16f3dba64d283b391a5b1a9fc7
Opcode Fuzzy Hash: 96ee53ef0e3aeae28732fd54298e4fb98de49f82d70a8af334d4c14fa81d596e
Instruction Fuzzy Hash: 7DF0FE719417485BD730BB725D09B47BAD1EFC4710F12092AD2458B990D6B6E441DF40

Function 0041C1D0 Relevance: 9.2, APIs: 6, Instructions: 226COMMON

Download Yara Rule

APIs

Part of subcall function 00452C00: IsWindow.USER32(?), ref: 00452C0F
Part of subcall function 00452C00: GetCapture.USER32 ref: 00452C19
Part of subcall function 00452C00: ReleaseCapture.USER32 ref: 00452C3F

GetClientRect.USER32(?,?), ref: 0041C210
InvalidateRect.USER32(?,?,00000001,?,?), ref: 0041C29E
InvalidateRect.USER32(?,?,00000001,?), ref: 0041C31D
InvalidateRect.USER32(?,?,00000001), ref: 0041C3F4
InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 0041C41C
InvalidateRect.USER32(?,00000000,00000001), ref: 0041C449

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Rect$Invalidate$Capture$ClientReleaseWindow
String ID:
API String ID: 3030343964-0
Opcode ID: 3f6bad3e9bba547932092b48fe34d2ca7d3244446070c748e7b05c7d7a5c6730
Instruction ID: ab748909c1c57b0e67a34a5abbabb38cfba0aa7c737cf42621bf7e9c7c71f14d
Opcode Fuzzy Hash: 3f6bad3e9bba547932092b48fe34d2ca7d3244446070c748e7b05c7d7a5c6730
Instruction Fuzzy Hash: 6F61B8313446106BE614E725CCD6FFF73D6BBC4708F10051EF646D72C1DAA9A981879A

Function 0043524B Relevance: 9.2, APIs: 6, Instructions: 179COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000005,00000000), ref: 00435272
SHGetFileInfo.SHELL32(?,00000000,?,000002B4,00004301), ref: 004352AA
_memset.LIBCMT ref: 004352C6
GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004F9E30,000000FF), ref: 00435394
SHGetFileInfo.SHELL32(?,00000000,?,000002B4,00004301), ref: 004353B7
_memset.LIBCMT ref: 004353DA

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: FileInfo_memset$DriveFolderPathSpecialType
String ID:
API String ID: 3046806814-0
Opcode ID: 7edeee733a33ac8455f0559beff3da96df655bdb19c29606c271c1b8db09da13
Instruction ID: ee7e692a5660a1c0ca32f76e6befd43a3579b5bd90cf4844e0b6e2b897f1ce22
Opcode Fuzzy Hash: 7edeee733a33ac8455f0559beff3da96df655bdb19c29606c271c1b8db09da13
Instruction Fuzzy Hash: F461053190068D8BDF25CF649C65BFF37A0AB1D300F14552AED499B281DB799609CB98

Function 004148B0 Relevance: 9.1, APIs: 6, Instructions: 149windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 0041492B
GetParent.USER32(?), ref: 004149CE
IsWindow.USER32(00000000), ref: 004149E4
SendMessageW.USER32(?,0000004E,00000000,?), ref: 004149FD
IsWindow.USER32(?), ref: 00414A07
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00414A17

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Window$Message$ParentPostSend_memcpy_s
String ID:
API String ID: 911700235-0
Opcode ID: c3196cacb0c106d9da5414df5f2c161afdca6c20bc4d42e271233c733b5c3851
Instruction ID: ab05e1316dd7894d621ad0aa091164e7521d8b2fd1e5208d15529456c0efbae1
Opcode Fuzzy Hash: c3196cacb0c106d9da5414df5f2c161afdca6c20bc4d42e271233c733b5c3851
Instruction Fuzzy Hash: B4517DB02047429FD324DB38C841B6BB7E5BF89324F044A1EE599C7391EB34E844CB96

Function 0040B0B0 Relevance: 9.1, APIs: 6, Instructions: 104comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040B0B7
CoCreateInstance.COMBASE(005064B8,00000000,00000001,005064C8,?), ref: 0040B0D3
CoUninitialize.COMBASE ref: 0040B108
CoUninitialize.COMBASE ref: 0040B14C
CoUninitialize.COMBASE ref: 0040B19F
CoUninitialize.COMBASE ref: 0040B1AE

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Uninitialize$CreateInitializeInstance
String ID:
API String ID: 1968832861-0
Opcode ID: c756b9a326bff0d5d54b5a655fff85a37b488297f44faff1c880c5909a84eb98
Instruction ID: 4bd2bc0f0cf0910bea45b9d0f518d1d0bb22e6b9072aadf7b3b1f54558cdc6cf
Opcode Fuzzy Hash: c756b9a326bff0d5d54b5a655fff85a37b488297f44faff1c880c5909a84eb98
Instruction Fuzzy Hash: 4D31F474204712AFD600EF68CC9499BBBE9FFC8744F40885AF449CB260E775D906DBA2

Function 0040B1C0 Relevance: 9.1, APIs: 6, Instructions: 104comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040B1C7
CoCreateInstance.COMBASE(005064B8,00000000,00000001,005064C8,?), ref: 0040B1E3
CoUninitialize.COMBASE ref: 0040B21A
CoUninitialize.COMBASE ref: 0040B25E
CoUninitialize.COMBASE ref: 0040B2B1
CoUninitialize.COMBASE ref: 0040B2C0

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Uninitialize$CreateInitializeInstance
String ID:
API String ID: 1968832861-0
Opcode ID: dac37143b823cb3abd144905d929c2932ec6706f47d39eb97bb3371e0547768f
Instruction ID: 3cf48e1bed5e902aa4863cb3491607d1b32a05afe6114cf13525783804ef0ec8
Opcode Fuzzy Hash: dac37143b823cb3abd144905d929c2932ec6706f47d39eb97bb3371e0547768f
Instruction Fuzzy Hash: 0C31E274204712AFD600EF68CC8499BBBE9EFC8704F408859F449CB2A0E775D946DB92

Function 004DF0C0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 350COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 004DF1CC
_calloc.LIBCMT ref: 004DF230
_calloc.LIBCMT ref: 004DF23E
_calloc.LIBCMT ref: 004DF28A

Strings

vorbis, xrefs: 004DF123

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _calloc
String ID: vorbis
API String ID: 1679841372-2156734674
Opcode ID: e710addb8eb7fe8a14446d82d37cee856acced2938c84251ad66899318694232
Instruction ID: 96e378ca6405d9577a96793c37bc6bc0add6004b87866b450d747613ee427bb8
Opcode Fuzzy Hash: e710addb8eb7fe8a14446d82d37cee856acced2938c84251ad66899318694232
Instruction Fuzzy Hash: DEB118726007015BC330DF6AC881A6BB3E5AF94314F44493FF95A87351EA3DE94987A6

Function 0042CA20 Relevance: 9.1, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0042CA36
DeleteObject.GDI32(?), ref: 0042CA4D
CreatePen.GDI32(00000000,?,00FFFFFF), ref: 0042CAC4
SelectObject.GDI32(?,00000000), ref: 0042CAE0
CreatePen.GDI32(00000000,?,00FFFFFF), ref: 0042CB0F
SelectObject.GDI32(?,00000000), ref: 0042CB1F

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Object$CreateDeleteSelect
String ID:
API String ID: 2141494517-0
Opcode ID: 051681e83d6b5dc2d04245fea1d77f42bd34e1bd74ae13db29240c9ff574a41c
Instruction ID: ce1f932985b1570c38c62c4d204378b6da390f523c1a69835f3e567966f578f1
Opcode Fuzzy Hash: 051681e83d6b5dc2d04245fea1d77f42bd34e1bd74ae13db29240c9ff574a41c
Instruction Fuzzy Hash: 62214F71700B159FE620DAB4EC81FABB3E8AF94714F14491FE25AD3280DA74B844DB25

Function 0042D0E0 Relevance: 9.1, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(?,000000CC), ref: 0042D101
LoadCursorW.USER32(?,000000CB), ref: 0042D126
SetCursor.USER32(?), ref: 0042D196
SetClassLongW.USER32(?,000000F4,?), ref: 0042D1A3

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Cursor$Load$ClassLong
String ID:
API String ID: 2030254226-0
Opcode ID: 8647661890407926b7405ad5de52a373462817ad11dd8aafac62ecd2d5b3926e
Instruction ID: 7746edc4c2def53e0e8de8a291748870dc2816e8c3a7c5f42ec8d074ace7560f
Opcode Fuzzy Hash: 8647661890407926b7405ad5de52a373462817ad11dd8aafac62ecd2d5b3926e
Instruction Fuzzy Hash: 2E212331700211ABD754AFB0E85AE6F33E4EB98394F10091EF466CB341CB38D840876B

Function 00472451 Relevance: 9.1, APIs: 6, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00472458

Part of subcall function 004723AB: __EH_prolog3.LIBCMT ref: 004723B2
Part of subcall function 004723AB: GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 004723FE
Part of subcall function 004723AB: GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 00472410

CopyRect.USER32(?,00000000), ref: 00472487
GetCursorPos.USER32(?), ref: 00472493

Part of subcall function 00411FD0: SetRect.USER32(?,?,?,?,?), ref: 00411FE5

IsRectEmpty.USER32(?), ref: 004724C4
InflateRect.USER32(?,00000000,00000000), ref: 004724D6
DoDragDrop.OLE32(00000000,00000000,?,00000000), ref: 0047252D

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Rect$H_prolog3Profile$CopyCursorDragDropEmptyInflate
String ID:
API String ID: 3333857639-0
Opcode ID: e7156aeb9f18bb9a6a5647dc581b3d6222a3de7ec68ab968beeee0b5ea5d267b
Instruction ID: 9e2708efaec019bad14a936d0e261219e4e58817cf4940c1458b86c9eb134742
Opcode Fuzzy Hash: e7156aeb9f18bb9a6a5647dc581b3d6222a3de7ec68ab968beeee0b5ea5d267b
Instruction Fuzzy Hash: 0321B131900209EBCF11AF90CD09AFFB7B5BF54705F00840EFA1667290CBB8A946DB95

Function 0042D200 Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(?,000000CC), ref: 0042D22C
LoadCursorW.USER32(?,000000CB), ref: 0042D251
SetCursor.USER32(?), ref: 0042D2C1
SetClassLongW.USER32(?,000000F4,?), ref: 0042D2CE

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Cursor$Load$ClassLong
String ID:
API String ID: 2030254226-0
Opcode ID: c36063a1880b14214afd469433f0ac474e405f230112dc7f7e2d7854c4da3fd0
Instruction ID: 4e5a71781779599cbc01b0b362907a1f544dfe0ce37af8b4513a8d316b335ace
Opcode Fuzzy Hash: c36063a1880b14214afd469433f0ac474e405f230112dc7f7e2d7854c4da3fd0
Instruction Fuzzy Hash: C0110239B00121EBD6647BB0980EE5F6384DF263A4F150A67F912C7291DB28C88053BB

Function 00439400 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000003), ref: 00439410
LoadResource.KERNEL32(?,00000000), ref: 00439422
LockResource.KERNEL32(00000000), ref: 00439430
SizeofResource.KERNEL32(?,00000000,000000FF), ref: 0043943F
FreeResource.KERNEL32(00000000), ref: 00439463
FreeResource.KERNEL32(00000000), ref: 0043946B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Resource$Free$FindLoadLockSizeof
String ID:
API String ID: 1213535345-0
Opcode ID: 099204d077d7876229fce16f2da7991d26d65ab8f674654948921794121f50e6
Instruction ID: 7d7f6cf2dcfeae32b03a6f84644dab2667809e212c7dc03e3dd2820bfbafefe2
Opcode Fuzzy Hash: 099204d077d7876229fce16f2da7991d26d65ab8f674654948921794121f50e6
Instruction Fuzzy Hash: E2018B76200200AFC715AF65EC9CC2B7B6CEB9A712B00811AF902CA246DB39DC05DBB4

Function 004251E0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 235COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 004252B1

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

GetObjectW.GDI32(?,0000005C,?), ref: 00425396
CreateFontIndirectW.GDI32(?), ref: 004253A9

Part of subcall function 0046B367: SetBkMode.GDI32(?,?), ref: 0046B384
Part of subcall function 0046B367: SetBkMode.GDI32(?,?), ref: 0046B391

Strings

Page %d of %d, xrefs: 00425269
hgP, xrefs: 004253BE, 00425431, 0042543A, 004253C2

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Mode$CreateFontIndirectObject__time64_memcpy_s
String ID: Page %d of %d$hgP
API String ID: 959342479-274673232
Opcode ID: 419e947a3c5b80fddc2fd0c4985796ce0aac660073a4be59623d36429998f7ea
Instruction ID: b8984831befa3a804bc344419e7a829fa9dec1583cd298a952ad335afdab60e0
Opcode Fuzzy Hash: 419e947a3c5b80fddc2fd0c4985796ce0aac660073a4be59623d36429998f7ea
Instruction Fuzzy Hash: 8F9185B02087419FD314DF29C891F6AB7E9FFC8314F108A1DF599872A1DB34A945CB96

Function 0041E1A0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0041E273
GetParent.USER32(?), ref: 0041E29F
GetObjectW.GDI32(?,0000005C,?), ref: 0041E2D7
CreateFontIndirectW.GDI32(?), ref: 0041E2EA

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Strings

hgP, xrefs: 0041E2FF, 0041E383, 0041E3BE, 0041E303

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Parent$CreateFontIndirectObject_memcpy_s
String ID: hgP
API String ID: 1145571516-4166184734
Opcode ID: c3cf301dd27c55758ebfbb71dd09df75c5d898d2afe6f55c4645ef0512f9645d
Instruction ID: cc54f789ec91d2bfb8cc5d3b8e4db80c9f679bb22f1288b4736a7c5e5e5cf2d7
Opcode Fuzzy Hash: c3cf301dd27c55758ebfbb71dd09df75c5d898d2afe6f55c4645ef0512f9645d
Instruction Fuzzy Hash: 938178742043419FD314DF69C890B6BB7E9BF88314F104A1DF9998B391EB34E945CB96

Function 00441510 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,000000FF,00000002,?,?,?,000003E8,?,00000439,?), ref: 00441675

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

_sprintf.LIBCMT ref: 004416F5

Strings

%s -%s -%s -%d -%d -%d -autostart,_NO_P,_NO_P,_NO_P,_NO_P,_NO_P, xrefs: 004416EF
SeetrolClientAutoStart, xrefs: 00441721
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 00441692

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: FileModuleName_memcpy_s_sprintf
String ID: %s -%s -%s -%d -%d -%d -autostart,_NO_P,_NO_P,_NO_P,_NO_P,_NO_P$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SeetrolClientAutoStart
API String ID: 3318560983-668435075
Opcode ID: a32ce2a3c11f64711bd99241fc2e290335d76456e73f18fdabe55a01bf2ec0ea
Instruction ID: be580955e9d1efc6da701283d720de910638ea8db901793c5c3844ae5d559af0
Opcode Fuzzy Hash: a32ce2a3c11f64711bd99241fc2e290335d76456e73f18fdabe55a01bf2ec0ea
Instruction Fuzzy Hash: 1571BF742043429FE314DF28C859FABB7E9FF85714F008A1DB15A8B2D1DB74A904CB96

Function 00411220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

CreateFontIndirectW.GDI32(?), ref: 0041123F
73A0A570.USER32(00000000,?,00000000,?,?,9F5E49E1,?,00000000), ref: 00411257
GetTextExtentPoint32W.GDI32(?,00506C90,00000001,?), ref: 0041128C
GetTextExtentPoint32W.GDI32(?, XXXXXXXXXXXX ,0000000E,?), ref: 004112AC

Strings

XXXXXXXXXXXX , xrefs: 004112A6

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: ExtentPoint32Text$A570CreateFontIndirect
String ID: XXXXXXXXXXXX
API String ID: 847018943-2403876512
Opcode ID: ce2aac9d8aff2c10a5210e393b8478153c71c002e44542bc38f7d076a27f4cfe
Instruction ID: 773cd68263f7e56164964a8ca457de9c7d4c0107424e10872f490c3d227f6d01
Opcode Fuzzy Hash: ce2aac9d8aff2c10a5210e393b8478153c71c002e44542bc38f7d076a27f4cfe
Instruction Fuzzy Hash: 37217CB53006019BC314EF69DD81E6BB3A9BFC8710F14491EE68683790DB35F9448BA5

Function 0043CBE0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

_sprintf.LIBCMT ref: 0043CC0B
_sprintf.LIBCMT ref: 0043CC50

Part of subcall function 004ABC43: __output_l.LIBCMT ref: 004ABC98

Strings

%s\STClientChat.exe, xrefs: 0043CC05
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 0043CC2A
%s:*:Enabled:STClientChat, xrefs: 0043CC4A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _sprintf$__output_l
String ID: %s:*:Enabled:STClientChat$%s\STClientChat.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 1830584065-1189990171
Opcode ID: a4b1c14a2b2d000d84565052d5be6dc79a19bfc1d810d51fc66dc205ca547ad1
Instruction ID: 0d3e2c3b5f8d3d161a68cef0dc4d2bf18c69653b087d87270b0f7cb31eaf0e8b
Opcode Fuzzy Hash: a4b1c14a2b2d000d84565052d5be6dc79a19bfc1d810d51fc66dc205ca547ad1
Instruction Fuzzy Hash: 901194B5244300ABD324DB14DC9AFEB73E8AF98700F10891DB599D7182EB74A548CB96

Function 0040CAB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,?), ref: 0040CAD1
RtlEnterCriticalSection.NTDLL(?), ref: 0040CAE6
RtlLeaveCriticalSection.NTDLL(?), ref: 0040CAF7
OutputDebugStringW.KERNEL32(HHHH *&*^&^*&^*(&*& exit event), ref: 0040CB0C

Strings

HHHH *&*^&^*&^*(&*& exit event, xrefs: 0040CB07

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CriticalSection$DebugEnterLeaveMultipleObjectsOutputStringWait
String ID: HHHH *&*^&^*&^*(&*& exit event
API String ID: 1026844691-3841546532
Opcode ID: d73e05712dd1537c4336a9e41d80a53f3424c8574dd4eb61eff37431635e4c31
Instruction ID: e1122092703a7f913446900eedb616fcde9edb9b7268c63596de7ded4e4d64a6
Opcode Fuzzy Hash: d73e05712dd1537c4336a9e41d80a53f3424c8574dd4eb61eff37431635e4c31
Instruction Fuzzy Hash: 42F0A4765002009FC210DB68EC49A9BBBF8BFA8710F40452EF585D6290E670A808CB95

Function 0043C190 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043C1A4
FindWindowExW.USER32(00000000,?,0044302B,00000002), ref: 0043C1AB
GetWindowRect.USER32(00000000,?), ref: 0043C1B9

Strings

TrayNotifyWnd, xrefs: 0043C196
Shell_TrayWnd, xrefs: 0043C19F

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Window$Find$Rect
String ID: Shell_TrayWnd$TrayNotifyWnd
API String ID: 2266178948-3857692141
Opcode ID: ac5759194563ac03d2224f8df0cb852480f49693282d5046b6fa179f2b83babc
Instruction ID: fa008bd948b788860abfb52c620f4c5915670ac2c9b23df17ea5d757d37e48c3
Opcode Fuzzy Hash: ac5759194563ac03d2224f8df0cb852480f49693282d5046b6fa179f2b83babc
Instruction Fuzzy Hash: 01E0C23968132077F32137585C0FFDF3A98EF14F00F504400F601E40D1E7B0200956AA

Function 00412990 Relevance: 7.9, APIs: 5, Instructions: 434COMMON

Download Yara Rule

APIs

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

GetSysColor.USER32(00000014), ref: 00412C5B
GetSysColor.USER32(00000015), ref: 00412C75
InflateRect.USER32(?,000000FF,000000FF), ref: 00412D4E

Part of subcall function 0046C618: SelectObject.GDI32(?,00000000), ref: 0046C63E
Part of subcall function 0046C618: SelectObject.GDI32(?,?), ref: 0046C654

InflateRect.USER32(?,00000000,00000000), ref: 00412DA1
DrawTextW.USER32(?,00000000), ref: 00412E48

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: ColorInflateObjectRectSelect$DrawText_memcpy_s
String ID:
API String ID: 2499698890-0
Opcode ID: d05763f8e87d9b5f121c1ede3769fd0ae30d52ec2ea1d9638fd9bee958aa2635
Instruction ID: acab23d33c6697efe66f65ef9029ff306ea27e4f91eeff317280ecb93b472233
Opcode Fuzzy Hash: d05763f8e87d9b5f121c1ede3769fd0ae30d52ec2ea1d9638fd9bee958aa2635
Instruction Fuzzy Hash: 75F17C742082468FD324DF15C990AAEB3E5BFC8700F10891EE995C7391EB78E995CB96

Function 004131B7 Relevance: 7.9, APIs: 5, Instructions: 365COMMON

Download Yara Rule

APIs

DrawEdge.USER32(?,?,00000008,0000000F), ref: 004132D9
InflateRect.USER32(?,000000FF,000000FF), ref: 004132E7

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: DrawEdgeInflateRect
String ID:
API String ID: 3680694270-0
Opcode ID: a13af805f0ada04ea4290a1db0e6866fa17c855cfefc5746e4daecde56a66a0d
Instruction ID: 537493c31a4731a9941bd32d75c32a0e8f37e3416fe2c86f4f30fdd8828d7613
Opcode Fuzzy Hash: a13af805f0ada04ea4290a1db0e6866fa17c855cfefc5746e4daecde56a66a0d
Instruction Fuzzy Hash: 7DE15F716006099FCB04DF69C990AEEB7B5BF88315F10822EF81597381DB38ED86CB95

Function 00413234 Relevance: 7.8, APIs: 5, Instructions: 338COMMON

Download Yara Rule

APIs

DrawEdge.USER32(?,?,00000008,0000000F), ref: 004132D9
InflateRect.USER32(?,000000FF,000000FF), ref: 004132E7

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: DrawEdgeInflateRect
String ID:
API String ID: 3680694270-0
Opcode ID: 88f9886ee46468484178af36cae63a4d38b51c5bcda9a6be92dc510a7041c394
Instruction ID: e005b626a7d14423fd99513fb40599ec6b1590a4dcebcc7e670b3413e5e5c041
Opcode Fuzzy Hash: 88f9886ee46468484178af36cae63a4d38b51c5bcda9a6be92dc510a7041c394
Instruction Fuzzy Hash: 15D13C716006099FCB04DF69C990AEEB3B5BF88315F10826AF815D7385DB38ED46CB95

Function 0042B160 Relevance: 7.8, APIs: 5, Instructions: 303COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,00000000), ref: 0042B234
SelectObject.GDI32(?,00000000), ref: 0042B268
SelectObject.GDI32(?,00000000), ref: 0042B2BF

Part of subcall function 00429F40: SelectObject.GDI32(?,?), ref: 00429FA8
Part of subcall function 00429F40: DeleteDC.GDI32(?), ref: 0042A051

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: ObjectSelect$Delete
String ID:
API String ID: 119191458-0
Opcode ID: ac693409066841f4521446882ccaefbab41811d79ef42e1402248c91a88207e6
Instruction ID: 607c438724ed6170f7b56a2326903ce7347d9ef3bb4b7a37e489126c7c3809c8
Opcode Fuzzy Hash: ac693409066841f4521446882ccaefbab41811d79ef42e1402248c91a88207e6
Instruction Fuzzy Hash: CCB12571208340AFD324EB55CC99F6FBBE8EFD9B44F10491DB68587291DA74E804CBA6

Function 004062C0 Relevance: 7.8, APIs: 5, Instructions: 298windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000153,00000000,0000000F), ref: 004063C0
SendMessageW.USER32(?,0000014A,00000000,?), ref: 004063EA
SendMessageW.USER32(?,0000014E,?,00000000), ref: 0040640C

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00406549
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 0040655C

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSend$_memcpy_s
String ID:
API String ID: 514064268-0
Opcode ID: 4c16d82b9b4ccc394ab5f6c1e0528cf56e5d5aa609650381e067152d83ad02f1
Instruction ID: e3cbcda3d4ece8aced904ab7bc349160bb025f9081bdde3caecfc8346bbf36b4
Opcode Fuzzy Hash: 4c16d82b9b4ccc394ab5f6c1e0528cf56e5d5aa609650381e067152d83ad02f1
Instruction Fuzzy Hash: 09B1B1702047419FD314CB28CC81B5AB7E5AFC9728F148B6DF15A9B2E1DB78E901CB96

Function 004E6B60 Relevance: 7.7, APIs: 5, Instructions: 237COMMON

Download Yara Rule

APIs

_ldexp.LIBCMT ref: 004E6BC6
_ldexp.LIBCMT ref: 004E6C17
_calloc.LIBCMT ref: 004E6C2A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _ldexp$_calloc
String ID:
API String ID: 2952258867-0
Opcode ID: 131317aaaa65acee6e4d93ed6e3888b5373153619c2617ac1e48c4fd29cba157
Instruction ID: 3016ec5c10455718fe22c89d80a8186b88c5e5ba7c67bfa0b5e48a5f441f4b43
Opcode Fuzzy Hash: 131317aaaa65acee6e4d93ed6e3888b5373153619c2617ac1e48c4fd29cba157
Instruction Fuzzy Hash: 0F81A8702083828FD324DF1AD981A2BB7E5FF98349F55492EE8C997341D738E815CB5A

Function 00443500 Relevance: 7.7, APIs: 5, Instructions: 218processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00443557
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00443566
Process32FirstW.KERNEL32 ref: 00443588
Process32NextW.KERNEL32(?,?), ref: 0044374C
CloseHandle.KERNEL32(00000000), ref: 0044375E

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
String ID:
API String ID: 2526126748-0
Opcode ID: 41623a4313af9ab5a0a8fee6a0832deccacdef6ab8943e4620dae9680b4f1fea
Instruction ID: af5c976329874aac03bdd80c64c586da92a9b32ce5b10727b9380703e1d63661
Opcode Fuzzy Hash: 41623a4313af9ab5a0a8fee6a0832deccacdef6ab8943e4620dae9680b4f1fea
Instruction Fuzzy Hash: 827105B16042029FE714DF28C885A6FB7E5FF88714F048B2EE59597390E735EA05CB86

Function 00408450 Relevance: 7.7, APIs: 5, Instructions: 152windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004084AA
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004084C6
SendMessageW.USER32(?,00000153,00000000,0000000F), ref: 004084D7

Part of subcall function 0040AC70: CoInitialize.OLE32(00000000), ref: 0040ACA9
Part of subcall function 0040AC70: CoCreateInstance.COMBASE(00635140,00000000,00000017,00635150,?), ref: 0040ACC1

SendMessageW.USER32(?,0000014A,00000000,?), ref: 004085AE
SendMessageW.USER32(?,0000014E,?,00000000), ref: 004085EA

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSend$CreateInitializeInstance_memcpy_s_memset
String ID:
API String ID: 766012133-0
Opcode ID: 9b7863c9828a1c2c9ed56dbdf257cf7ebd994f9567e1526554d40c22ab17c558
Instruction ID: 9a7250131e9b5604881b7be861a408c2ad3b7d78dff6f6c39e7c9a2a10d9f27e
Opcode Fuzzy Hash: 9b7863c9828a1c2c9ed56dbdf257cf7ebd994f9567e1526554d40c22ab17c558
Instruction Fuzzy Hash: 6951AF71200B409FD324DB29CC81F97B3E5FF89724F008A2EE5A99B2D1DE34A905CB65

Function 00414B30 Relevance: 7.6, APIs: 5, Instructions: 145windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000146,00000000,00000000), ref: 00414B6C
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00414BC4
GetSystemMetrics.USER32(00000002), ref: 00414BD8
GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 00414C08
GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 00414C43

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: ExtentMessagePoint32SendText$MetricsSystem_memcpy_s
String ID:
API String ID: 1821662701-0
Opcode ID: fe1b73a4d9a6bebf1bd27fd00734bc4c550ce95797361353062eb6357cfc8ccd
Instruction ID: 705293c5cdb30953cbc70e8712b69b12511de456a6fed5b40d2b0ca6283839c8
Opcode Fuzzy Hash: fe1b73a4d9a6bebf1bd27fd00734bc4c550ce95797361353062eb6357cfc8ccd
Instruction Fuzzy Hash: 765189712083019FC304DF69CC85E6BB7E8EFC9724F004A1EF151872A1EA74A949CBA6

Function 0042E330 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(?,000000CC), ref: 0042E35E
LoadCursorW.USER32(?,000000CB), ref: 0042E383
SetCursor.USER32(?), ref: 0042E3EE
SetClassLongW.USER32(?,000000F4,?), ref: 0042E3FB

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Cursor$Load$ClassLong
String ID:
API String ID: 2030254226-0
Opcode ID: 4b89ce16440c2151ac27989c85a22a6dce166be106d82c216efebc1163693206
Instruction ID: 821b4d2ece1473e6cfdde1bcbd1cef298f3fe2c5b4b10aec1d020f83d4ca76ca
Opcode Fuzzy Hash: 4b89ce16440c2151ac27989c85a22a6dce166be106d82c216efebc1163693206
Instruction Fuzzy Hash: BB419A34300651DFD320EB76D484F6BB3E5AB88354F548C2EF96A87341CB38E8418B6A

Function 00432880 Relevance: 7.6, APIs: 5, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047922F: GetFileSize.KERNEL32(?,?,?,?,?,?,004328DD,?,00000020,00000000,9F5E49E1), ref: 00479240
Part of subcall function 0047922F: GetLastError.KERNEL32(?,?,?,?,?,004328DD,?,00000020,00000000,9F5E49E1), ref: 00479255
Part of subcall function 0047922F: GetLastError.KERNEL32(?,?,?,?,?,?,004328DD,?,00000020,00000000,9F5E49E1), ref: 0047925E

GlobalAlloc.KERNEL32(00000022,00000000,?,00000020,00000000,9F5E49E1), ref: 004328E2
GlobalLock.KERNEL32(00000000), ref: 004328F6
GlobalFree.KERNEL32(00000000), ref: 00432903
GlobalUnlock.KERNEL32(00000000), ref: 00432931
GlobalFree.KERNEL32(00000000), ref: 00432950

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Global$ErrorFreeLast$AllocFileLockSizeUnlock
String ID:
API String ID: 3366443917-0
Opcode ID: 4b0d20983e86c4124a36f492200f73a2d6548019e999faef4b1e55c10d697a08
Instruction ID: 84b6b0bc59116d5a09d20fc1963e5cc95bdfa38048604fe579a7bcb0ff3c3264
Opcode Fuzzy Hash: 4b0d20983e86c4124a36f492200f73a2d6548019e999faef4b1e55c10d697a08
Instruction Fuzzy Hash: 8531E471A04218ABCB14EF95DD45FEEB7B8FF19710F00411EF816A3281DB385A05C765

Function 0042E4B0 Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(?,000000CC), ref: 0042E4E8
LoadCursorW.USER32(?,000000CB), ref: 0042E50D
SetCursor.USER32(?), ref: 0042E578
SetClassLongW.USER32(?,000000F4,?), ref: 0042E585

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Cursor$Load$ClassLong
String ID:
API String ID: 2030254226-0
Opcode ID: 3a8fa1bda79f3142087b5076ce44b595ba66acbba20c83e0cc33d13943b1f673
Instruction ID: b233eac45f8e6c2532397a3b87d88f961c00b52c8b94cb9ad607906e9aa52cd9
Opcode Fuzzy Hash: 3a8fa1bda79f3142087b5076ce44b595ba66acbba20c83e0cc33d13943b1f673
Instruction Fuzzy Hash: C631B274300250EFD620ABA5D444F6B73D4AB58358F148D2FF566C7351EB38E8818B1A

Function 00418570 Relevance: 7.6, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0041859A
GetWindowRect.USER32(?,?), ref: 004185BD
GetParent.USER32(?), ref: 004185C7
InflateRect.USER32(00000001,00000001,00000001), ref: 004185F3
InflateRect.USER32(00000001,000000FF,000000FF), ref: 0041861F

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Rect$InflateWindow$Parent
String ID:
API String ID: 1237301043-0
Opcode ID: 58f1218d1ca154b21e39d43afd90dfcb838b4878e8e512a7a8a91f5f405a37e4
Instruction ID: 016733e46166ec26ceb743758fd2f50cb3da65fcfb16a91c44bad7b95ca7bf3f
Opcode Fuzzy Hash: 58f1218d1ca154b21e39d43afd90dfcb838b4878e8e512a7a8a91f5f405a37e4
Instruction Fuzzy Hash: 47214F71208301AFE704EB68DC59F7FB3E9FB84714F044A0DB55583290EBB4E9458BAA

Function 004B4538 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(00000000,0062FCC8,0000000C,0047704E,?,00004000,00000000,?,9F5E49E1,00000000,?,?,?,00425541,?,00005001), ref: 004B456C
GetLastError.KERNEL32(?,?,?,00425541,?,00005001,?,9F5E49E1), ref: 004B4576
__dosmaperr.LIBCMT ref: 004B457D
__alloc_osfhnd.LIBCMT ref: 004B459E
__set_osfhnd.LIBCMT ref: 004B45C8

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: ErrorFileLastType__alloc_osfhnd__dosmaperr__set_osfhnd
String ID:
API String ID: 43408053-0
Opcode ID: 9b2cb763234e9811d0cf25dd4ca6e2be36f44dff63cb57d5f5fbf0b1314204b6
Instruction ID: d485ab050a4f125a33bd3b8265eb4cba1be85d0acb8ab5a88c35613afe631e4b
Opcode Fuzzy Hash: 9b2cb763234e9811d0cf25dd4ca6e2be36f44dff63cb57d5f5fbf0b1314204b6
Instruction Fuzzy Hash: 34214B30505A04ABCF219FA8D8053DE7B60AFC1324F18874AE5604B2E3C73D8541DFA9

Function 0046A07F Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0046A0C0
GetParent.USER32(?), ref: 0046A0D3
GetLastActivePopup.USER32(?), ref: 0046A0E4
IsWindowEnabled.USER32(?), ref: 0046A0F8
EnableWindow.USER32(?,00000000), ref: 0046A10B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: ParentWindow$ActiveEnableEnabledLastPopup
String ID:
API String ID: 2630416829-0
Opcode ID: 79f32547c1ade2cfa3be01cc040501f73125db684f062d82dd248d72cdccd521
Instruction ID: ad6d8f87f55a717cfc6b6e52ee1e072459b57c37d9d690c2cc0f7bff9f6d0c0a
Opcode Fuzzy Hash: 79f32547c1ade2cfa3be01cc040501f73125db684f062d82dd248d72cdccd521
Instruction Fuzzy Hash: 7D110432601A2197CB311E299C48B6F769C6F65B60F150113EC00B7346FB28CC115ADB

Function 0042A910 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0042A942
GetNextDlgGroupItem.USER32(?,?,00000000), ref: 0042A970
PostMessageW.USER32(00000000,00000500,00000000,00000000), ref: 0042A986
GetNextDlgGroupItem.USER32(?,00000000,00000000), ref: 0042A990
InvalidateRect.USER32(?,00000000,00000001), ref: 0042A9A7

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: GroupItemNext$InvalidateMessageParentPostRect
String ID:
API String ID: 337880142-0
Opcode ID: 35ddc60d715b0259cb739ea4dca27bf96214e5032adcd0d3c4b1f725c971891d
Instruction ID: 60bdb3f12d35103e879033fc192a2177302ffd8b42246ca69a0c4ce572c18962
Opcode Fuzzy Hash: 35ddc60d715b0259cb739ea4dca27bf96214e5032adcd0d3c4b1f725c971891d
Instruction Fuzzy Hash: E11129B27003216BD33187666C45F2BB798AB54710F5A0D1FFA8667280D664E890875E

Function 00438CD0 Relevance: 7.6, APIs: 5, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32 ref: 00438D21
_wcsncpy.LIBCMT ref: 00438D60
_wcsncpy.LIBCMT ref: 00438D73
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00438D82
Shell_NotifyIconW.SHELL32 ref: 00438DA9

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: IconNotifyShell_$_wcsncpy
String ID:
API String ID: 1582311519-0
Opcode ID: 76268ac068092fd3cd7fda4d95c22caff2195fe5bc0ae4b1db8be5d85302dd54
Instruction ID: 3d4282dcbf6b1d20a61b1300e5e3a8f928670a5a8381bfe57ad54e3b59fbafe8
Opcode Fuzzy Hash: 76268ac068092fd3cd7fda4d95c22caff2195fe5bc0ae4b1db8be5d85302dd54
Instruction Fuzzy Hash: 75215071254384ABE335EB55C882F9BB7ECEBD8700F00581EB24886181DBB46648CBA2

Function 00444AF7 Relevance: 7.6, APIs: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0000000A), ref: 00444B24
RtlEnterCriticalSection.NTDLL(?), ref: 00444B3C
RtlLeaveCriticalSection.NTDLL(?), ref: 00444B4D
OutputDebugStringW.KERNEL32(HHHH *&*^&^*&^*(&*& exit event), ref: 00444B6E
RtlEnterCriticalSection.NTDLL(?), ref: 00444BB0
RtlLeaveCriticalSection.NTDLL(?), ref: 00444BC9

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CriticalSection$EnterLeave$DebugMultipleObjectsOutputStringWait
String ID:
API String ID: 233558907-0
Opcode ID: fdda8f34a3ebf7164c60fac82d560daecef8d15ddb6ec60345313518a8b614d0
Instruction ID: e7c160db9417d99021d7225f21bd79b5e63d9489d9232fc461d23995eafba950
Opcode Fuzzy Hash: fdda8f34a3ebf7164c60fac82d560daecef8d15ddb6ec60345313518a8b614d0
Instruction Fuzzy Hash: 022184755007458FE720DF24DD8879AB7A5FF94311F00092EE84A97351D738F908CB59

Function 004C4DC3 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004C4DCF

Part of subcall function 004B699E: __getptd_noexit.LIBCMT ref: 004B69A1
Part of subcall function 004B699E: __amsg_exit.LIBCMT ref: 004B69AE

__amsg_exit.LIBCMT ref: 004C4DEF
__lock.LIBCMT ref: 004C4DFF
InterlockedDecrement.KERNEL32(?), ref: 004C4E1C
InterlockedIncrement.KERNEL32(03A117F0), ref: 004C4E47

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 84f18996bcc782b4036b285428d1e08b55746593a6f60b05edc80ecc1bf033e7
Instruction ID: 1820caeb5d21e5a31d69510650571e556a381ba0057c1da9d0a5d34ed32f007e
Opcode Fuzzy Hash: 84f18996bcc782b4036b285428d1e08b55746593a6f60b05edc80ecc1bf033e7
Instruction Fuzzy Hash: EE01A1399017129FD7A1AF6A9519B9E77A1BF81724F01010EF81467391CB3C6941CBE9

Function 00432E90 Relevance: 7.5, APIs: 5, Instructions: 32synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 00432EA9
CancelIo.KERNEL32(?), ref: 00432EBB
closesocket.WS2_32(?), ref: 00432EC8
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00432EE5
CloseHandle.KERNEL32(?), ref: 00432F00

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CancelCloseEventHandleObjectSingleWaitclosesocket
String ID:
API String ID: 3674394668-0
Opcode ID: 63443fa4d6ea9fb4afa56c107800f88a9bd986ce8e6deb3da36259eed3aee9e1
Instruction ID: a07a01122624e78b0381a1439b21127f47bbe7e69d66bdb28a99d2ed3de3bd36
Opcode Fuzzy Hash: 63443fa4d6ea9fb4afa56c107800f88a9bd986ce8e6deb3da36259eed3aee9e1
Instruction Fuzzy Hash: 63F07474504B01DBCA209F78DD4DBCBB7E8BB59332F105B0AE87AD63E0D774A8099A54

Function 00406640 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 295windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004066DA

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004068B6
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00406940

Strings

.seetrol.com, xrefs: 00406869

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSend$_memcpy_s
String ID: .seetrol.com
API String ID: 514064268-3786952694
Opcode ID: 4f6951e8d4ed14172754f62d26925c2d9ba050e6d84a090b6ae7bc09600c78bd
Instruction ID: 29ed97527ff18706426675082e3e83d46953f823c96349d8bf668715b5f227f2
Opcode Fuzzy Hash: 4f6951e8d4ed14172754f62d26925c2d9ba050e6d84a090b6ae7bc09600c78bd
Instruction Fuzzy Hash: FBB1B1702007428FD304DF29C855B2AB7E5EF85328F14866DF5669B3E2DB78E901CB95

Function 0043AB30 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 270COMMON

Download Yara Rule

APIs

Part of subcall function 0042C540: ~_Task_impl.LIBCPMT ref: 0042C58E

~_Task_impl.LIBCPMT ref: 0043AB76

Part of subcall function 00466994: __EH_prolog3.LIBCMT ref: 0046699B

Part of subcall function 00431E10: CloseHandle.KERNEL32(?,9F5E49E1,?,?,00000000,004F9B96,000000FF,0000000F,00624758), ref: 00431E52
Part of subcall function 00431E10: ~_Task_impl.LIBCPMT ref: 00431EA2

Part of subcall function 0042B030: DeleteObject.GDI32(?), ref: 0042B071
Part of subcall function 0042B030: ~_Task_impl.LIBCPMT ref: 0042B140

~_Task_impl.LIBCPMT ref: 0043AC66

Part of subcall function 00466A52: __EH_prolog3.LIBCMT ref: 00466A59

~_Task_impl.LIBCPMT ref: 0043AC86

Part of subcall function 00474DBE: __EH_prolog3.LIBCMT ref: 00474DC5

Strings

, xrefs: 0043AB81

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Task_impl$H_prolog3$CloseDeleteHandleObject
String ID:
API String ID: 1965172688-3916222277
Opcode ID: 2d84f86eef486216fb1087bb07afce02d83a3e7b418458355d0e325da79c943a
Instruction ID: 1c817143a18abed9657a1be870a558b81b398fad3e573c732139b2b808e9bfd4
Opcode Fuzzy Hash: 2d84f86eef486216fb1087bb07afce02d83a3e7b418458355d0e325da79c943a
Instruction Fuzzy Hash: 84C1A130205B428FD345CB3CC545B96B7E1FFD9324F148A5DE0A9872A2DB34A909CBA3

Function 0044E740 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 212windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044E7E6

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Part of subcall function 00403A90: ~_Task_impl.LIBCPMT ref: 00403ACC

Strings

_latestcon_.txt, xrefs: 0044E991
SeetrolClient.exe, xrefs: 0044E9A2

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSendTask_impl_memcpy_s
String ID: SeetrolClient.exe$_latestcon_.txt
API String ID: 1795453245-1059547631
Opcode ID: afe7e7e2670f20eb1d67073e1d7893b9037c2ebf1166aca6363df26d00d02b9c
Instruction ID: 0b7efaec69120027f1955175cf422b3d712fc8d1723105b79bbb5ae0cc9d50a7
Opcode Fuzzy Hash: afe7e7e2670f20eb1d67073e1d7893b9037c2ebf1166aca6363df26d00d02b9c
Instruction Fuzzy Hash: 6081C4B02047409BD324EB26C856BDFBBE4BF85724F004A1EF195672C2DB796509CB9B

Function 004230D0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

VarUdateFromDate.OLEAUT32 ref: 004231B9

Strings

Invalid DateTime, xrefs: 00423199, 004231F6

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: DateFromUdate_memcpy_s
String ID: Invalid DateTime
API String ID: 765264550-2190634649
Opcode ID: 6c58f40a4a002ef9050a6b0f2cc7c6cad22d321e21ddc1bdc0497f8f3f5bf535
Instruction ID: 932bd5d4461085ad37d97b5f6deb86d45f29a5d76765b7df93c5cf645e47a041
Opcode Fuzzy Hash: 6c58f40a4a002ef9050a6b0f2cc7c6cad22d321e21ddc1bdc0497f8f3f5bf535
Instruction Fuzzy Hash: 7C519F716083119BD304DF66C805A6FFBE4BF88705F40482EF88196290EBBCDA44CB6A

Function 0043A689 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 128fileCOMMON

Download Yara Rule

APIs

_sprintf.LIBCMT ref: 0043A739
FindNextFileA.KERNEL32(?,?), ref: 0043A812

Strings

%s%s, xrefs: 0043A72C
\, xrefs: 0043A70E

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: FileFindNext_sprintf
String ID: %s%s$\
API String ID: 893695531-180345413
Opcode ID: bf590431f03aa31cbb2c40e7159e9b4216cb58e1cffd0113cb30e5ad0352af08
Instruction ID: e7dda753176340a3783103296d4dee896644c75191ce3ffd9fa2d819271e25c2
Opcode Fuzzy Hash: bf590431f03aa31cbb2c40e7159e9b4216cb58e1cffd0113cb30e5ad0352af08
Instruction Fuzzy Hash: FD4107351483C24BC721DB24C9957E7BBE2AFDA308F08585ED8C58B341E73AC9598787

Function 00458A00 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00458A88
_memset.LIBCMT ref: 00458A98

Part of subcall function 004DFEB0: _calloc.LIBCMT ref: 004DFED9

Part of subcall function 004DEA90: _realloc.LIBCMT ref: 004DEB45
Part of subcall function 004DEA90: _realloc.LIBCMT ref: 004DEB5B

Strings

Knowhow, xrefs: 00458B3B
Encoder, xrefs: 00458B40

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _memset_realloc$_calloc
String ID: Encoder$Knowhow
API String ID: 2380231876-117754463
Opcode ID: ef17e56ccef6c5e38a5b161d2e786c3dd1e6bb3d72a429619fddc52c0b63a2d2
Instruction ID: 0f275d3e3235e5dc22f06d75e5a69c733061ac8112216994a340b465c1f6bfb3
Opcode Fuzzy Hash: ef17e56ccef6c5e38a5b161d2e786c3dd1e6bb3d72a429619fddc52c0b63a2d2
Instruction Fuzzy Hash: CF411DB1500704AFD764EF75C881BE7B7E8FB48314F00891FF99A92242EB74B5948B95

Function 00452AF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62timeCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,ZTitleTip,?), ref: 00452B40
LoadCursorW.USER32 ref: 00452B72

Part of subcall function 0046B976: __CxxThrowException@8.LIBCMT ref: 0046B98C
Part of subcall function 0046B976: __CxxThrowException@8.LIBCMT ref: 0046B9A8

GetDoubleClickTime.USER32 ref: 00452BAA

Strings

ZTitleTip, xrefs: 00452B3A, 00452B8D

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Exception@8Throw$ClassClickCursorDoubleInfoLoadTime
String ID: ZTitleTip
API String ID: 3573195566-2167529048
Opcode ID: 2f9c07f1c17ff492e89dbe402b2368d3628df9b65a548fbfac91f0abd3aea55b
Instruction ID: 51df5e5d3dd2b2e8dcf630da685dad5de7e9477032076b3171e9fe32b7c19de2
Opcode Fuzzy Hash: 2f9c07f1c17ff492e89dbe402b2368d3628df9b65a548fbfac91f0abd3aea55b
Instruction Fuzzy Hash: 412159B05087419FC350DF2AC985A1BFBE4FB88B14F404A2FF999C22A0D77894088B56

Function 00412290 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 004122A3
LoadLibraryW.KERNEL32(?), ref: 004122B4
GetProcAddress.KERNEL32(00000000,ImageList_Draw), ref: 004122CE

Strings

ImageList_Draw, xrefs: 004122C8

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ImageList_Draw
API String ID: 310444273-2074868843
Opcode ID: ba9a85ef87849eed05a1397f898fef7313bb4a6a44b07e4039af6bccef87c7de
Instruction ID: cd4a565e0349ef787ac9518efa76c49dd63a61be5736a82b0f069ec72029358b
Opcode Fuzzy Hash: ba9a85ef87849eed05a1397f898fef7313bb4a6a44b07e4039af6bccef87c7de
Instruction Fuzzy Hash: 5DF0A475505B018FD760CF65D948A4BBBE8BB28711B00C85EE496C3B50E7B4E8A4CF14

Function 00412400 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 00412416
LoadLibraryW.KERNEL32(?), ref: 00412427
GetProcAddress.KERNEL32(00000000,ImageList_GetImageInfo), ref: 00412441

Strings

ImageList_GetImageInfo, xrefs: 0041243B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ImageList_GetImageInfo
API String ID: 310444273-158344479
Opcode ID: 57125ed559af267eafbb02461a2bff67d4f07953ccf649e43c80997b893cdf53
Instruction ID: 3ccf76cfda6ee7e62be3ab57c309e6a14e182adfd1069be111c9a96a68e2f6b2
Opcode Fuzzy Hash: 57125ed559af267eafbb02461a2bff67d4f07953ccf649e43c80997b893cdf53
Instruction Fuzzy Hash: CAF0E275905B01CFD720CF75D948B8BBBE8AB28710F00C81EA49AC3650D674E884CF24

Function 00419000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 00419013
LoadLibraryW.KERNEL32(?), ref: 00419024
GetProcAddress.KERNEL32(00000000,ImageList_AddMasked), ref: 0041903E

Strings

ImageList_AddMasked, xrefs: 00419038

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ImageList_AddMasked
API String ID: 310444273-822293376
Opcode ID: c28a786e506baf7045fd803b680f1a9355a975300bf1c1352eaf12d492ddcda1
Instruction ID: bea086c2758108852bddfe9a844ce798e066a3cc7027fb370ef2d25afe2548d3
Opcode Fuzzy Hash: c28a786e506baf7045fd803b680f1a9355a975300bf1c1352eaf12d492ddcda1
Instruction Fuzzy Hash: 2AF0B775505B118FC720CF64C958A47BBF8AB28711F00881EE59AC3B50D735E884CB14

Function 004296F9 Relevance: 6.2, APIs: 4, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00429843
SendMessageW.USER32(?,0000004E,00000000,?), ref: 0042986E
IsWindow.USER32(?), ref: 00429874
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00429888

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSend$ParentWindow_memcpy_s
String ID:
API String ID: 2649260901-0
Opcode ID: cec9f2974a8c5cb2e53eb844963cf2dcaa60e0b9b60dcbfd730d42c34cf0c991
Instruction ID: 8ce653de805c4bb73084bb2978d6c9d73c2bdaae45d8dc31929150c51239c4b4
Opcode Fuzzy Hash: cec9f2974a8c5cb2e53eb844963cf2dcaa60e0b9b60dcbfd730d42c34cf0c991
Instruction Fuzzy Hash: 5551CFB12047818FD320DF68C881B6BB7E5FF89314F144A5EE1898B391DB38E845CB96

Function 0042CB60 Relevance: 6.1, APIs: 4, Instructions: 146COMMON

Download Yara Rule

APIs

MoveToEx.GDI32(?,?,?,00000000), ref: 0042CB95
MoveToEx.GDI32(?,?,?,00000000), ref: 0042CBAB
LineTo.GDI32(?,?,?), ref: 0042CBD0
LineTo.GDI32(?,?,?), ref: 0042CBF0

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: LineMove
String ID:
API String ID: 140169392-0
Opcode ID: a448801c9d36df3a3e2b5821d84f94a560dd01266da79efbd4b132e04b795661
Instruction ID: 9d22229f12c04aaa5ddedecffc7898936ed8f75051ccbd1dee161efc0f45aa1e
Opcode Fuzzy Hash: a448801c9d36df3a3e2b5821d84f94a560dd01266da79efbd4b132e04b795661
Instruction Fuzzy Hash: EE5108B1200705AFE368CB6ADC84F6BB7ADEB89744F00491DF59E83250DA74BC44CB64

Function 0045AE60 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,0045C27F,?,?,?), ref: 0045AEB4

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a517d3bb6a067ca1cf3f836b788581ad7f271b0ddc7604ff36852ed4950f2cbb
Instruction ID: 7574983a21d8f48032a7cf3aa533ef902dd3fd221fa6867cac0c1aaabe64b582
Opcode Fuzzy Hash: a517d3bb6a067ca1cf3f836b788581ad7f271b0ddc7604ff36852ed4950f2cbb
Instruction Fuzzy Hash: 624182B25057009FD730DF2898C8A5BB7D8EB64326F108A2FF596C6641D374EC98DB26

Function 004E8920 Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 004E896C

Part of subcall function 004B09DA: __calloc_impl.LIBCMT ref: 004B09EF

Part of subcall function 004EBDC0: _malloc.LIBCMT ref: 004EBDE0
Part of subcall function 004EBDC0: _malloc.LIBCMT ref: 004EBDF0
Part of subcall function 004EBDC0: __floor_pentium4.LIBCMT ref: 004EBE1E
Part of subcall function 004EBDC0: __ftol.LIBCMT ref: 004EBE26

_malloc.LIBCMT ref: 004E8A1C
_calloc.LIBCMT ref: 004E8A8A
_calloc.LIBCMT ref: 004E8A9E

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _calloc_malloc$__calloc_impl__floor_pentium4__ftol
String ID:
API String ID: 4192552949-0
Opcode ID: e780d4211eb7079fff42d7b9c6e302fac0d4929fe731689add854a68aa310f9a
Instruction ID: 1f1aa1914544bee9bf0fc8ea069a110eeed06a3ccc33459f24c79911fd12d6f2
Opcode Fuzzy Hash: e780d4211eb7079fff42d7b9c6e302fac0d4929fe731689add854a68aa310f9a
Instruction Fuzzy Hash: 5B5133B1A04B018FD320CF6AD984657FBE4FF88304F20896EE19A87661E775A465CF85

Function 004404C0 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 0044056E
RtlLeaveCriticalSection.NTDLL(?), ref: 0044059A
RtlEnterCriticalSection.NTDLL(?), ref: 004405EF
RtlLeaveCriticalSection.NTDLL(?), ref: 00440608

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: efb7da34c4f1137e9cba637984c6a044410c78e82ac7e9cfa50338bb80d25e28
Instruction ID: 6a61480cd8b20705113c5938508f8242311b9e2d6a64f34a4f9b1e75b57b5bf6
Opcode Fuzzy Hash: efb7da34c4f1137e9cba637984c6a044410c78e82ac7e9cfa50338bb80d25e28
Instruction Fuzzy Hash: F04171711006059BD724DF29C8889ABB7E5FF94305F04492EE94ACF742DB34E865CF64

Function 004CCD99 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004CCDCD
__isleadbyte_l.LIBCMT ref: 004CCE01
MultiByteToWideChar.KERNEL32(00000080,00000009,004AB33F,?,00000000,00000000,?,?,?,?,004AB33F), ref: 004CCE32
MultiByteToWideChar.KERNEL32(00000080,00000009,004AB33F,00000001,00000000,00000000,?,?,?,?,004AB33F), ref: 004CCEA0

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 15938cd42133851bd101271b7ea7e027c28f01fd59fc1430d3b7c854d95f065d
Instruction ID: 715152ffabb0bfb5152e41dc8cdb513b65322bbf2c38cb0d1511417ae2c14e88
Opcode Fuzzy Hash: 15938cd42133851bd101271b7ea7e027c28f01fd59fc1430d3b7c854d95f065d
Instruction Fuzzy Hash: E831B135A00255EFDB60DF68C8C4EAE3FA5BF02310F1485AEE45A8B291D734D941DB58

Function 00418EF0 Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000115,00000002,00000000), ref: 00418F31
PostMessageW.USER32(?,00000115,00000003,00000000), ref: 00418F62
PostMessageW.USER32(?,00000115,00000000,00000000), ref: 00418FA5
PostMessageW.USER32(?,00000115,00000001,00000000), ref: 00418FD2

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 57e3f71271db80beee1e1b650f4bacd57308f8a63ab120646fc7598c35144cf4
Instruction ID: f4e12e2feb14930cdc7cc289bf61b7b68365d9095c732ffef866dd060aac9f34
Opcode Fuzzy Hash: 57e3f71271db80beee1e1b650f4bacd57308f8a63ab120646fc7598c35144cf4
Instruction Fuzzy Hash: 0821F83234060557D668D17CEC87FAA238B57D8761F18462FF345CB3C1EA68E8425358

Function 0042F6C0 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

mixerOpen.WINMM(?,?,00000000,00000000,00000000), ref: 0042F6F6
mixerGetLineInfoW.WINMM ref: 0042F741
mixerGetLineInfoW.WINMM(?,?,00000001), ref: 0042F780
mixerClose.WINMM(00000003), ref: 0042F7C3

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: mixer$InfoLine$CloseOpen
String ID:
API String ID: 119350834-0
Opcode ID: 45752f39f7a071bec9b6375962ec72cb8aed64d47b29254985aea64b538ce14e
Instruction ID: 53ce30ba8df340858456f66dfa36767931eafc3cbf4abb788b7155e248760648
Opcode Fuzzy Hash: 45752f39f7a071bec9b6375962ec72cb8aed64d47b29254985aea64b538ce14e
Instruction Fuzzy Hash: A4315E766183119BC320DF24D851AAFB7F5FBD9740F80092EF59683250E7789948CB96

Function 004496BC Relevance: 6.1, APIs: 4, Instructions: 87sleepwindowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00444BF0: SendMessageW.USER32(?,00000080,00000001,?), ref: 00444C81
Part of subcall function 00444BF0: SendMessageW.USER32(?,00000080,00000000,?), ref: 00444C94
Part of subcall function 00444BF0: LoadIconW.USER32(?,000000C0), ref: 00444FEF

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004496D6
SetTimer.USER32(?,0000046C,00001B58,00000000), ref: 004497A2
InvalidateRect.USER32(?,00000000,00000001,00509080,00000001,00000001,0000043A,00000001,00000000,00000001), ref: 00449831
Sleep.KERNEL32(00000064), ref: 0044987F

Part of subcall function 00432E90: SetEvent.KERNEL32(?), ref: 00432EA9
Part of subcall function 00432E90: CancelIo.KERNEL32(?), ref: 00432EBB
Part of subcall function 00432E90: closesocket.WS2_32(?), ref: 00432EC8
Part of subcall function 00432E90: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00432EE5
Part of subcall function 00432E90: CloseHandle.KERNEL32(?), ref: 00432F00

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSend$CancelCloseEventHandleIconInvalidateLoadObjectRectSingleSleepTimerWaitclosesocket
String ID:
API String ID: 242367150-0
Opcode ID: 9361e57e713e781b84d1736a06852f1181cd45054368a518ae9412ce812c8cc4
Instruction ID: 6aed68d26ae6d63a0ff581ed506cfc18a8fdc19a00acab715387038575129dab
Opcode Fuzzy Hash: 9361e57e713e781b84d1736a06852f1181cd45054368a518ae9412ce812c8cc4
Instruction Fuzzy Hash: B031A470340B019BE324EB21C85ABEBB3E1AF94B04F10451EE59A576C1DBB96844CB5A

Function 004116D0 Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00411770
GetVersionExW.KERNEL32 ref: 0041178B
GetVersionExW.KERNEL32(?), ref: 0041179E
SystemParametersInfoW.USER32(00000029,000001F8,?,00000000), ref: 004117CC

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Version$InfoParametersSystem_memset
String ID:
API String ID: 2178484409-0
Opcode ID: 1d2410f63655b1a61d01c280e1654c76f1cd48e820f96c9661077cb5a2da5784
Instruction ID: c1ea60687b9f245ee4118a75a0024b8106d08d85751b6219730b5ec94748b3be
Opcode Fuzzy Hash: 1d2410f63655b1a61d01c280e1654c76f1cd48e820f96c9661077cb5a2da5784
Instruction Fuzzy Hash: EA318EB11087458FE335DF15D895B9BB7F8FB48B04F40092EE186C7680DB78A6088BD6

Function 00452130 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

waveInUnprepareHeader.WINMM(?,?,00000020), ref: 0045215B
_memset.LIBCMT ref: 004521A3
waveInPrepareHeader.WINMM(?,?,00000020), ref: 0045222C
waveInAddBuffer.WINMM(?,?,00000020), ref: 0045224D

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: wave$Header$BufferPrepareUnprepare_memset
String ID:
API String ID: 2335095203-0
Opcode ID: 0113b84b43e4b82f66ad4a36a2f625b9f2e501a0cc2946393a170991177a0eb2
Instruction ID: 544436edc80e3dcd85ea713d053c25df9ea38d7909cba6ed4cdfc4594f9be8e3
Opcode Fuzzy Hash: 0113b84b43e4b82f66ad4a36a2f625b9f2e501a0cc2946393a170991177a0eb2
Instruction Fuzzy Hash: 45314F74000B20CAD364CF39C444BF2B7F4EB49705F51855EE9AE8A282E775E54ADB90

Function 00414710 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00414725
SendMessageW.USER32(?,00000101,0000001B,?), ref: 0041474C
GetParent.USER32(?), ref: 00414774
SendMessageW.USER32(?,00000101,?,?), ref: 0041479A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageParentSend
String ID:
API String ID: 928151917-0
Opcode ID: 35d48325dd38552a6d2a3deae773d23240f2c6f953255deed5c40f75631b9b0d
Instruction ID: c40823f6e9a65a928c4553dd5de46c07caeadff898a306d7259774d396f7a5dc
Opcode Fuzzy Hash: 35d48325dd38552a6d2a3deae773d23240f2c6f953255deed5c40f75631b9b0d
Instruction Fuzzy Hash: 9401D6BA600310AFD614EB68D88CDEB7359ABE5304F084D0EF4698B291D778DC81C765

Function 00462974 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(00000000), ref: 00462984
GetTopWindow.USER32(00000000), ref: 004629C3
GetWindow.USER32(00000000,00000002), ref: 004629E1

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 40f986239d869844221cc9a76fb5f6a86a528177724ae46e8b030c06b214a8e5
Instruction ID: 76b3c438e15a2244b378f706af8359847846b146c28bcb41c9f51beb58af3bc6
Opcode Fuzzy Hash: 40f986239d869844221cc9a76fb5f6a86a528177724ae46e8b030c06b214a8e5
Instruction Fuzzy Hash: 03012D7210091ABBCF126F91DE05E9F3F26AF94350F044016FD0055161E77AC969EFAA

Function 0042A680 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0042A6A8
WindowFromPoint.USER32(?,?), ref: 0042A6B8
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 0042A6E9
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0042A701

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSend$ClientFromPointScreenWindow
String ID:
API String ID: 3910757018-0
Opcode ID: 5e691b9400cb6bfea3d4e79063a5de3d2fbf9f21347f92741b51dd8679320a05
Instruction ID: c543132c2d7169429f39dd2461e4fc7e2ed42722c760cbd4d29e17eac76090d5
Opcode Fuzzy Hash: 5e691b9400cb6bfea3d4e79063a5de3d2fbf9f21347f92741b51dd8679320a05
Instruction Fuzzy Hash: 0B115B75314301AFD724DB24DC45F6BB7E5BBD8B11F04492EF48A82290D7B4E848DB62

Function 00444380 Relevance: 6.0, APIs: 4, Instructions: 46keyboardCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000017), ref: 00444388
GetKeyState.USER32(-00000002), ref: 00444396
GetClientRect.USER32(?,?), ref: 004443CD
PtInRect.USER32(?,?,?), ref: 004443EE

Part of subcall function 00444010: ClientToScreen.USER32(?,?), ref: 00444048
Part of subcall function 00444010: CreatePopupMenu.USER32 ref: 00444088
Part of subcall function 00444010: AppendMenuW.USER32(00000000,00000000,0000573F,00000000), ref: 00444102
Part of subcall function 00444010: AppendMenuW.USER32(00000000,00000000,00005740,00000000), ref: 0044412E
Part of subcall function 00444010: AppendMenuW.USER32(00000000,00000000,00005742,00000000), ref: 0044415A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Menu$Append$ClientRect$CreateMetricsPopupScreenStateSystem
String ID:
API String ID: 2773599413-0
Opcode ID: 8876870a2a4900beb462287094f8be71b4cde051feda2fc723ca8145aa543919
Instruction ID: 4e8d512ae1ba6b7ae828e5c0986639306b539ce7ee784bd961fb2985f1c7603a
Opcode Fuzzy Hash: 8876870a2a4900beb462287094f8be71b4cde051feda2fc723ca8145aa543919
Instruction Fuzzy Hash: D301A7713042015BD614EF28CC5AFAF77A8FBD4704F04490DF586C7291EA38D948C7A6

Function 00464E1E Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,000000F0,?,?,?,?,?,0045DD85,?,?,00403FEE,9F5E49E1), ref: 00464E44
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,0045DD85,?,?,00403FEE,9F5E49E1), ref: 00464E50
LockResource.KERNEL32(00000000,?,?,?,?,?,0045DD85,?,?,00403FEE,9F5E49E1), ref: 00464E5D
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,?,0045DD85,?,?,00403FEE,9F5E49E1), ref: 00464E79

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 32f22d353c27c0da929b4c1d296b023a0fb49ad5da74d7ff59934ab5e4ff5946
Instruction ID: 07a9c4deb84467de86c3b73f658dffc8c35b2f696eb70426c01ec111d6c8229c
Opcode Fuzzy Hash: 32f22d353c27c0da929b4c1d296b023a0fb49ad5da74d7ff59934ab5e4ff5946
Instruction Fuzzy Hash: C8F0A4323002016FCF115FE6DC8895F76ADABE1361B04403AFA05D7201FB79DC0496A9

Function 004840E4 Relevance: 6.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0063B3C8), ref: 0048411E
RtlInitializeCriticalSection.NTDLL(?), ref: 00484130
RtlLeaveCriticalSection.NTDLL(0063B3C8), ref: 0048413D
RtlEnterCriticalSection.NTDLL(?), ref: 0048414D

Part of subcall function 00464FBD: __CxxThrowException@8.LIBCMT ref: 00464FD3

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
String ID:
API String ID: 3253506028-0
Opcode ID: e05fd6c22edc08195e880f8792578b7fc8fa5b9b3891b6dd8728c4db3d1aa6f0
Instruction ID: 4e08c70c313959e9bb2095f80a5c574b0af923d34830b30fb1032b2aa7f6ba42
Opcode Fuzzy Hash: e05fd6c22edc08195e880f8792578b7fc8fa5b9b3891b6dd8728c4db3d1aa6f0
Instruction Fuzzy Hash: 71F0C2326002299BDB102B99DC4D72FB66AEBF2315F012417E24486151D73899818BA9

Function 00432F40 Relevance: 6.0, APIs: 4, Instructions: 34networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00432F70
WSAStartup.WS2_32(00000202), ref: 00432F81
WSACleanup.WS2_32 ref: 00432F8B
WSACleanup.WS2_32 ref: 00432FAA

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Cleanup$Startup_memset
String ID:
API String ID: 966451001-0
Opcode ID: 02b04851db68088a923cbcf56cf8c639beb80c6b39ed238206fe963b1d90f616
Instruction ID: db64ba221f4252b5f1376e0eefb6dccf9dbb4b61a8964d7693ade67816bcdb93
Opcode Fuzzy Hash: 02b04851db68088a923cbcf56cf8c639beb80c6b39ed238206fe963b1d90f616
Instruction Fuzzy Hash: 51F04FB46182009FD324AB64D86EBABB3E0AFAD304F40491EA55A86181EA745449DA9B

Function 004C559F Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004C55AB

Part of subcall function 004B699E: __getptd_noexit.LIBCMT ref: 004B69A1
Part of subcall function 004B699E: __amsg_exit.LIBCMT ref: 004B69AE

__getptd.LIBCMT ref: 004C55C2
__amsg_exit.LIBCMT ref: 004C55D0
__lock.LIBCMT ref: 004C55E0

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: abfc530e374753709245dff198ca933e78f64ccb52194b576faa432b5b3d5709
Instruction ID: 6ac83d8b0da8b8c5299adbf529ab869bf6298b49395ef6c2c28e1f4bef1d3dd7
Opcode Fuzzy Hash: abfc530e374753709245dff198ca933e78f64ccb52194b576faa432b5b3d5709
Instruction Fuzzy Hash: 1FF06236A00B049BD7A0BB658402B9D33A16F40714F11420FB440673D6CF3C79418BA9

Function 00452050 Relevance: 6.0, APIs: 4, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

waveInReset.WINMM(?), ref: 00452067
Sleep.KERNEL32(0000000A), ref: 0045206F
waveInStop.WINMM(?), ref: 0045207C
waveInClose.WINMM(?), ref: 00452089

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: wave$CloseResetSleepStop
String ID:
API String ID: 2040944279-0
Opcode ID: e44df88b4bef63e5244d7a4cb3a40b9af9dfb757fed7f2109618c72d01f01d62
Instruction ID: 38c989e7e353711cbeed784b9f23ef574afd08b3f1d43a4315a129e1cab3978b
Opcode Fuzzy Hash: e44df88b4bef63e5244d7a4cb3a40b9af9dfb757fed7f2109618c72d01f01d62
Instruction Fuzzy Hash: 2AE0ED71211710CBD7649F75E84CFD777E4BB0A701F040909E55E86392CB75A488DB60

Function 004DF470 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 004DF4B4

Strings

vorbis, xrefs: 004DF47A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _calloc
String ID: vorbis
API String ID: 1679841372-2156734674
Opcode ID: b88325b5024ede30844a8bd430f2e5286f174c336ec509d98aa13297e7019d0e
Instruction ID: e154485b86cec621ada16c8f8b3a7a7f38c40520124906d95514a7a3f6509ed8
Opcode Fuzzy Hash: b88325b5024ede30844a8bd430f2e5286f174c336ec509d98aa13297e7019d0e
Instruction Fuzzy Hash: 1D7146716002075BD7309F69DC91B9B3395AF10348F24403BF906DA352E7BDE51B8BAA

Function 0041CB20 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

_wcsnlen.LIBCMT ref: 0041CB54
_memcpy_s.LIBCMT ref: 0041CBB4

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Strings

aHF, xrefs: 0041CB26, 0041CB53, 0041CBAE, 0041CBF4

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: _memcpy_s$_wcsnlen
String ID: aHF
API String ID: 4275631127-290150829
Opcode ID: ee6309cb61f41f81d2ce30222f925f228b81dcf528a89ecf8095a76456d5ba63
Instruction ID: e9a7226bd3788878abba16da9a699ed220dbe566ce199c58e7800add200f91fd
Opcode Fuzzy Hash: ee6309cb61f41f81d2ce30222f925f228b81dcf528a89ecf8095a76456d5ba63
Instruction Fuzzy Hash: 2521EE72A042158FC700DF6DEC88D9BB7E9EF85314B00856FF504EB216EA38EC458BA5

Function 0040E6B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

CreateFontW.GDI32(?,?,00000000,00000000,?,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Tahoma), ref: 0040E71B

Strings

Tahoma, xrefs: 0040E6F2
hgP, xrefs: 0040E734, 0040E773, 0040E77C, 0040E738

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CreateFont
String ID: Tahoma$hgP
API String ID: 1830492434-1592135869
Opcode ID: 092d866e897bca8459adc80569ed959b113e0b43d4960b9d987a8439da796124
Instruction ID: ff6fcc29552105612e64af10e347975a172d7910c1074079eff4a7bde2a6eeb1
Opcode Fuzzy Hash: 092d866e897bca8459adc80569ed959b113e0b43d4960b9d987a8439da796124
Instruction Fuzzy Hash: 1B313271208740AFD204DF58C881F1AB7E9BB89724F104A0DF6959B2E0DB75A909CBA6

Function 00476FB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

__fdopen.LIBCMT ref: 0047705A

Strings

+, xrefs: 00477008
t, xrefs: 0047703A

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: __fdopen
String ID: +$t
API String ID: 194168367-1842947216
Opcode ID: 86f4c574e735030d586a2e3e98fbb68b69f05300137df87ea927daba2b0ec573
Instruction ID: e794b14a58f20389e54042187926639a4c9ea1f1561456021f4b582972cfb896
Opcode Fuzzy Hash: 86f4c574e735030d586a2e3e98fbb68b69f05300137df87ea927daba2b0ec573
Instruction Fuzzy Hash: 7B21043210C3809EEB119A39D4497E777C89B10328F64C92FF95DC62D2EB7CD885C669

Function 004341F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,00000080), ref: 0043428E
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004F9CE9), ref: 004342B0

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Strings

%16I64d, xrefs: 004342B8

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CloseFileHandleSize_memcpy_s
String ID: %16I64d
API String ID: 2985586523-3600910408
Opcode ID: f92371e4d257e227f7da6020b4c347973bfb925e131b71ac9a03514ac8da85b1
Instruction ID: c57e5356cab48819ed64be11f82c46d97b3b6146da46b40823a04e09d80dabee
Opcode Fuzzy Hash: f92371e4d257e227f7da6020b4c347973bfb925e131b71ac9a03514ac8da85b1
Instruction Fuzzy Hash: 1021A172604350AFD350DF28CC89B5FBBE8FB89B60F104A1EF945D7291DA7899048A95

Function 00440D29 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00440E8E
__endthread.LIBCMT ref: 00440F17

Strings

_st_ft_tmp.zip, xrefs: 00440E9B

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CloseHandle__endthread
String ID: _st_ft_tmp.zip
API String ID: 958611553-1049501217
Opcode ID: a0368b8daf57d63829b2e74b724a4e9092030445e2bb0eff35b10459fad12877
Instruction ID: 0e1b6ba1c543551c6abac3608eac7fb62f24c93480465ee7f866d2de04b83ff0
Opcode Fuzzy Hash: a0368b8daf57d63829b2e74b724a4e9092030445e2bb0eff35b10459fad12877
Instruction Fuzzy Hash: E23126715083818FD724DB28C855BDBB7E4AF95314F14066DE88C8B382D738A904CB97

Function 0043EE70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004680C4: __EH_prolog3.LIBCMT ref: 004680CB
Part of subcall function 004680C4: GetWindowTextLengthW.USER32(?), ref: 004680DB

Part of subcall function 0047CA8F: SendMessageW.USER32(?,00000437,00000000,?), ref: 0047CAB0

SendMessageW.USER32(?,000000C2,00000000), ref: 0043EEC0
SendMessageW.USER32(?,0000043F,00000001,00000000), ref: 0043EF3E

Strings

\, xrefs: 0043EEE5

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSend$H_prolog3LengthTextWindow
String ID: \
API String ID: 414047657-2967466578
Opcode ID: 03f1a793d4e4ebb9d1a9d7525e0bf08915b72efcea880e640b2e28ecda62c582
Instruction ID: 4248bbecf2880b6c8b258d409b49349c5f395ab8fe412403937908186b0ad4f3
Opcode Fuzzy Hash: 03f1a793d4e4ebb9d1a9d7525e0bf08915b72efcea880e640b2e28ecda62c582
Instruction Fuzzy Hash: 5821B175704704ABD714EF25C892B6BB3E5FB98704F00491DF64547381DB74A9048B96

Function 004E2E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 004E2E56
__ftol.LIBCMT ref: 004E2E92

Strings

Z&N, xrefs: 004E2EC5

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: __ftol
String ID: Z&N
API String ID: 495808979-3436223943
Opcode ID: 3461556b4a51363008e10994f3f1936ae6fd1c84741bc702b28c1f30f2441bc9
Instruction ID: cfbbb452ac01ad7c0f63d315c6003e8a7fd5ea5e347624fc549e280ee698ed1a
Opcode Fuzzy Hash: 3461556b4a51363008e10994f3f1936ae6fd1c84741bc702b28c1f30f2441bc9
Instruction Fuzzy Hash: 601152B1A05A04ABC3169F14D608296B7F1FFC4794F32C88CD48692365FB31D825CF86

Function 00406130 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040619E
_rand.LIBCMT ref: 004061AA

Part of subcall function 00403090: _memcpy_s.LIBCMT ref: 004030CA

Strings

%04d, xrefs: 004061B8

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: CountTick_memcpy_s_rand
String ID: %04d
API String ID: 764531380-1664496438
Opcode ID: 77491756c64bda602bb00f21621fcadcdff8d3eed33bed481a0f8e440e4bd7bc
Instruction ID: 1cc5d60739ba0a1621c30e56e34b3ae78f1d3ed7adff6e50eeeae33b36fbe924
Opcode Fuzzy Hash: 77491756c64bda602bb00f21621fcadcdff8d3eed33bed481a0f8e440e4bd7bc
Instruction Fuzzy Hash: A201D2B1208601AFE304EF28CC1AB2BB7E8FF48714F00892EF555D7391DB7898048B96

Function 004184D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,MFCGridCtrl,?), ref: 004184E7
LoadCursorW.USER32(00000000,00007F00), ref: 00418521

Part of subcall function 0046B976: __CxxThrowException@8.LIBCMT ref: 0046B98C
Part of subcall function 0046B976: __CxxThrowException@8.LIBCMT ref: 0046B9A8

Strings

MFCGridCtrl, xrefs: 004184E1, 0041853C

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Exception@8Throw$ClassCursorInfoLoad
String ID: MFCGridCtrl
API String ID: 3560186874-2589075856
Opcode ID: 81906d639b396d8cb1648487dfbafe8b04c12a7caa7db40dd1726e03a5c1c870
Instruction ID: 9f3a26d9fe08d693c2de213d972b30d656fbcea6c340ab3837823d91421a01d7
Opcode Fuzzy Hash: 81906d639b396d8cb1648487dfbafe8b04c12a7caa7db40dd1726e03a5c1c870
Instruction Fuzzy Hash: 24019270509301ABC300EF2AC88459FBBE8FFD8708F04481EF44893210E77895899B97

Function 00480E21 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40networkCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00480E28
HttpOpenRequestW.WININET(?,?,?,?,?,?,?,?), ref: 00480E5D

Strings

HTTP/1.0, xrefs: 00480E40

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: H_prolog3HttpOpenRequest
String ID: HTTP/1.0
API String ID: 3788906437-401229808
Opcode ID: a72e5b39b5a7a944fc3b9f4c19a4ecb09858c37318079730b8d065640fa80870
Instruction ID: 3e5abe26a18b8632ca27fd6bebdc8d16155af3287a0130b0bf808ffbfd86af7e
Opcode Fuzzy Hash: a72e5b39b5a7a944fc3b9f4c19a4ecb09858c37318079730b8d065640fa80870
Instruction Fuzzy Hash: A7017131100209AFDF61AF61C845AAF3B62EF18314F00881AFA1446251C739C961DF58

Function 0042A8B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 0042A8E7
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0042A8FF

Strings

, xrefs: 0042A8BD

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-3916222277
Opcode ID: aa85c1fbc9686ed8c1853f38e166e5cdb8264da61cfb90b2127793cf438505c2
Instruction ID: 8b0c5cf512aec90d0ab4051d7a1b60b6c4d4f5ef75beefc037a099a5833b61ae
Opcode Fuzzy Hash: aa85c1fbc9686ed8c1853f38e166e5cdb8264da61cfb90b2127793cf438505c2
Instruction Fuzzy Hash: 20F0E231740314ABE6309235AC82F7BB3D56B95760F55492FF58686180CAA4EC91DA16

Function 0045E3D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045E3FA
GetVersionExA.KERNEL32(?), ref: 0045E413

Strings

?E, xrefs: 0045E419

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: Version_memset
String ID: ?E
API String ID: 963298953-4069545443
Opcode ID: 3d157a7e2f66264ece0e19dc1badc30dbeba90e9b5e10d3425f369b9c7c0a13a
Instruction ID: 014d801597f8e6e177caea416cda29e078b60cc05e3469efbcc31a36dd1f64ce
Opcode Fuzzy Hash: 3d157a7e2f66264ece0e19dc1badc30dbeba90e9b5e10d3425f369b9c7c0a13a
Instruction Fuzzy Hash: 69F065B591020C9FDB60DB70DD4AB8EB7B8EB15304F5140A9990ED2283EA749A8CDB81

Function 004511C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(TIMER_ID_REFRESH_TRAY ----------- exception caught.), ref: 004511CC
PostMessageW.USER32(?,00002FF7,00000000,0000000B), ref: 004511E2

Strings

TIMER_ID_REFRESH_TRAY ----------- exception caught., xrefs: 004511C7

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: DebugMessageOutputPostString
String ID: TIMER_ID_REFRESH_TRAY ----------- exception caught.
API String ID: 3755657964-1450078925
Opcode ID: 1a6f39e69769bf01e66910682cf07df2655a0378ecc187759c8e5cc7f619b2be
Instruction ID: 9b79a6f813840619f7910ede7214ed39e00d2a5b128ccac75e4d84f5d0809652
Opcode Fuzzy Hash: 1a6f39e69769bf01e66910682cf07df2655a0378ecc187759c8e5cc7f619b2be
Instruction Fuzzy Hash: B7C012747403025BD7505B94CC4FF1DB624BB48B41F504560FA00DA2D1C77494449654

Function 004340F6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(RelayWorkThread Exception Manager $%%^^$$%%^*********............), ref: 00434109

Strings

RelayWorkThread Exception Manager $%%^^$$%%^*********............, xrefs: 00434104
RelayWorkThread Exception Client $%%^^$$%%^*********............, xrefs: 004340FD

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: DebugOutputString
String ID: RelayWorkThread Exception Client $%%^^$$%%^*********............$RelayWorkThread Exception Manager $%%^^$$%%^*********............
API String ID: 1166629820-2895478021
Opcode ID: 46bee1c3f210461a08c94a47b80a7842808da4f905be06c703e18e1ded6ff0d2
Instruction ID: 77545bfb4a24a9b7082469a468503859cbde251b81171293a28f4d28a8ed7c8c
Opcode Fuzzy Hash: 46bee1c3f210461a08c94a47b80a7842808da4f905be06c703e18e1ded6ff0d2
Instruction Fuzzy Hash: B2C0123895071456CF1497408C5E4DC27207BA8314F801016A001751D097992CC0D69B

Function 00464FA1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00464FB7

Part of subcall function 004AD7AD: RaiseException.KERNEL32(?,?,?,?), ref: 004AD7EF

Strings

D&Q, xrefs: 00464FB0
^c, xrefs: 00464FAC, 00464FAF

Memory Dump Source

Source File: 00000003.00000002.3341819228.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3341806658.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000526000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000538000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000541000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000054E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000557000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000560000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000056A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000574000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000057E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000599000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005A2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005B5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005BE000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.00000000005C7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000607000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.0000000000635000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000063F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3341819228.000000000071E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342212696.0000000000722000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3342225130.0000000000723000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SeetrolClient.jbxd

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: D&Q$^c
API String ID: 3976011213-2439097326
Opcode ID: 4fea2a6a3c8abbb6584d55623cb7d7c47248527b6764e8b9f0d044bbb328a7cc
Instruction ID: 13d2c85d24b0b3798e6f0e029f338430e6fd35f3df35ec20842ccb05d51974fe
Opcode Fuzzy Hash: 4fea2a6a3c8abbb6584d55623cb7d7c47248527b6764e8b9f0d044bbb328a7cc
Instruction Fuzzy Hash: 0CC02B7480020CFB434CEFC2CE0BC4E7BAEE5C0740F600004B11883000E7B06F084670

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\seetrol\client\068\dfmirage.cat

C:\Program Files (x86)\seetrol\client\068\dfmirage.dll

C:\Program Files (x86)\seetrol\client\068\dfmirage.inf

C:\Program Files (x86)\seetrol\client\068\dfmirage.sys

C:\Program Files (x86)\seetrol\client\105\dfmirage.cat

C:\Program Files (x86)\seetrol\client\105\dfmirage.inf

C:\Program Files (x86)\seetrol\client\105\x64\dfmirage.dll

C:\Program Files (x86)\seetrol\client\105\x64\dfmirage.sys

C:\Program Files (x86)\seetrol\client\105\x86\dfmirage.dll

C:\Program Files (x86)\seetrol\client\105\x86\dfmirage.sys

C:\Program Files (x86)\seetrol\client\Install.cmd

C:\Program Files (x86)\seetrol\client\MirrInst32.exe

C:\Program Files (x86)\seetrol\client\MirrInst64.exe

C:\Program Files (x86)\seetrol\client\STClientChat.exe

C:\Program Files (x86)\seetrol\client\STUpdate.exe

C:\Program Files (x86)\seetrol\client\SeetrolClient.cfg

Windows Analysis Report
file.exe

Function 010026E2 Relevance: 51.0, APIs: 17, Strings: 12, Instructions: 268
stringmemoryCOMMON

Function 0100456A Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188
COMMON

Function 010052D4 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 96
stringCOMMON

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre