Windows Analysis Report
SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Overview

General Information

Sample name: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
Analysis ID: 1552474
MD5: d259c61b387fcd39b3ab83dd9ee1fc26
SHA1: e53aea122c350a2e569dfaa587cfe5af6c3fb0a4
SHA256: 616ed7e97dd87be83b59ad3fa6df8285f35b62dbe913e8d73b1ea798a6021261
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-08T20:24:23.702958+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.7 | 49734 | TCP
2024-11-08T20:25:02.810657+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.7 | 49952 | TCP

AV Detection

Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | ReversingLabs: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.1% probability
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \PlugMan\PlugMan\obj\Debug\PlugMan.pdb+T source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
Source: Binary string: \PlugMan\PlugMan\obj\Debug\PlugMan.pdb source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Code function: 4x nop then lea ecx, dword ptr [ebp-000000BCh] | 0_2_08D49F11
Source: global traffic | HTTP traffic detected:
    GET /public/F_list.ini HTTP/1.1
    Host: 159.100.29.29
    Connection: Keep-Alive
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:49734
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:49952
Source: unknown | TCP traffic detected without corresponding DNS query: 80.78.246.154
Source: unknown | TCP traffic detected without corresponding DNS query: 159.100.29.29
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://159.100.29.29
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://159.100.29.29/public/
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://159.100.29.29/public/F_list.ini
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://159.100.29.29/public/F_list.iniP
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://159.100.29.29d
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002E7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://80.78.246.154
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://80.78.246.154/public/
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | String found in binary or memory: http://80.78.246.154/public/9http://159.100.29.29/public/
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3698526052.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://80.78.246.154/public/F_list.ini
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002E61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://80.78.246.154/public/F_list.iniP
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002E7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Code function: 0_2_058D5E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Code function: 0_2_058D6358
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Code function: 0_2_08D488F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Code function: 0_2_08D49688
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Code function: 0_2_08D488E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Code function: 0_2_08D4967C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Code function: 0_2_093A61F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Code function: 0_2_093A22A4
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000000.1232812011.0000000000A32000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePlugMan.exe0 vs SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3698526052.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Binary or memory string: OriginalFilenamePlugMan.exe0 vs SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
Source: classification engine | Classification label: mal52.winEXE@1/1@0/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | File created: C:\Users\user\AppData\Roaming\BimStep
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Mutant created: NULL
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Section loaded: dnsapi.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Static PE information: 0xFF0CC677 [Thu Aug 6 18:41:59 2105 UTC]
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Code function: 0_2_058D87C8 pushfd ; ret | 0_2_058D87D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Code function: 0_2_058D9F18 pushfd ; iretd | 0_2_058D9F19
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Code function: 0_2_058D1B8F push eax; mov dword ptr [esp], edx | 0_2_058D1BA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Code function: 0_2_058DA380 push eax; ret | 0_2_058DA393
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Static PE information: section name: .text entropy: 7.458103899462974
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Memory allocated: 12E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Memory allocated: 2D90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Memory allocated: 2CD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Window / User API: threadDelayed 6575
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | Window / User API: threadDelayed 3216
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -596465s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -596345s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -596216s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -596101s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -595986s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -595851s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -595735s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -595626s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -595504s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -595365s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -595249s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -595133s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -595018s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -594880s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -594763s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -594648s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -594547s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -594431s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -594316s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -594183s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -593958s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -593840s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 6936Thread sleep time: -593721s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 599875Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 599765Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 599623Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 599359Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 599119Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 599014Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 598903Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 598795Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 598687Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 598570Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 598468Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 598345Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 598206Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 598076Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 597960Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 597845Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 597716Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 597610Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 597492Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 597376Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 597235Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 597096Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 596956Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 596828Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 596679Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 596570Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 596465Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 596345Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 596216Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 596101Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 595986Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 595851Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 595735Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 595626Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 595504Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 595365Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 595249Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 595133Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 595018Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 594880Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 594763Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 594648Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 594547Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 594431Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 594316Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 594183Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 593958Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 593840Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exeThread delayed: delay time: 593721Jump to behavior
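Triage of this sleep pattern can be automated. The following is an added example written for this page, not Joe Sandbox code: it parses "Thread delayed" lines in the form the report prints them (the sample lines are copied from the report above with the process path shortened to sample.exe), sets the TimeSpan.MaxValue sentinel aside, and flags a run of slightly decreasing delays as a deadline-driven loop whose effective wait is the first delay of the run rather than the sum of all of them. The 10 s step bound and the minimum run length of 3 are assumptions chosen for this example.

```python
"""Summarise the 'Thread delayed' lines of a Joe Sandbox report and flag
deadline-driven sleep loops that survive the sandbox's sleep skipping."""
import re
from dataclasses import dataclass, field

# TimeSpan.MaxValue in milliseconds (ticks / 10_000, truncated): a .NET
# "wait forever" sentinel rather than a real sleep length.
TIMESPAN_MAX_MS = 922_337_203_685_477

DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")

# Constructed input: "Thread delayed" lines copied from the report above,
# with the process path shortened to sample.exe for readability.
SAMPLE_LINES = """
Source: sample.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: sample.exeThread delayed: delay time: 600000Jump to behavior
Source: sample.exeThread delayed: delay time: 599875Jump to behavior
Source: sample.exeThread delayed: delay time: 599765Jump to behavior
Source: sample.exeThread delayed: delay time: 599623Jump to behavior
Source: sample.exeThread delayed: delay time: 599359Jump to behavior
Source: sample.exeThread delayed: delay time: 599119Jump to behavior
Source: sample.exeThread delayed: delay time: 599014Jump to behavior
""".strip().splitlines()


@dataclass
class SleepSummary:
    count: int = 0               # finite delays seen
    infinite_waits: int = 0      # TimeSpan.MaxValue sentinels seen
    longest_ms: int = 0
    shortest_ms: int = 0
    # (first_ms, last_ms, length) of each run of slightly decreasing delays
    rearming_runs: list = field(default_factory=list)
    effective_wait_ms: int = 0   # wall-clock time the sample actually waits for


def parse_delays(lines):
    """Return the millisecond delay values in the order the report lists them."""
    delays = []
    for line in lines:
        m = DELAY_RE.search(line)
        if m:
            delays.append(int(m.group(1)))
    return delays


def find_rearming_runs(delays, max_step_ms=10_000, min_len=3):
    """Index ranges (start, end) where each delay is a little shorter than the last.

    That shape is what a loop of the form
        while now < deadline: Sleep(deadline - now)
    produces when the sandbox cuts every Sleep short: the thread wakes early,
    recomputes the remainder and sleeps again, so skipping sleeps gains nothing.
    """
    runs, start = [], 0
    for i in range(1, len(delays) + 1):
        continues = i < len(delays) and 0 < delays[i - 1] - delays[i] <= max_step_ms
        if not continues:
            if i - start >= min_len:
                runs.append((start, i - 1))
            start = i
    return runs


def analyze(lines):
    """Build a SleepSummary from raw report lines."""
    delays = parse_delays(lines)
    finite = [d for d in delays if d < TIMESPAN_MAX_MS]
    summary = SleepSummary(
        count=len(finite),
        infinite_waits=len(delays) - len(finite),
        longest_ms=max(finite, default=0),
        shortest_ms=min(finite, default=0),
    )
    covered = set()
    for start, end in find_rearming_runs(finite):
        summary.rearming_runs.append((finite[start], finite[end], end - start + 1))
        covered.update(range(start, end + 1))
        # a re-arming loop waits for its first (full) delay, not for the sum
        summary.effective_wait_ms += finite[start]
    summary.effective_wait_ms += sum(d for i, d in enumerate(finite) if i not in covered)
    return summary


if __name__ == "__main__":
    print(analyze(SAMPLE_LINES))
```

Run on the full 51-entry series above, the run covers every finite delay and the effective wait is the first value, ten minutes, which is beyond the 240 s analysis time the cookbook sets and consistent with the analysis ending on timeout.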
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3701271760.0000000008796000.00000004.00000020.00020000.00000000.sdmp, binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll ("Hyper-V RAW" is the name of the AF_HYPERV protocol entry that mswsock.dll registers in the Winsock catalog on Windows 10, so this string most likely comes from the loaded system DLL rather than from a VM check in the sample's own code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, queries volume information of: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, queries volume information of: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, queries volume information of: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, queries volume information of: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix, one tactic per line. A number in brackets is the count of signatures matched for that technique; cells without a number are the unmatched entries of the matrix template.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: DLL Side-Loading [1], Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: DLL Side-Loading [1], Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Masquerading [1], Disable or Modify Tools [1], Virtualization/Sandbox Evasion [31], Obfuscated Files or Information [3], Software Packing [1], Timestomp [1], DLL Side-Loading [1]
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Security Software Discovery [1], Process Discovery [1], Virtualization/Sandbox Evasion [31], Application Window Discovery [1], System Information Discovery [12], Wi-Fi Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data [1], Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel [1], Ingress Tool Transfer [1], Non-Application Layer Protocol [1], Application Layer Protocol [1], Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Antivirus results for the submitted file (Source | Detection | Scanner | Label):
SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | 29% | ReversingLabs | Win32.Trojan.Generic
Dropped files, unpacked PE files and domains: no antivirus matches.
URL scan results (Source | Detection | Scanner | Label):
http://80.78.246.154/public/ | 0% | Avira URL Cloud | safe
http://159.100.29.29/public/F_list.ini | 0% | Avira URL Cloud | safe
http://80.78.246.154/public/F_list.ini | 0% | Avira URL Cloud | safe
http://159.100.29.29/public/ | 0% | Avira URL Cloud | safe
http://80.78.246.154/public/9http://159.100.29.29/public/ | 0% | Avira URL Cloud | safe
http://159.100.29.29d | 0% | Avira URL Cloud | safe
http://80.78.246.154 | 0% | Avira URL Cloud | safe
http://80.78.246.154/public/F_list.iniP | 0% | Avira URL Cloud | safe
http://159.100.29.29 | 0% | Avira URL Cloud | safe
http://159.100.29.29/public/F_list.iniP | 0% | Avira URL Cloud | safe
No contacted domains info.

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://159.100.29.29/public/F_list.ini | false | Avira URL Cloud: safe | unknown

URLs found in memory and binary data (Name | Source | Malicious | Antivirus Detection | Reputation):
http://159.100.29.29d | SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://80.78.246.154/public/9http://159.100.29.29/public/ | SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe | false | Avira URL Cloud: safe | unknown
http://80.78.246.154/public/F_list.ini | SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp; SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3698526052.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://80.78.246.154/public/F_list.iniP | SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002E61000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://80.78.246.154 | SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp; SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002E7F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002E7F000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://159.100.29.29 | SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://80.78.246.154/public/ | SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://159.100.29.29/public/F_list.iniP | SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp; SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://159.100.29.29/public/ | SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3699554461.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

The trailing characters and the concatenated pair in this list (...iniP, ...29d, /public/9http://...) are most likely artefacts of string extraction from the memory dumps; the operative URLs are http://80.78.246.154/public/F_list.ini and http://159.100.29.29/public/F_list.ini, and the packet table below shows both hosts were contacted on port 80.
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
80.78.246.154 | unknown | Russian Federation | 43146 | AGAVA3RU | false
159.100.29.29 | unknown | Germany | 203833 | AT-FIRSTCOLOAustriaAT | false
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1552474
    Start date and time:2024-11-08 20:23:07 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 6m 18s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:17
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
    Detection:MAL
    Classification:mal52.winEXE@1/1@0/2
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 98%
    • Number of executed functions: 41
    • Number of non-executed functions: 2
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Override analysis time to 240000 for current running targets taking high CPU consumption
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed; the report is missing behavior information
    • Report size getting too big, too many NtReadVirtualMemory calls found.
    • VT rate limit hit for: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
    Time | Type | Description
    14:24:03 | API Interceptor | 11858980x (11,858,980) Sleep calls for process SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe modified
Context: other samples seen on the same ASNs (Associated Sample Name / URL | Detection | Threat Name | Contacted IP):

AGAVA3RU (AS43146):
  http://puzzlewood.net | malicious | Unknown | 89.108.119.28
  yakov.mips.elf | malicious | Mirai | 89.108.102.237
  http://www.goo.su/c1Rnox/ | malicious | Unknown | 89.108.119.43
  https://dolshepsi.ru/assets/images/dh/GlobalSources/index.php/ | malicious | HTMLPhisher | 89.108.85.64
  http://xn--r1a.website/s/ogorodru | malicious | Unknown | 89.108.119.28
  http://www.goo.su/fJu2F/ | malicious | Unknown | 89.108.120.68
  http://vidaliaonion.org | malicious | Unknown | 89.108.120.76
  http://stream.crichd.vip/update/sscricket.php | malicious | Unknown | 89.108.119.43
  https://lenta.ru/articles/2023/01/13/darkpr/ | malicious | HTMLPhisher | 89.108.120.68
  http://manga-netflix10737.tinyblogging.com.xx3.kz/ | malicious | Unknown | 89.108.119.28

AT-FIRSTCOLOAustriaAT (AS203833):
  boatnet.mips.elf | malicious | Mirai | 79.133.46.243
  YIztve8dU8.elf | malicious | Mirai | 79.133.46.243
  fSLSu3PQPC.elf | malicious | Mirai | 79.133.46.243
  3kMnPQIVHR.elf | malicious | Mirai | 79.133.46.243
  F4ged15cJ3.elf | malicious | Mirai | 79.133.46.243
  cZlRw8OG35.elf | malicious | Mirai | 79.133.46.243
  j0GmmzdQRz.elf | malicious | Mirai | 79.133.46.243
  VWpmyBcWBO.elf | malicious | Mirai | 79.133.46.243
  KBW66LEndt.elf | malicious | Mirai | 79.133.46.243
  https://sothebys.us.com/ja4DCams2APwoTx4RAl4DCB4GI1AoTxp4RAoTx4DCuctsz01nQ3Et | malicious | HTMLPhisher | 79.133.57.143

The overlap is at the ASN level only: none of the IPs above equals 80.78.246.154 or 159.100.29.29, the two hosts this sample contacted.
    Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):14
    Entropy (8bit):3.2359263506290334
    Encrypted:false
    SSDEEP:3:Bcn:+
    MD5:5EFAD9751B81AC353C2774A58A0BE0FD
    SHA1:D5D6BFFDFA7D7B10B37AB8A099A3BAC6DCFA8684
    SHA-256:52F0327ECD5E40CF50C393FB2D09C7CA0B5CC2E4B757A26CDD02CA4258A1DFEF
    SHA-512:FC21C7726E766B808A3F5746ACD281D00C473177857BF18B5463926505472E9AE62CCE5D25E95396501B89521454AD8DD184458E320974C4421EF8E2DF9D186F
    Malicious:false
    Reputation:low
    Preview: Language..RU.. (the dots stand for the CRLF terminators: the file consists of the two lines "Language" and "RU", which accounts for all 14 bytes)
    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Entropy (8bit):7.43497282842813
    TrID:
    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
    • Win32 Executable (generic) a (10002005/4) 49.75%
    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
    • Windows Screen Saver (13104/52) 0.07%
    • Generic Win/DOS Executable (2004/3) 0.01%
    File name:SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
    File size:278'528 bytes
    MD5:d259c61b387fcd39b3ab83dd9ee1fc26
    SHA1:e53aea122c350a2e569dfaa587cfe5af6c3fb0a4
    SHA256:616ed7e97dd87be83b59ad3fa6df8285f35b62dbe913e8d73b1ea798a6021261
    SHA512:c861ad697fc9b76d0cabb9cc0411523f2bd0ccffd0b381217b49eb28fbd0af9f4fb6417ee4998556befde590fc092294ea68398fe61f5a30b3bb68dc44629bc0
    SSDEEP:6144:15eNsZqK0jLVDdlqIcGFJsVgLbZOvoHizVKoSi2MGGf:DMscNdq8CmZWoHoVFSi2MG
    TLSH:DE44CF063660CE5EEFFD03F1D8E526D213AC881AC615E25FBDF238A979B97804604D67
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w............."...0..6..........VT... ...`....@.. ....................................`................................
    Icon Hash:00928e8e8686b000
    Entrypoint:0x445456
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Time Stamp: 0xFF0CC677 [Thu Aug 6 18:41:59 2105 UTC]. A date in 2105 is what the "Binary contains a suspicious time stamp" signature keys on; for a .NET assembly it is also what a deterministic (Roslyn /deterministic) build produces, since such builds store a hash of the content in this field instead of a build date, so the field alone is not evidence of tampering.
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
    Instruction (at the entry point 0x445456):
    jmp dword ptr [00402000h]
    The bytes that follow are zeros, which the disassembler rendered as a run of "add byte ptr [eax], al". The jump target 0x402000 is the single IAT slot (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, size 8, see below) that holds the only import, mscoree.dll!_CorExeMain: this is the standard native stub of a .NET executable, and the program logic lives in the CIL metadata rather than in native code.
    Data directories (Name | Virtual Address | Virtual Size | Is in Section):
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x45403 | 0x4f | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x46000 | 0x59c | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0xc | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x45364 | 0x38 | .text
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
    .text | 0x2000 | 0x4345c | 0x43600 | 8374dec81e1e40c2bd1ae14172aad4ef | False | 0.6088713184137291 | data | 7.458103899462974 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rsrc | 0x46000 | 0x59c | 0x600 | 51dab4d518e89fe237ea8853abb2ea72 | False | 0.4108072916666667 | data | 4.0542235385711605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x48000 | 0xc | 0x200 | d1a6f9453fa95b027d3c98aec16b7030 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity):
    RT_VERSION | 0x46090 | 0x30c | data | | | 0.4230769230769231
    RT_MANIFEST | 0x463ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
    Imports (DLL | Import):
    mscoree.dll | _CorExeMain
    Suricata alerts (Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol):
    2024-11-08T20:24:23.702958+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.7 | 49734 | TCP
    2024-11-08T20:25:02.810657+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.7 | 49952 | TCP
    Both alerts are on data arriving from 4.245.163.56 port 443, a host that appears neither in the packet table below nor in the contacted-IP list (the sample only talked to 80.78.246.154 and 159.100.29.29 on port 80), and the signature is a byte-pattern match applied to a TLS stream. They are best read as a false positive on background traffic of the analysis system, not as activity of the sample.
    TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
    Nov 8, 2024 20:24:03.850455046 CET | 49701 | 80 | 192.168.2.7 | 80.78.246.154
    Nov 8, 2024 20:24:03.855309963 CET | 80 | 49701 | 80.78.246.154 | 192.168.2.7
    Nov 8, 2024 20:24:03.855458975 CET | 49701 | 80 | 192.168.2.7 | 80.78.246.154
    Nov 8, 2024 20:24:03.856230021 CET | 49701 | 80 | 192.168.2.7 | 80.78.246.154
    Nov 8, 2024 20:24:03.861057997 CET | 80 | 49701 | 80.78.246.154 | 192.168.2.7
    Nov 8, 2024 20:24:04.341109037 CET | 49701 | 80 | 192.168.2.7 | 80.78.246.154
    Nov 8, 2024 20:24:04.371886015 CET | 49702 | 80 | 192.168.2.7 | 159.100.29.29
    Nov 8, 2024 20:24:04.379713058 CET | 80 | 49702 | 159.100.29.29 | 192.168.2.7
    Nov 8, 2024 20:24:04.379811049 CET | 49702 | 80 | 192.168.2.7 | 159.100.29.29
    Nov 8, 2024 20:24:04.379903078 CET | 49702 | 80 | 192.168.2.7 | 159.100.29.29
    Nov 8, 2024 20:24:04.385317087 CET | 80 | 49702 | 159.100.29.29 | 192.168.2.7
    Nov 8, 2024 20:24:04.390897036 CET | 80 | 49701 | 80.78.246.154 | 192.168.2.7
    Nov 8, 2024 20:24:04.501286030 CET | 80 | 49701 | 80.78.246.154 | 192.168.2.7
    Nov 8, 2024 20:24:04.501533031 CET | 49701 | 80 | 192.168.2.7 | 80.78.246.154
    Nov 8, 2024 20:24:04.915206909 CET | 49702 | 80 | 192.168.2.7 | 159.100.29.29
    Nov 8, 2024 20:24:04.942615986 CET | 49703 | 80 | 192.168.2.7 | 159.100.29.29
    Nov 8, 2024 20:24:04.947585106 CET | 80 | 49703 | 159.100.29.29 | 192.168.2.7
    Nov 8, 2024 20:24:04.947693110 CET | 49703 | 80 | 192.168.2.7 | 159.100.29.29
    Nov 8, 2024 20:24:04.950237989 CET | 49703 | 80 | 192.168.2.7 | 159.100.29.29
    Nov 8, 2024 20:24:04.955329895 CET | 80 | 49703 | 159.100.29.29 | 192.168.2.7
    Nov 8, 2024 20:24:04.962399006 CET | 80 | 49702 | 159.100.29.29 | 192.168.2.7
    Nov 8, 2024 20:24:04.993340969 CET | 49703 | 80 | 192.168.2.7 | 159.100.29.29
    Nov 8, 2024 20:24:05.001796961 CET | 80 | 49702 | 159.100.29.29 | 192.168.2.7
    Nov 8, 2024 20:24:05.001863956 CET | 49702 | 80 | 192.168.2.7 | 159.100.29.29
    Nov 8, 2024 20:24:05.046458960 CET | 80 | 49703 | 159.100.29.29 | 192.168.2.7
    Nov 8, 2024 20:24:05.543004036 CET | 80 | 49703 | 159.100.29.29 | 192.168.2.7
    Nov 8, 2024 20:24:05.543057919 CET | 49703 | 80 | 192.168.2.7 | 159.100.29.29
    Three flows in total: guest port 49701 to 80.78.246.154:80, and guest ports 49702 and 49703 to 159.100.29.29:80.
    • 159.100.29.29
    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    0 | 192.168.2.7 | 49701 | 80.78.246.154 | 80 | 6688 | C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
    Timestamp | Bytes transferred | Direction | Data
    Nov 8, 2024 20:24:03.856230021 CET | 81 | OUT | HEAD /public/F_list.ini HTTP/1.1
    Host: 80.78.246.154
    Connection: Keep-Alive


    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    1 | 192.168.2.7 | 49702 | 159.100.29.29 | 80 | 6688 | C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
    Timestamp | Bytes transferred | Direction | Data
    Nov 8, 2024 20:24:04.379903078 CET | 81 | OUT | HEAD /public/F_list.ini HTTP/1.1
    Host: 159.100.29.29
    Connection: Keep-Alive


    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    2 | 192.168.2.7 | 49703 | 159.100.29.29 | 80 | 6688 | C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
    Timestamp | Bytes transferred | Direction | Data
    Nov 8, 2024 20:24:04.950237989 CET | 80 | OUT | GET /public/F_list.ini HTTP/1.1
    Host: 159.100.29.29
    Connection: Keep-Alive



    Target ID: 0
    Start time: 14:24:02
    Start date: 08/11/2024
    Path: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
    Wow64 process (32bit): true
    Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe"
    Imagebase: 0xa30000
    File size: 278'528 bytes
    MD5 hash: D259C61B387FCD39B3AB83DD9EE1FC26
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: low
    Has exited: false


      Execution Graph

      Execution Coverage: 10.6%
      Dynamic/Decrypted Code Coverage: 100%
      Signature Coverage: 2%
      Total number of Nodes: 205
      Total number of Limit Nodes: 13

      Control-flow Graph

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3701187565.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_58d0000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID: Hq$Hq$Hq$Hq$Hq
      • API String ID: 0-3799487529
      • Opcode ID: 9001cdce07f393b9b728cbcd934174ba0922f37e6b10a50d1dd6f2846a8a4a66
      • Instruction ID: cdfeb527a1648e06c632db1073c58a583894b4193ecbc6d4f4cc259599c8c485
      • Opcode Fuzzy Hash: 9001cdce07f393b9b728cbcd934174ba0922f37e6b10a50d1dd6f2846a8a4a66
      • Instruction Fuzzy Hash: A6329070E003188FEB54DF69D8517AEBBF2AF84304F54856AD40AEB385EB349D45CBA1

      Control-flow Graph

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3701399924.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_8d40000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID: fq$PHq
      • API String ID: 0-821858
      • Opcode ID: 0ae7b23ac46508812f22d1fbcbeab8d609a232e03664cd7ea93ea1732939c155
      • Instruction ID: 065f46aefb252f27849a08e8325a6a7a97bdbb41c4da17b248fe36138b0e2ca1
      • Opcode Fuzzy Hash: 0ae7b23ac46508812f22d1fbcbeab8d609a232e03664cd7ea93ea1732939c155
      • Instruction Fuzzy Hash: C1E1B174E01218CFDB64DFA9D884B9DBBB2BF49341F1091AAD409AB365DB709E85CF10

      Control-flow Graph

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3701399924.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_8d40000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID: fq$PHq
      • API String ID: 0-821858
      • Opcode ID: 458d69377ec36643f0796193655af559a09977ffd2598318a65adfc248521b8d
      • Instruction ID: 13b4babf1a0cbfe19d39ba317c9e6949f203c79253901300ae6024716854687d
      • Opcode Fuzzy Hash: 458d69377ec36643f0796193655af559a09977ffd2598318a65adfc248521b8d
      • Instruction Fuzzy Hash: 9FC1CF74E01258CFDB54DFA9C984B9DBBF2BF89301F1081AAD409AB365DB709A85CF10
      Memory Dump Source
      • Source File: 00000000.00000002.3701614960.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_93a0000_SecuriteInfo.jbxd
      Similarity
      • API ID: DispatchMessage
      • String ID:
      • API String ID: 2061451462-0
      • Opcode ID: e97c194fa722caeadc859f5ad4e9c3a9bac4698831fc2523535c93dbb722cf3a
      • Instruction ID: 49dab1a96fbe157af539264b633734c74c4d58f66bb29b8abf99b4719f76b7b8
      • Opcode Fuzzy Hash: e97c194fa722caeadc859f5ad4e9c3a9bac4698831fc2523535c93dbb722cf3a
      • Instruction Fuzzy Hash: A2F14A30A00209CFDB14DFA9C949B9DBBF1FF48318F198169E409AF2A5DB75A945CF90
      Memory Dump Source
      • Source File: 00000000.00000002.3701399924.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_8d40000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 6014b1ce422f6c5b27726d1ba9502a24d5178f69ff81d5476ff527b90d99f779
      • Instruction ID: 272ac237f49ed8438a2288b2f44e604b9f4c52837be51a30f80305df7c916d54
      • Opcode Fuzzy Hash: 6014b1ce422f6c5b27726d1ba9502a24d5178f69ff81d5476ff527b90d99f779
      • Instruction Fuzzy Hash: 9EF1A574D012288FDB64DF69D998BDDBBB2BF49301F1091EAD809A7264DB349E81CF50
      Memory Dump Source
      • Source File: 00000000.00000002.3701187565.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_58d0000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 4c49949809210a1ae072d96607a8c0e6664511366347f4aa9374bbd90c95824d
      • Instruction ID: 7266e2a69292a225092fe4e135f046a915d9286d23354107da704a3787329591
      • Opcode Fuzzy Hash: 4c49949809210a1ae072d96607a8c0e6664511366347f4aa9374bbd90c95824d
      • Instruction Fuzzy Hash: 9FC14B31E002189FDB25DF69D884B9DFBF2BF88314F14C56AD849AB255EB309D84CB61
      Memory Dump Source
      • Source File: 00000000.00000002.3701399924.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_8d40000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c41acf4863f380ec90c1ff96bb9f4dcd7815477ed3f5dd75b0acfe7313e86d40
      • Instruction ID: af2c6a84f417a072141ceb5bca8453e603283d384edb8ed3379137a0a2c233e8
      • Opcode Fuzzy Hash: c41acf4863f380ec90c1ff96bb9f4dcd7815477ed3f5dd75b0acfe7313e86d40
      • Instruction Fuzzy Hash: 1071B775E412289FDB68DF6AD8447D9BBF2BF89300F1081EAD818A7265DB305E81CF50

      Control-flow Graph

      APIs
      • GetModuleHandleW.KERNEL32(00000000), ref: 012ECA3E
      Memory Dump Source
      • Source File: 00000000.00000002.3699432286.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_12e0000_SecuriteInfo.jbxd
      Similarity
      • API ID: HandleModule
      • String ID:
      • API String ID: 4139908857-0
      • Opcode ID: 416eb9fbd9ce3295573f5c0e094210ea750bf4101bfbaa769c86d7cb35262023
      • Instruction ID: 652aeac6868524e6103110e87453ab0f30d6b784fc916d358f467f4ca800a832
      • Opcode Fuzzy Hash: 416eb9fbd9ce3295573f5c0e094210ea750bf4101bfbaa769c86d7cb35262023
      • Instruction Fuzzy Hash: 16815670A10B068FE725CFA9D54976ABBF1BF88310F00892ED59ADBB40D734E815CB91

      Control-flow Graph

      APIs
      • Shell_NotifyIconW.SHELL32(?,00000000), ref: 058D7284
      Memory Dump Source
      • Source File: 00000000.00000002.3701187565.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_58d0000_SecuriteInfo.jbxd
      Similarity
      • API ID: IconNotifyShell_
      • String ID:
      • API String ID: 1144537725-0
      • Opcode ID: 2af801c709ac3cc79039fe7fabd06bf284c7aec2897c880f3c571403dd4465fd
      • Instruction ID: 0f161089edbae333230431405c87994fd5042c27465ea24b8fd0151c568de078
      • Opcode Fuzzy Hash: 2af801c709ac3cc79039fe7fabd06bf284c7aec2897c880f3c571403dd4465fd
      • Instruction Fuzzy Hash: 0C411FB0D002589FDB18DFA9C848B9EFBF6FB48300F50802AE81AE7280D7759805CF65

      Control-flow Graph

      APIs
      • CreateActCtxA.KERNEL32(?), ref: 012E6B21
      Memory Dump Source
      • Source File: 00000000.00000002.3699432286.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_12e0000_SecuriteInfo.jbxd
      Similarity
      • API ID: Create
      • String ID:
      • API String ID: 2289755597-0
      • Opcode ID: 23eaeb2ad2b7326b278dbfe9ceb99d7e17b73e3060493921bb694da53c3d7b0a
      • Instruction ID: 32e36653351a7e88279b6d933d2e736474afd927856537d96027a037c7729326
      • Opcode Fuzzy Hash: 23eaeb2ad2b7326b278dbfe9ceb99d7e17b73e3060493921bb694da53c3d7b0a
      • Instruction Fuzzy Hash: 1941B2B0C10719CBDF24DFA9C848B9DBBF5BF58304F60806AD509AB251D7B56946CF90

      Control-flow Graph

      APIs
      • CreateActCtxA.KERNEL32(?), ref: 012E6B21
      Memory Dump Source
      • Source File: 00000000.00000002.3699432286.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_12e0000_SecuriteInfo.jbxd
      Similarity
      • API ID: Create
      • String ID:
      • API String ID: 2289755597-0
      • Opcode ID: 7e3b41fa21f14e4e6cbbbf071ba0cced8acf6ed48f602053dbbdb5f009fdf1b8
      • Instruction ID: 162f8b9cbd7519c67198bd00dcb8561d14a943664f94666e22b3a50c31f4f357
      • Opcode Fuzzy Hash: 7e3b41fa21f14e4e6cbbbf071ba0cced8acf6ed48f602053dbbdb5f009fdf1b8
      • Instruction Fuzzy Hash: 1941BDB1C10719CBEB24DFA9C888B9DBBF5BF58304F60846AD408AB251DBB56946CF50

      Control-flow Graph

      APIs
      • Shell_NotifyIconW.SHELL32(?,00000000), ref: 058D7284
      Memory Dump Source
      • Source File: 00000000.00000002.3701187565.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_58d0000_SecuriteInfo.jbxd
      Similarity
      • API ID: IconNotifyShell_
      • String ID:
      • API String ID: 1144537725-0
      • Opcode ID: e0d5794eef68075325a7b0e22df70b5860cec3771e492d324497e6e85f3bdcad
      • Instruction ID: 34b11c162f7a7a3b00b18a4e10970fbe212e649d93497d2e3a95c1f8dbda2d0c
      • Opcode Fuzzy Hash: e0d5794eef68075325a7b0e22df70b5860cec3771e492d324497e6e85f3bdcad
      • Instruction Fuzzy Hash: 7041F0B0D142589FDB18CFA9C448B9EFBF5BB48300F54802AE81AF7280C7759845CF65

      Control-flow Graph

      APIs
      • GetClassInfoW.USER32(?,00000000), ref: 093A02BC
      Memory Dump Source
      • Source File: 00000000.00000002.3701614960.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_93a0000_SecuriteInfo.jbxd
      Similarity
      • API ID: ClassInfo
      • String ID:
      • API String ID: 3534257612-0
      • Opcode ID: 828f098ac31f8e2466f7058626ac2f61d6db4c018b411dd0a77295a061bdc673
      • Instruction ID: 4350c3e1bce119d1e2c1bac3fe10cd0f09abb273bcaa585ffa4588bcabd34e16
      • Opcode Fuzzy Hash: 828f098ac31f8e2466f7058626ac2f61d6db4c018b411dd0a77295a061bdc673
      • Instruction Fuzzy Hash: DB319FB19093999FDB16CFA9C8446CEFFF4EF5A210F1480AED444E7252D334A809CB61
      APIs
      • PostMessageW.USER32(?,?,?,?), ref: 093A5BDD
      Memory Dump Source
      • Source File: 00000000.00000002.3701614960.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_93a0000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessagePost
      • String ID:
      • API String ID: 410705778-0
      • Opcode ID: b2287a0288aef1b3c1857e2c82e501ad36c96eb23fd3d0544d3b6cd46c141e00
      • Instruction ID: aa1073887627b29af265a126e495facf1c5e714507c4bb7c02843fb6968be856
      • Opcode Fuzzy Hash: b2287a0288aef1b3c1857e2c82e501ad36c96eb23fd3d0544d3b6cd46c141e00
      • Instruction Fuzzy Hash: 032188B1804349CFDB11CF9AC845BDEBFF8EB09310F14845AE494A7262D378A948CFA1
      APIs
      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012EEC86,?,?,?,?,?), ref: 012EED47
      Memory Dump Source
      • Source File: 00000000.00000002.3699432286.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_12e0000_SecuriteInfo.jbxd
      Similarity
      • API ID: DuplicateHandle
      • String ID:
      • API String ID: 3793708945-0
      • Opcode ID: f0eb6ed00b3b35d2aa0ff473d40a5f6f9579261fb0a40b60330e777f7b609e25
      • Instruction ID: d86713c799547ceeee2de5b0f463609b8d8a641c2edd9b3bd9c7b3917f92bb32
      • Opcode Fuzzy Hash: f0eb6ed00b3b35d2aa0ff473d40a5f6f9579261fb0a40b60330e777f7b609e25
      • Instruction Fuzzy Hash: 202103B5D10208DFDB10CFAAD884AEEBBF8FB48310F14801AE914A7350C375A944CFA4
      APIs
      • GetClassInfoW.USER32(?,00000000), ref: 093A02BC
      Memory Dump Source
      • Source File: 00000000.00000002.3701614960.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_93a0000_SecuriteInfo.jbxd
      Similarity
      • API ID: ClassInfo
      • String ID:
      • API String ID: 3534257612-0
      • Opcode ID: b126fa8683f06292a41d590033b30fff8ba6bcdf2c45d3f43c823f844ec701d9
      • Instruction ID: b481d3b49025753b75f4514de6a57797d6cbf28585986380f4a60935042d60a2
      • Opcode Fuzzy Hash: b126fa8683f06292a41d590033b30fff8ba6bcdf2c45d3f43c823f844ec701d9
      • Instruction Fuzzy Hash: 902104B5D017098FDB14CF9AC884ADEFBF8FB48210F14802AE859A7640D374A944CFA5
      APIs
      • SetWindowTextW.USER32(?,00000000), ref: 08D4DAC2
      Memory Dump Source
      • Source File: 00000000.00000002.3701399924.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_8d40000_SecuriteInfo.jbxd
      Similarity
      • API ID: TextWindow
      • String ID:
      • API String ID: 530164218-0
      • Opcode ID: f97eed2661d494eb31470f498bd1599a982aff8c88606aac870cc563c191e456
      • Instruction ID: b0bcf94349393e198a6bc3a59d7c8e87951431cb2bdb466828828f38e69da09b
      • Opcode Fuzzy Hash: f97eed2661d494eb31470f498bd1599a982aff8c88606aac870cc563c191e456
      • Instruction Fuzzy Hash: 022133B2C002498FCB10CFAAC845ADEBBF5AB88320F10812ED459A7640C379A549CFA1
      APIs
      • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,093A6517), ref: 093A703D
      Memory Dump Source
      • Source File: 00000000.00000002.3701614960.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_93a0000_SecuriteInfo.jbxd
      Similarity
      • API ID: DispatchMessage
      • String ID:
      • API String ID: 2061451462-0
      • Opcode ID: 789373be9c9a037340d71aae4e57e540d8d13cb04e8b54fa302be1eb2fc3311e
      • Instruction ID: 25ecc57f92b95ec7e5c07faa0b0a61aa75fefa8e7756a9917e39a8252ef1d09d
      • Opcode Fuzzy Hash: 789373be9c9a037340d71aae4e57e540d8d13cb04e8b54fa302be1eb2fc3311e
      • Instruction Fuzzy Hash: 032147B5C007488FCB20CF9AD444BDEFBF4EB48324F14816AD559A3640C339A545CFA5
      APIs
      • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,093A63D2,00000000,00000000,03D960D8,02E251E8), ref: 093A6820
      Memory Dump Source
      • Source File: 00000000.00000002.3701614960.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_93a0000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessagePeek
      • String ID:
      • API String ID: 2222842502-0
      • Opcode ID: b319eeae79dfd748432092365a1c2cbea5b918f09b2a32c10fcba04f7e25b526
      • Instruction ID: ae4397013f2a329fcc5f2f0b24100e0f0fe98f316760280fe253332293445d2d
      • Opcode Fuzzy Hash: b319eeae79dfd748432092365a1c2cbea5b918f09b2a32c10fcba04f7e25b526
      • Instruction Fuzzy Hash: 5C1117B5C002499FDB10CF9AD844BDEBBF8EB48324F14842AE559A3250C379A944CFA5
      APIs
      • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,093A63D2,00000000,00000000,03D960D8,02E251E8), ref: 093A6820
      Memory Dump Source
      • Source File: 00000000.00000002.3701614960.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_93a0000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessagePeek
      • String ID:
      • API String ID: 2222842502-0
      • Opcode ID: eb9476f1bd8edc4c76a212f9a63b6ff77f8dd08d4ac24f274fb8fb86cb8e9a18
      • Instruction ID: 1ad807a67866be8e53cf08cf0fd3d60787f680dfe2881e301f67d0018e76f2d0
      • Opcode Fuzzy Hash: eb9476f1bd8edc4c76a212f9a63b6ff77f8dd08d4ac24f274fb8fb86cb8e9a18
      • Instruction Fuzzy Hash: D81129B5C002099FDB10DF9AD445BDEBBF8FB48324F14802AE959A3240C379A944CFA5
      APIs
      • SetWindowTextW.USER32(?,00000000), ref: 08D4DAC2
      Memory Dump Source
      • Source File: 00000000.00000002.3701399924.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_8d40000_SecuriteInfo.jbxd
      Similarity
      • API ID: TextWindow
      • String ID:
      • API String ID: 530164218-0
      • Opcode ID: 486cf7103b455dda08463444112afc6b32de7b3ea795f461d4ff276b7fa4877b
      • Instruction ID: 53d8474d8b83e631aa9c43a09351b1002ebc9f67f7fbb72954b00fe61e72beac
      • Opcode Fuzzy Hash: 486cf7103b455dda08463444112afc6b32de7b3ea795f461d4ff276b7fa4877b
      • Instruction Fuzzy Hash: 351112B6C002498FDB14CF9AC845BDEFBF9EB88320F14842AD859A7640D379A545CFA5
      APIs
      • PostMessageW.USER32(?,?,?,?), ref: 093A5BDD
      Memory Dump Source
      • Source File: 00000000.00000002.3701614960.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_93a0000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessagePost
      • String ID:
      • API String ID: 410705778-0
      • Opcode ID: 11b3480f04786b1c399be1863a765ef815d3547aab012e8dac0cb5eda1433ed7
      • Instruction ID: 11794432800b401be8cd3952876794462789522fd5420bbd5de2a6f6b0b53d04
      • Opcode Fuzzy Hash: 11b3480f04786b1c399be1863a765ef815d3547aab012e8dac0cb5eda1433ed7
      • Instruction Fuzzy Hash: F61106B58003499FDB10CF9AC845BDEFBF8FB48320F10841AE554A3640D379A944CFA5
      APIs
      • GetModuleHandleW.KERNEL32(00000000), ref: 012ECA3E
      Memory Dump Source
      • Source File: 00000000.00000002.3699432286.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_12e0000_SecuriteInfo.jbxd
      Similarity
      • API ID: HandleModule
      • String ID:
      • API String ID: 4139908857-0
      • Opcode ID: ed15ad0f4d098c550834ac049988c25526d739d17b0a733f17b0f6d259c08306
      • Instruction ID: a5eb0341ece8c0008183d317a8a50258d3155dd7e65cd4164d8579c0370011a8
      • Opcode Fuzzy Hash: ed15ad0f4d098c550834ac049988c25526d739d17b0a733f17b0f6d259c08306
      • Instruction Fuzzy Hash: 9A11E0B6C003498FDB24CF9AD448BDEFBF8AF88214F10841AD969A7710C379A545CFA5
      APIs
      • OleInitialize.OLE32(00000000), ref: 093A602D
      Memory Dump Source
      • Source File: 00000000.00000002.3701614960.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_93a0000_SecuriteInfo.jbxd
      Similarity
      • API ID: Initialize
      • String ID:
      • API String ID: 2538663250-0
      • Opcode ID: 11342fce16e7d4c39762b7746d58764eb384ae1e3ceda50f517c443bef39a3a6
      • Instruction ID: 71e8d84a76bff1c06602972a72d921fc06f0111bb429fc0e1c6c5e4c6840f70d
      • Opcode Fuzzy Hash: 11342fce16e7d4c39762b7746d58764eb384ae1e3ceda50f517c443bef39a3a6
      • Instruction Fuzzy Hash: FF1103B5C00348CFDB24DFAAD445BCEBBF8EB58214F248419D519A7710D379A984CFA9
      APIs
      • SetTimer.USER32(?,05256428,?,?,?,?,?,?,08D4BAB0,00000000,00000000,?), ref: 08D4BC2D
      Memory Dump Source
      • Source File: 00000000.00000002.3701399924.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_8d40000_SecuriteInfo.jbxd
      Similarity
      • API ID: Timer
      • String ID:
      • API String ID: 2870079774-0
      • Opcode ID: 293f6245a429e16b9a74e1e0470ad1d75009b4d94b1cfd83b2435320855f0b2d
      • Instruction ID: 4ef8cbf0af01ed562ab8e89143cf28f8f468e5e50c9aa72fae15b8fbc2b94541
      • Opcode Fuzzy Hash: 293f6245a429e16b9a74e1e0470ad1d75009b4d94b1cfd83b2435320855f0b2d
      • Instruction Fuzzy Hash: 271106B5800348DFDB10DF9AD485BDEBBF8EB58320F10881AE555A7740C375A944CFA5
      APIs
      • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,093A6517), ref: 093A703D
      Memory Dump Source
      • Source File: 00000000.00000002.3701614960.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_93a0000_SecuriteInfo.jbxd
      Similarity
      • API ID: DispatchMessage
      • String ID:
      • API String ID: 2061451462-0
      • Opcode ID: 6cb6a0a4a5daaab5d8a555f5e3b4e47fa7b8a031a33e084d236547c0bd80fbe1
      • Instruction ID: de7d5ac11932cbec15bc8fd6203b269e56f95c1aa55a3f02f57c8a7854257ee7
      • Opcode Fuzzy Hash: 6cb6a0a4a5daaab5d8a555f5e3b4e47fa7b8a031a33e084d236547c0bd80fbe1
      • Instruction Fuzzy Hash: 5C11F2B5C046488FCB20DF9AD444BDEFBF8EB48314F10841AE519A7650D379A544CFA9
      APIs
      • SendMessageW.USER32(?,?,?,?), ref: 093A2115
      Memory Dump Source
      • Source File: 00000000.00000002.3701614960.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_93a0000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageSend
      • String ID:
      • API String ID: 3850602802-0
      • Opcode ID: 05368129a3a46004dbedde45f61cb15ddfea88f017eaa4783524c26ce3e71701
      • Instruction ID: f71e907405d68ad7cd65389676047ad48890048ba7b0e3ad1f90f962c129ed3a
      • Opcode Fuzzy Hash: 05368129a3a46004dbedde45f61cb15ddfea88f017eaa4783524c26ce3e71701
      • Instruction Fuzzy Hash: F91103B58003499FDB10DF9AC885BDEBBF8EB58310F10841AE558A7600C375A944CFA5
      APIs
      • OleInitialize.OLE32(00000000), ref: 093A602D
      Memory Dump Source
      • Source File: 00000000.00000002.3701614960.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_93a0000_SecuriteInfo.jbxd
      Similarity
      • API ID: Initialize
      • String ID:
      • API String ID: 2538663250-0
      • Opcode ID: a5952a9bc27ff01b99cf3a916f0142360d1e00e9f5d1c63c43cf2f0a1d3a6f40
      • Instruction ID: e83f4da9fe97eb2a5e23a6cfd97b22128d10c3d3a59f345da53afe489f52e921
      • Opcode Fuzzy Hash: a5952a9bc27ff01b99cf3a916f0142360d1e00e9f5d1c63c43cf2f0a1d3a6f40
      • Instruction Fuzzy Hash: 551103B5C04348CFDB20DFAAD449B9EBBF8EB48214F248419E519A7640D379A944CFA9
      APIs
      • SetTimer.USER32(?,05256428,?,?,?,?,?,?,08D4BAB0,00000000,00000000,?), ref: 08D4BC2D
      Memory Dump Source
      • Source File: 00000000.00000002.3701399924.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_8d40000_SecuriteInfo.jbxd
      Similarity
      • API ID: Timer
      • String ID:
      • API String ID: 2870079774-0
      • Opcode ID: 8de4e4230d369fb207225ff2f14a807cd05e0de2a14da24973bec2a3909cbd0c
      • Instruction ID: d98320635f645b4d047ac5b865dd94b795070560bc4e27efbe4a5893e7660bb8
      • Opcode Fuzzy Hash: 8de4e4230d369fb207225ff2f14a807cd05e0de2a14da24973bec2a3909cbd0c
      • Instruction Fuzzy Hash: 111106B58003499FDB10DF99D885BDEBBF8FB48320F10841AE555A7300C375A544CFA1
      APIs
      • SendMessageW.USER32(?,?,?,?), ref: 08D4ED1D
      Memory Dump Source
      • Source File: 00000000.00000002.3701399924.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_8d40000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageSend
      • String ID:
      • API String ID: 3850602802-0
      • Opcode ID: 60ec296ef002e5c7c360ca230ad02f3573fdd784c3704ed9cb329d520b4f835f
      • Instruction ID: 21d62610b32a2ea62dd40da594987dfe039a809a4e389a8c8fe9947f8812aa2a
      • Opcode Fuzzy Hash: 60ec296ef002e5c7c360ca230ad02f3573fdd784c3704ed9cb329d520b4f835f
      • Instruction Fuzzy Hash: 431103B58003489FDB20CF9AD485BDEFBF8FB48320F20841AE559A7600C375A544CFA1
      APIs
      • SendMessageW.USER32(?,?,?,?), ref: 093A2115
      Memory Dump Source
      • Source File: 00000000.00000002.3701614960.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_93a0000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageSend
      • String ID:
      • API String ID: 3850602802-0
      • Opcode ID: 33675a099fa2a9986eb34168448aeda696d5193dd60990189f9f2d6c56241705
      • Instruction ID: d097496c5e1faaf16855fd5fa02f5c17a18f947171fc9d5b6a19379c5fa4f7f0
      • Opcode Fuzzy Hash: 33675a099fa2a9986eb34168448aeda696d5193dd60990189f9f2d6c56241705
      • Instruction Fuzzy Hash: AA11D3B58003499FDB10DF9AC885BDEBBF8EB58314F10841AE559A7640C375A944CFA5
      APIs
      • SendMessageW.USER32(?,?,?,?), ref: 08D4ED1D
      Memory Dump Source
      • Source File: 00000000.00000002.3701399924.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_8d40000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageSend
      • String ID:
      • API String ID: 3850602802-0
      • Opcode ID: 7bd21546317250f90f57e3bdd525db811e764b099a7caf49d8f497ad2af1ba3b
      • Instruction ID: 2f7445e5c45253fc0ccaf9e009e9a2cf000c5848fd38de49fce0b8d8e002872d
      • Opcode Fuzzy Hash: 7bd21546317250f90f57e3bdd525db811e764b099a7caf49d8f497ad2af1ba3b
      • Instruction Fuzzy Hash: 5011D0B58003499FDB20DF9AD985BDEFBF8FB48320F20841AE559A7640C375A944CFA5
      APIs
      • SendMessageW.USER32(?,?,?,?), ref: 093A2115
      Memory Dump Source
      • Source File: 00000000.00000002.3701614960.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_93a0000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageSend
      • String ID:
      • API String ID: 3850602802-0
      • Opcode ID: 929afa763e89bfc04302b6ed959193fc5eecc1fce5dc3e64eb9b49d14fe00657
      • Instruction ID: 18b27b568f0458f13518dc92d44f8d6cae31210d031cc50c733199c602044ede
      • Opcode Fuzzy Hash: 929afa763e89bfc04302b6ed959193fc5eecc1fce5dc3e64eb9b49d14fe00657
      • Instruction Fuzzy Hash: 4EF02BB7C09380CFDB229BA5A8143DBBFE0DB62355F15448FD1948B552D23C9049CB61
      APIs
      • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 08D4326A
      Memory Dump Source
      • Source File: 00000000.00000002.3701399924.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_8d40000_SecuriteInfo.jbxd
      Similarity
      • API ID: CallbackDispatcherUser
      • String ID:
      • API String ID: 2492992576-0
      • Opcode ID: 81fe7ee6d880fb8057f055cc4f1b4f05016c129b266ff0a7cbf71ad181840db0
      • Instruction ID: 810fa868f7b37ee97a94531abcf2ddcf20332ca8f4292a75804eed19525b4c7e
      • Opcode Fuzzy Hash: 81fe7ee6d880fb8057f055cc4f1b4f05016c129b266ff0a7cbf71ad181840db0
      • Instruction Fuzzy Hash: 7BE092757043502BCB29ABBC846886E7FB55E4656130945EFD84ACF3A2CE24CC02C361
      APIs
      • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 08D4326A
      Memory Dump Source
      • Source File: 00000000.00000002.3701399924.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_8d40000_SecuriteInfo.jbxd
      Similarity
      • API ID: CallbackDispatcherUser
      • String ID:
      • API String ID: 2492992576-0
      • Opcode ID: 374c9a5bc9f4389372afb4e32934c789a13ab40ad00b934a1038778a5f484f9c
      • Instruction ID: 9f98e4864b61bfb5b6628738e948d22de2ea009e0b208b0ed487fe91d1c35de2
      • Opcode Fuzzy Hash: 374c9a5bc9f4389372afb4e32934c789a13ab40ad00b934a1038778a5f484f9c
      • Instruction Fuzzy Hash: 84E0C2317003207B8A18AA7ED418C6FB3EDAF86961340456EE906CB360DE20DC0287A0
      Memory Dump Source
      • Source File: 00000000.00000002.3698468753.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_f7d000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c757926ce8351e7ae64f261ab1659563bc9a0ab52485609ddeb1404c713ca91d
      • Instruction ID: e42d5e37dca379708d986c66e63202f7288a72fd2dcf482eda89489525566ec9
      • Opcode Fuzzy Hash: c757926ce8351e7ae64f261ab1659563bc9a0ab52485609ddeb1404c713ca91d
      • Instruction Fuzzy Hash: CE21F472904240DFDB15DF14D9C0B26BB75FF84328F68C56AE8090B256C336D856EAA2
      Memory Dump Source
      • Source File: 00000000.00000002.3699245130.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_125d000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e1b9c03ee4a59da1ffab25c733088aaa363a6d2769318e8cafa33ace211d2e89
      • Instruction ID: ba6d78927ba0d8e2760211d7e5fcd9677b58567d2e248d5fb27b2b5f62fcf360
      • Opcode Fuzzy Hash: e1b9c03ee4a59da1ffab25c733088aaa363a6d2769318e8cafa33ace211d2e89
      • Instruction Fuzzy Hash: 4721F271914308EFDB55DFA4D9C0B26BBA5FB84324F20C56DED098B293C376D846CA62
      Memory Dump Source
      • Source File: 00000000.00000002.3699245130.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_125d000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5ceff887aee1ead7fce31a5b24eae4b1f2e0ebddbcfbb158dcdf064b11562655
      • Instruction ID: 7829004ce53b59daccafae094d44b70f61e9ce4443a3b98c2c85a6e6b6563407
      • Opcode Fuzzy Hash: 5ceff887aee1ead7fce31a5b24eae4b1f2e0ebddbcfbb158dcdf064b11562655
      • Instruction Fuzzy Hash: C6210071614208EFDB55DF64D9C0B16BBA1EB84314F20C56DED0A4B292C37AD447CA62
      Memory Dump Source
      • Source File: 00000000.00000002.3699245130.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_125d000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9806313fb02b3ea48082ff6fd5e9055f2e4ddaeb523a35e55cac0792eac6c31c
      • Instruction ID: 066f89705b887f471ac6c1aefe5c96fa14b04d1383d65e1df0af9a5f849264c8
      • Opcode Fuzzy Hash: 9806313fb02b3ea48082ff6fd5e9055f2e4ddaeb523a35e55cac0792eac6c31c
      • Instruction Fuzzy Hash: 9521CA755083848FCB12CF24D9D0B05BF71EB46314F28C5EAD9498B6A3C33A980ACB62
      Memory Dump Source
      • Source File: 00000000.00000002.3698468753.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_f7d000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
      • Instruction ID: 121dedd60f3df98c3cba1d34dba6543078aa9baa3cb77859b41bfdd52df3c553
      • Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
      • Instruction Fuzzy Hash: 6E11B176904280CFCB16CF14D5C4B16BF72FF94328F28C6AAD8494B656C336D856DBA2
      Memory Dump Source
      • Source File: 00000000.00000002.3699245130.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_125d000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
      • Instruction ID: 0d1153f4210f15d504672a42e4e7cc56d120aa03863376be75e4b9534e27363b
      • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
      • Instruction Fuzzy Hash: 8511EB75504284CFDB12CF54C5C0B15BBA1FB84324F24C6ADDD098B693C33AD40ACB61
      Memory Dump Source
      • Source File: 00000000.00000002.3701614960.00000000093A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_93a0000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 47dbbb88abeafd8182d796e8c44b403aea0e0486dc4da6051bd0db81f393848f
      • Instruction ID: 91b384e185b25af79cfc557f25ee13b52e58e2e56f881f736e7a3ff55b4820c8
      • Opcode Fuzzy Hash: 47dbbb88abeafd8182d796e8c44b403aea0e0486dc4da6051bd0db81f393848f
      • Instruction Fuzzy Hash: F8E137357102118BDB29AF348598B2F73A7EF85B50F14816AE9168B3A5DF34DC42CF52
      Memory Dump Source
      • Source File: 00000000.00000002.3701399924.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_8d40000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9b1514e7d0fcf63a6045af39527ba50df445eec4f085bdb24b67f0636e34e635
      • Instruction ID: 5c72ebaf9493d7898b3783d352452c0c575db023328000e68f01b51da0792b62
      • Opcode Fuzzy Hash: 9b1514e7d0fcf63a6045af39527ba50df445eec4f085bdb24b67f0636e34e635
      • Instruction Fuzzy Hash: 91A1D23494122ACFDB25CF24C988BE9BBB2BF49345F0091E9D809A7261DB349EC5DF40