Edit tour

Windows Analysis Report
ungziped_file.exe

Overview

General Information

Sample name:	ungziped_file.exe
Analysis ID:	1585870
MD5:	294aa30e1d8387a1f810490c59907228
SHA1:	5d6b402745679b55132ee21e7f09909b57ddf694
SHA256:	bd359e9c378164ced9b83d3b0e76f94bda81911fd848b44aed89275ff7b1c314
Tags:	exeuser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected Snake Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ungziped_file.exe (PID: 6588 cmdline: "C:\Users\user\Desktop\ungziped_file.exe" MD5: 294AA30E1D8387A1F810490C59907228)

proximobuccal.exe (PID: 6656 cmdline: "C:\Users\user\Desktop\ungziped_file.exe" MD5: 294AA30E1D8387A1F810490C59907228)

RegSvcs.exe (PID: 1216 cmdline: "C:\Users\user\Desktop\ungziped_file.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 2180 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

proximobuccal.exe (PID: 5544 cmdline: "C:\Users\user\AppData\Local\asset\proximobuccal.exe" MD5: 294AA30E1D8387A1F810490C59907228)

RegSvcs.exe (PID: 5688 cmdline: "C:\Users\user\AppData\Local\asset\proximobuccal.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot1628099890:AAEoyPqXzUZV0NK78yRGbDMLJqRw0vcASbg/sendMessage?chat_id=1217600190", "Token": "1628099890:AAEoyPqXzUZV0NK78yRGbDMLJqRw0vcASbg", "Chat_id": "1217600190", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b2a:$a1: get_encryptedPassword 0x14e16:$a2: get_encryptedUsername 0x14936:$a3: get_timePasswordChanged 0x14a31:$a4: get_passwordField 0x14b40:$a5: set_encryptedPassword 0x161bc:$a7: get_logins 0x1611f:$a10: KeyLoggerEventArgs 0x15d8a:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c50e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b740:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb73:$a4: \Orbitum\User Data\Default\Login Data 0x1cbb2:$a5: \Kometa\User Data\Default\Login Data
00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15723:$s1: UnHook 0x1572a:$s2: SetHook 0x15732:$s3: CallNextHook 0x1573f:$s4: _hook
00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b48:$x1: $%SMTPDV$ 0x1852c:$x2: $#TheHashHere%& 0x19af0:$x3: %FTPDV$ 0x184cc:$x4: $%TelegramDv$ 0x15d8a:$x5: KeyLoggerEventArgs 0x1611f:$x5: KeyLoggerEventArgs 0x19b14:$m2: Clipboard Logs ID 0x19d52:$m2: Screenshot Logs ID 0x19e62:$m2: keystroke Logs ID 0x1a13c:$m3: SnakePW 0x19d2a:$m4: \SnakeKeylogger\
00000007.00000002.4311009669.00000000028CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4311077645.0000000002FCD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.4311009669.0000000002701000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b2a:$a1: get_encryptedPassword 0x14e16:$a2: get_encryptedUsername 0x14936:$a3: get_timePasswordChanged 0x14a31:$a4: get_passwordField 0x14b40:$a5: set_encryptedPassword 0x161bc:$a7: get_logins 0x1611f:$a10: KeyLoggerEventArgs 0x15d8a:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c50e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b740:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb73:$a4: \Orbitum\User Data\Default\Login Data 0x1cbb2:$a5: \Kometa\User Data\Default\Login Data
00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15723:$s1: UnHook 0x1572a:$s2: SetHook 0x15732:$s3: CallNextHook 0x1573f:$s4: _hook
00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b48:$x1: $%SMTPDV$ 0x1852c:$x2: $#TheHashHere%& 0x19af0:$x3: %FTPDV$ 0x184cc:$x4: $%TelegramDv$ 0x15d8a:$x5: KeyLoggerEventArgs 0x1611f:$x5: KeyLoggerEventArgs 0x19b14:$m2: Clipboard Logs ID 0x19d52:$m2: Screenshot Logs ID 0x19e62:$m2: keystroke Logs ID 0x1a13c:$m3: SnakePW 0x19d2a:$m4: \SnakeKeylogger\
00000002.00000002.4311077645.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1492a:$a1: get_encryptedPassword 0x14c16:$a2: get_encryptedUsername 0x14736:$a3: get_timePasswordChanged 0x14831:$a4: get_passwordField 0x14940:$a5: set_encryptedPassword 0x15fbc:$a7: get_logins 0x15f1f:$a10: KeyLoggerEventArgs 0x15b8a:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19948:$x1: $%SMTPDV$ 0x1832c:$x2: $#TheHashHere%& 0x198f0:$x3: %FTPDV$ 0x182cc:$x4: $%TelegramDv$ 0x15b8a:$x5: KeyLoggerEventArgs 0x15f1f:$x5: KeyLoggerEventArgs 0x19914:$m2: Clipboard Logs ID 0x19b52:$m2: Screenshot Logs ID 0x19c62:$m2: keystroke Logs ID 0x19f3c:$m3: SnakePW 0x19b2a:$m4: \SnakeKeylogger\
Process Memory Space: proximobuccal.exe PID: 6656	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: proximobuccal.exe PID: 6656	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: proximobuccal.exe PID: 6656	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xee2df:$a1: get_encryptedPassword 0xee5c1:$a2: get_encryptedUsername 0xee0f5:$a3: get_timePasswordChanged 0xee1f0:$a4: get_passwordField 0xee2f5:$a5: set_encryptedPassword 0xf07d1:$a7: get_logins 0xf0734:$a10: KeyLoggerEventArgs 0xf039f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: proximobuccal.exe PID: 6656	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf039f:$x5: KeyLoggerEventArgs 0xf0734:$x5: KeyLoggerEventArgs 0xf103b:$x5: KeyLoggerEventArgs 0xf139c:$x5: KeyLoggerEventArgs 0xf295f:$m2: Clipboard Logs ID 0xf2a65:$m2: Screenshot Logs ID 0xf2abb:$m2: keystroke Logs ID 0xf2bf0:$m3: SnakePW 0xf2a51:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 1216	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 1216	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 1216	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x48840:$a1: get_encryptedPassword 0x48b22:$a2: get_encryptedUsername 0x48656:$a3: get_timePasswordChanged 0x48751:$a4: get_passwordField 0x48856:$a5: set_encryptedPassword 0x4ad32:$a7: get_logins 0x4ac95:$a10: KeyLoggerEventArgs 0x4a900:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 1216	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4a900:$x5: KeyLoggerEventArgs 0x4ac95:$x5: KeyLoggerEventArgs 0x4b59c:$x5: KeyLoggerEventArgs 0x4b8fd:$x5: KeyLoggerEventArgs 0x4cec0:$m2: Clipboard Logs ID 0x4cfc6:$m2: Screenshot Logs ID 0x4d01c:$m2: keystroke Logs ID 0x4d151:$m3: SnakePW 0x4cfb2:$m4: \SnakeKeylogger\
Process Memory Space: proximobuccal.exe PID: 5544	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: proximobuccal.exe PID: 5544	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: proximobuccal.exe PID: 5544	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24f7ed:$a1: get_encryptedPassword 0x24facf:$a2: get_encryptedUsername 0x24f603:$a3: get_timePasswordChanged 0x24f6fe:$a4: get_passwordField 0x24f803:$a5: set_encryptedPassword 0x251cdf:$a7: get_logins 0x251c42:$a10: KeyLoggerEventArgs 0x2518ad:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: proximobuccal.exe PID: 5544	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2518ad:$x5: KeyLoggerEventArgs 0x251c42:$x5: KeyLoggerEventArgs 0x252549:$x5: KeyLoggerEventArgs 0x2528aa:$x5: KeyLoggerEventArgs 0x253e6d:$m2: Clipboard Logs ID 0x253f73:$m2: Screenshot Logs ID 0x253fc9:$m2: keystroke Logs ID 0x2540fe:$m3: SnakePW 0x253f5f:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 5688	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5688	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.proximobuccal.exe.cc0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.proximobuccal.exe.cc0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.proximobuccal.exe.cc0000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.proximobuccal.exe.cc0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b2a:$a1: get_encryptedPassword 0x14e16:$a2: get_encryptedUsername 0x14936:$a3: get_timePasswordChanged 0x14a31:$a4: get_passwordField 0x14b40:$a5: set_encryptedPassword 0x161bc:$a7: get_logins 0x1611f:$a10: KeyLoggerEventArgs 0x15d8a:$a11: KeyLoggerEventArgsEventHandler
1.2.proximobuccal.exe.cc0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c50e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b740:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb73:$a4: \Orbitum\User Data\Default\Login Data 0x1cbb2:$a5: \Kometa\User Data\Default\Login Data
1.2.proximobuccal.exe.cc0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15723:$s1: UnHook 0x1572a:$s2: SetHook 0x15732:$s3: CallNextHook 0x1573f:$s4: _hook
1.2.proximobuccal.exe.cc0000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b48:$x1: $%SMTPDV$ 0x1852c:$x2: $#TheHashHere%& 0x19af0:$x3: %FTPDV$ 0x184cc:$x4: $%TelegramDv$ 0x15d8a:$x5: KeyLoggerEventArgs 0x1611f:$x5: KeyLoggerEventArgs 0x19b14:$m2: Clipboard Logs ID 0x19d52:$m2: Screenshot Logs ID 0x19e62:$m2: keystroke Logs ID 0x1a13c:$m3: SnakePW 0x19d2a:$m4: \SnakeKeylogger\
1.2.proximobuccal.exe.cc0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.proximobuccal.exe.cc0000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.proximobuccal.exe.cc0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d2a:$a1: get_encryptedPassword 0x13016:$a2: get_encryptedUsername 0x12b36:$a3: get_timePasswordChanged 0x12c31:$a4: get_passwordField 0x12d40:$a5: set_encryptedPassword 0x143bc:$a7: get_logins 0x1431f:$a10: KeyLoggerEventArgs 0x13f8a:$a11: KeyLoggerEventArgsEventHandler
1.2.proximobuccal.exe.cc0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a70e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19940:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d73:$a4: \Orbitum\User Data\Default\Login Data 0x1adb2:$a5: \Kometa\User Data\Default\Login Data
1.2.proximobuccal.exe.cc0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13923:$s1: UnHook 0x1392a:$s2: SetHook 0x13932:$s3: CallNextHook 0x1393f:$s4: _hook
1.2.proximobuccal.exe.cc0000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d48:$x1: $%SMTPDV$ 0x1672c:$x2: $#TheHashHere%& 0x17cf0:$x3: %FTPDV$ 0x166cc:$x4: $%TelegramDv$ 0x13f8a:$x5: KeyLoggerEventArgs 0x1431f:$x5: KeyLoggerEventArgs 0x17d14:$m2: Clipboard Logs ID 0x17f52:$m2: Screenshot Logs ID 0x18062:$m2: keystroke Logs ID 0x1833c:$m3: SnakePW 0x17f2a:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b2a:$a1: get_encryptedPassword 0x14e16:$a2: get_encryptedUsername 0x14936:$a3: get_timePasswordChanged 0x14a31:$a4: get_passwordField 0x14b40:$a5: set_encryptedPassword 0x161bc:$a7: get_logins 0x1611f:$a10: KeyLoggerEventArgs 0x15d8a:$a11: KeyLoggerEventArgsEventHandler
2.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c50e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b740:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb73:$a4: \Orbitum\User Data\Default\Login Data 0x1cbb2:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15723:$s1: UnHook 0x1572a:$s2: SetHook 0x15732:$s3: CallNextHook 0x1573f:$s4: _hook
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b48:$x1: $%SMTPDV$ 0x1852c:$x2: $#TheHashHere%& 0x19af0:$x3: %FTPDV$ 0x184cc:$x4: $%TelegramDv$ 0x15d8a:$x5: KeyLoggerEventArgs 0x1611f:$x5: KeyLoggerEventArgs 0x19b14:$m2: Clipboard Logs ID 0x19d52:$m2: Screenshot Logs ID 0x19e62:$m2: keystroke Logs ID 0x1a13c:$m3: SnakePW 0x19d2a:$m4: \SnakeKeylogger\
4.2.proximobuccal.exe.3a80000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.proximobuccal.exe.3a80000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.proximobuccal.exe.3a80000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d2a:$a1: get_encryptedPassword 0x13016:$a2: get_encryptedUsername 0x12b36:$a3: get_timePasswordChanged 0x12c31:$a4: get_passwordField 0x12d40:$a5: set_encryptedPassword 0x143bc:$a7: get_logins 0x1431f:$a10: KeyLoggerEventArgs 0x13f8a:$a11: KeyLoggerEventArgsEventHandler
4.2.proximobuccal.exe.3a80000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a70e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19940:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d73:$a4: \Orbitum\User Data\Default\Login Data 0x1adb2:$a5: \Kometa\User Data\Default\Login Data
4.2.proximobuccal.exe.3a80000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13923:$s1: UnHook 0x1392a:$s2: SetHook 0x13932:$s3: CallNextHook 0x1393f:$s4: _hook
4.2.proximobuccal.exe.3a80000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d48:$x1: $%SMTPDV$ 0x1672c:$x2: $#TheHashHere%& 0x17cf0:$x3: %FTPDV$ 0x166cc:$x4: $%TelegramDv$ 0x13f8a:$x5: KeyLoggerEventArgs 0x1431f:$x5: KeyLoggerEventArgs 0x17d14:$m2: Clipboard Logs ID 0x17f52:$m2: Screenshot Logs ID 0x18062:$m2: keystroke Logs ID 0x1833c:$m3: SnakePW 0x17f2a:$m4: \SnakeKeylogger\
4.2.proximobuccal.exe.3a80000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.proximobuccal.exe.3a80000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.proximobuccal.exe.3a80000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.proximobuccal.exe.3a80000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b2a:$a1: get_encryptedPassword 0x14e16:$a2: get_encryptedUsername 0x14936:$a3: get_timePasswordChanged 0x14a31:$a4: get_passwordField 0x14b40:$a5: set_encryptedPassword 0x161bc:$a7: get_logins 0x1611f:$a10: KeyLoggerEventArgs 0x15d8a:$a11: KeyLoggerEventArgsEventHandler
4.2.proximobuccal.exe.3a80000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c50e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b740:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb73:$a4: \Orbitum\User Data\Default\Login Data 0x1cbb2:$a5: \Kometa\User Data\Default\Login Data
4.2.proximobuccal.exe.3a80000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15723:$s1: UnHook 0x1572a:$s2: SetHook 0x15732:$s3: CallNextHook 0x1573f:$s4: _hook
4.2.proximobuccal.exe.3a80000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b48:$x1: $%SMTPDV$ 0x1852c:$x2: $#TheHashHere%& 0x19af0:$x3: %FTPDV$ 0x184cc:$x4: $%TelegramDv$ 0x15d8a:$x5: KeyLoggerEventArgs 0x1611f:$x5: KeyLoggerEventArgs 0x19b14:$m2: Clipboard Logs ID 0x19d52:$m2: Screenshot Logs ID 0x19e62:$m2: keystroke Logs ID 0x1a13c:$m3: SnakePW 0x19d2a:$m4: \SnakeKeylogger\
Click to see the 28 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs" , ProcessId: 2180, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs" , ProcessId: 2180, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\asset\proximobuccal.exe, ProcessId: 6656, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T12:30:28.533830+0100	2803305	3	Unknown Traffic	192.168.2.4	49732	188.114.96.3	443	TCP
2025-01-08T12:30:35.618700+0100	2803305	3	Unknown Traffic	192.168.2.4	49746	188.114.96.3	443	TCP
2025-01-08T12:30:37.426321+0100	2803305	3	Unknown Traffic	192.168.2.4	49751	188.114.96.3	443	TCP
2025-01-08T12:30:39.566829+0100	2803305	3	Unknown Traffic	192.168.2.4	55704	188.114.96.3	443	TCP
2025-01-08T12:30:40.955256+0100	2803305	3	Unknown Traffic	192.168.2.4	55707	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T12:30:24.928345+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	193.122.130.0	80	TCP
2025-01-08T12:30:27.959628+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	193.122.130.0	80	TCP
2025-01-08T12:30:29.131519+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	193.122.130.0	80	TCP
2025-01-08T12:30:30.209716+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49735	193.122.130.0	80	TCP
2025-01-08T12:30:33.240837+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49739	193.122.130.0	80	TCP
2025-01-08T12:30:35.037713+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49739	193.122.130.0	80	TCP
2025-01-08T12:30:37.147091+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49749	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot1628099890:AAEoyPqXzUZV0NK78yRGbDMLJqRw0vcASbg/sendMessage?chat_id=1217600190", "Token": "1628099890:AAEoyPqXzUZV0NK78yRGbDMLJqRw0vcASbg", "Chat_id": "1217600190", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: ungziped_file.exe	Virustotal: Detection: 30%			Perma Link
Source: ungziped_file.exe	ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: ungziped_file.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: ungziped_file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49742 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: proximobuccal.exe, 00000001.00000003.1864459151.0000000003100000.00000004.00001000.00020000.00000000.sdmp, proximobuccal.exe, 00000001.00000003.1865750696.0000000003600000.00000004.00001000.00020000.00000000.sdmp, proximobuccal.exe, 00000004.00000003.2001722419.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, proximobuccal.exe, 00000004.00000003.1996077894.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: proximobuccal.exe, 00000001.00000003.1864459151.0000000003100000.00000004.00001000.00020000.00000000.sdmp, proximobuccal.exe, 00000001.00000003.1865750696.0000000003600000.00000004.00001000.00020000.00000000.sdmp, proximobuccal.exe, 00000004.00000003.2001722419.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, proximobuccal.exe, 00000004.00000003.1996077894.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_0102698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0102698F
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_010268EE FindFirstFileW,FindClose,	0_2_010268EE
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_0101D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0101D076
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_0101D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0101D3A9
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_0102979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0102979D
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_01029642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01029642
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_01029B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_01029B2B
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_0101DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0101DBBE
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_01025C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_01025C97
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B268EE FindFirstFileW,FindClose,	1_2_00B268EE
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B2698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_00B2698F
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B1D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00B1D076
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B1D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00B1D3A9
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B29642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00B29642
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B2979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00B2979D
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B1DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00B1DBBE
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B29B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_00B29B2B
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B25C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_00B25C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02B5F1F6h	2_2_02B5F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02B5FB80h	2_2_02B5F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_02B5E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_02B5EB5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_02B5ED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06891A38h	2_2_06891620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068902F1h	2_2_06890040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06891471h	2_2_068911C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689D1A1h	2_2_0689CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689F8B9h	2_2_0689F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06891A38h	2_2_06891610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689C8F1h	2_2_0689C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689DA51h	2_2_0689D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06890751h	2_2_068904A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689E759h	2_2_0689E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689B791h	2_2_0689B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689DEA9h	2_2_0689DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689C041h	2_2_0689BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06891011h	2_2_06890D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689F009h	2_2_0689ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689CD49h	2_2_0689CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689FD11h	2_2_0689FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689D5F9h	2_2_0689D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689E301h	2_2_0689E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689F461h	2_2_0689F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689C499h	2_2_0689C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689EBB1h	2_2_0689E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06890BB1h	2_2_06890900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0689BBE9h	2_2_0689B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06891A38h	2_2_06891966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C8945h	2_2_068C8608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_068C36CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C6171h	2_2_068C5EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C58C1h	2_2_068C5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C5D19h	2_2_068C5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_068C33A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_068C33B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C6E79h	2_2_068C6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C65C9h	2_2_068C6320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C6A21h	2_2_068C6778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C0741h	2_2_068C0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C7751h	2_2_068C74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C0B99h	2_2_068C08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C02E9h	2_2_068C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C72FAh	2_2_068C7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C5441h	2_2_068C5198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C8459h	2_2_068C81B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C7BA9h	2_2_068C7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C0FF1h	2_2_068C0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068C8001h	2_2_068C7D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00C5F1F6h	7_2_00C5F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00C5FB80h	7_2_00C5F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_00C5E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05288945h	7_2_05288608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05287BA9h	7_2_05287900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05280FF1h	7_2_05280D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05288001h	7_2_05287D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05288459h	7_2_052881B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05285441h	7_2_05285198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052802E9h	7_2_05280040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052872FAh	7_2_05287050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05287751h	7_2_052874A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05280741h	7_2_05280498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05280B99h	7_2_052808F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052865C9h	7_2_05286320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05286A21h	7_2_05286778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_052833A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_052833B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05286E79h	7_2_05286BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052858C1h	7_2_05285618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05285D19h	7_2_05285A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05286171h	7_2_05285EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_052836CE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 1.2.proximobuccal.exe.cc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.proximobuccal.exe.3a80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.4:55697 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49735 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49749 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49751 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:55704 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:55707 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49742 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_0102CF1A InternetQueryDataAvailable,InternetReadFile,GetLastError,SetEvent,SetEvent,

0_2_0102CF1A

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000002.00000002.4311077645.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F76000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.000000000285B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002876000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002884000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002868000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000027C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.4311077645.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F76000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F92000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002806000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.000000000285B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002876000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002891000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000027B5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002884000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002868000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000027C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.4311077645.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: proximobuccal.exe, 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp, proximobuccal.exe, 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.4311077645.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F76000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.000000000285B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002876000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002884000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002868000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000027E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4311077645.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.4311077645.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: RegSvcs.exe, 00000002.00000002.4311077645.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.0
Source: RegSvcs.exe, 00000002.00000002.4311077645.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F76000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002806000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.000000000285B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002876000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002884000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002868000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000027C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: proximobuccal.exe, 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp, proximobuccal.exe, 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000027C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000007.00000002.4311009669.00000000027C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.4311077645.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F76000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002806000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.000000000285B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002876000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002884000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002868000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55702
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 55702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55711
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55698
Source: unknown	Network traffic detected: HTTP traffic on port 55711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_0102EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0102EAFF

Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_0102ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_0102ED6A
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B2ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		1_2_00B2ED6A

Source: C:\Users\user\Desktop\ungziped_file.exe

0_2_0102EAFF

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_0101AB9C GetKeyState,GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0101AB9C

Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_01049576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_01049576
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B49576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		1_2_00B49576

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.proximobuccal.exe.cc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.proximobuccal.exe.cc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.proximobuccal.exe.cc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.proximobuccal.exe.cc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.proximobuccal.exe.cc0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.proximobuccal.exe.cc0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.proximobuccal.exe.cc0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.proximobuccal.exe.cc0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.proximobuccal.exe.3a80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.proximobuccal.exe.3a80000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.proximobuccal.exe.3a80000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.proximobuccal.exe.3a80000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.proximobuccal.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.proximobuccal.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.proximobuccal.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.proximobuccal.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: proximobuccal.exe PID: 6656, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: proximobuccal.exe PID: 6656, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 1216, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 1216, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: proximobuccal.exe PID: 5544, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: proximobuccal.exe PID: 5544, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: ungziped_file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: ungziped_file.exe, 00000000.00000000.1846698435.0000000001072000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6eeb2a6a-a
Source: ungziped_file.exe, 00000000.00000000.1846698435.0000000001072000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c4eb73f5-7
Source: ungziped_file.exe, 00000000.00000003.1855115930.0000000003FC1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f0422273-d
Source: ungziped_file.exe, 00000000.00000003.1855115930.0000000003FC1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6a782a6c-5
Source: proximobuccal.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: proximobuccal.exe, 00000001.00000000.1855469053.0000000000B72000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bd8431b8-7
Source: proximobuccal.exe, 00000001.00000000.1855469053.0000000000B72000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c7eaeed1-2
Source: proximobuccal.exe, 00000004.00000000.1985959640.0000000000B72000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_34c70a95-3
Source: proximobuccal.exe, 00000004.00000000.1985959640.0000000000B72000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_59c71dd4-2
Source: ungziped_file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8b3b70a4-c
Source: ungziped_file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_86496b40-7
Source: proximobuccal.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_436ff7e4-7
Source: proximobuccal.exe.0.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_343b4f2b-b

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_0101D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0101D5EB

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_01011201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_01011201

Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_0101E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_0101E8F6
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B1E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		1_2_00B1E8F6

Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FB8060	0_2_00FB8060
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_01022046	0_2_01022046
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_01018298	0_2_01018298
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FEE4FF	0_2_00FEE4FF
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FE676B	0_2_00FE676B
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_01044873	0_2_01044873
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FBCAF0	0_2_00FBCAF0
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FDCAA0	0_2_00FDCAA0
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FCCC39	0_2_00FCCC39
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FE6DD9	0_2_00FE6DD9
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FB91C0	0_2_00FB91C0
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FCB119	0_2_00FCB119
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FD1394	0_2_00FD1394
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FD1706	0_2_00FD1706
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FD781B	0_2_00FD781B
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FD19B0	0_2_00FD19B0
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FC997D	0_2_00FC997D
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FB7920	0_2_00FB7920
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FD7A4A	0_2_00FD7A4A
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FD7CA7	0_2_00FD7CA7
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FD1C77	0_2_00FD1C77
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FE9EEE	0_2_00FE9EEE
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_0103BE44	0_2_0103BE44
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FD1F32	0_2_00FD1F32
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_01654050	0_2_01654050
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AB8060	1_2_00AB8060
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B22046	1_2_00B22046
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B18298	1_2_00B18298
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AEE4FF	1_2_00AEE4FF
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AE676B	1_2_00AE676B
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B44873	1_2_00B44873
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00ADCAA0	1_2_00ADCAA0
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00ABCAF0	1_2_00ABCAF0
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00ACCC39	1_2_00ACCC39
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AE6DD9	1_2_00AE6DD9
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AB91C0	1_2_00AB91C0
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00ACB119	1_2_00ACB119
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AD1394	1_2_00AD1394
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AD1706	1_2_00AD1706
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AD781B	1_2_00AD781B
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AD19B0	1_2_00AD19B0
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AB7920	1_2_00AB7920
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AC997D	1_2_00AC997D
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AD7A4A	1_2_00AD7A4A
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AD7CA7	1_2_00AD7CA7
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AD1C77	1_2_00AD1C77
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AE9EEE	1_2_00AE9EEE
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B3BE44	1_2_00B3BE44
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AD1F32	1_2_00AD1F32
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00DA2620	1_2_00DA2620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B5B328	2_2_02B5B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B5F007	2_2_02B5F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B5C190	2_2_02B5C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B56108	2_2_02B56108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B5C753	2_2_02B5C753
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B5C470	2_2_02B5C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B54AD9	2_2_02B54AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B5CA33	2_2_02B5CA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B5BBD3	2_2_02B5BBD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B56880	2_2_02B56880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B59858	2_2_02B59858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B5BEB0	2_2_02B5BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B5B4F3	2_2_02B5B4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B5E528	2_2_02B5E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B5E517	2_2_02B5E517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B53573	2_2_02B53573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06898460	2_2_06898460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06897B70	2_2_06897B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06890040	2_2_06890040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06893870	2_2_06893870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068911C0	2_2_068911C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689CEEA	2_2_0689CEEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689CEF8	2_2_0689CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689F600	2_2_0689F600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689F610	2_2_0689F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689C638	2_2_0689C638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689C648	2_2_0689C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689D798	2_2_0689D798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689D7A8	2_2_0689D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06890490	2_2_06890490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068904A0	2_2_068904A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689E4A0	2_2_0689E4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689E4B0	2_2_0689E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689B4D7	2_2_0689B4D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689B4E8	2_2_0689B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689DC00	2_2_0689DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689BD88	2_2_0689BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689BD98	2_2_0689BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06897D90	2_2_06897D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06890D51	2_2_06890D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689ED50	2_2_0689ED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06890D60	2_2_06890D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689ED60	2_2_0689ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689CAA0	2_2_0689CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689FA59	2_2_0689FA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689FA68	2_2_0689FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068973E8	2_2_068973E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689DBF1	2_2_0689DBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689D340	2_2_0689D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689D350	2_2_0689D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689E8F8	2_2_0689E8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068908F0	2_2_068908F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06890007	2_2_06890007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689E049	2_2_0689E049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689E058	2_2_0689E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06893860	2_2_06893860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689F1A9	2_2_0689F1A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689F1B8	2_2_0689F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068911B0	2_2_068911B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689C1E0	2_2_0689C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689C1F0	2_2_0689C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689E908	2_2_0689E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06890900	2_2_06890900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689B930	2_2_0689B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0689B940	2_2_0689B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CB6E8	2_2_068CB6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C8608	2_2_068C8608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CAA58	2_2_068CAA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CD670	2_2_068CD670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CC388	2_2_068CC388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C8BF3	2_2_068C8BF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CB0A0	2_2_068CB0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CA408	2_2_068CA408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CD028	2_2_068CD028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C11A0	2_2_068C11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CC9D8	2_2_068CC9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CBD38	2_2_068CBD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C5EB8	2_2_068C5EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C5EC8	2_2_068C5EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CB6D9	2_2_068CB6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C560A	2_2_068C560A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C8602	2_2_068C8602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C5618	2_2_068C5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CAA48	2_2_068CAA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C5A60	2_2_068C5A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CD661	2_2_068CD661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C5A70	2_2_068C5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C33A8	2_2_068C33A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C33B8	2_2_068C33B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C6BC1	2_2_068C6BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C6BD0	2_2_068C6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CA3F8	2_2_068CA3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C6312	2_2_068C6312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C6320	2_2_068C6320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C3730	2_2_068C3730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C676A	2_2_068C676A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C6778	2_2_068C6778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CC378	2_2_068CC378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CB08F	2_2_068CB08F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C0488	2_2_068C0488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C0498	2_2_068C0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C7497	2_2_068C7497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C74A8	2_2_068C74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C08E0	2_2_068C08E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C08F0	2_2_068C08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C78F0	2_2_068C78F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C0007	2_2_068C0007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C2807	2_2_068C2807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C2818	2_2_068C2818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CD018	2_2_068CD018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C4430	2_2_068C4430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C7049	2_2_068C7049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C0040	2_2_068C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C7050	2_2_068C7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C518A	2_2_068C518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C5198	2_2_068C5198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C1191	2_2_068C1191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C81A0	2_2_068C81A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C81B0	2_2_068C81B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CC9C8	2_2_068CC9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C7900	2_2_068C7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068CBD28	2_2_068CBD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C0D39	2_2_068C0D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C0D48	2_2_068C0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C7D48	2_2_068C7D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068C7D58	2_2_068C7D58
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 4_2_01051420	4_2_01051420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00C5F007	7_2_00C5F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00C56108	7_2_00C56108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00C5B328	7_2_00C5B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00C5C470	7_2_00C5C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00C5C752	7_2_00C5C752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00C56730	7_2_00C56730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00C59858	7_2_00C59858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00C54AD9	7_2_00C54AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00C5CA32	7_2_00C5CA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00C5BBD2	7_2_00C5BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00C5BEB2	7_2_00C5BEB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00C5B4F2	7_2_00C5B4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00C53572	7_2_00C53572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00C5E517	7_2_00C5E517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00C5E528	7_2_00C5E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528BD38	7_2_0528BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528C9D8	7_2_0528C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528D028	7_2_0528D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528A408	7_2_0528A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528B0A0	7_2_0528B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05288B58	7_2_05288B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528C388	7_2_0528C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05288608	7_2_05288608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528D670	7_2_0528D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528AA58	7_2_0528AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528B6E8	7_2_0528B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528BD28	7_2_0528BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05280D39	7_2_05280D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05287900	7_2_05287900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05280D48	7_2_05280D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05287D48	7_2_05287D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05287D58	7_2_05287D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_052811A0	7_2_052811A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_052881A0	7_2_052881A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_052881B0	7_2_052881B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528518B	7_2_0528518B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05285198	7_2_05285198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05281191	7_2_05281191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_052885FC	7_2_052885FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528C9C8	7_2_0528C9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05284430	7_2_05284430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05282809	7_2_05282809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05280007	7_2_05280007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05282807	7_2_05282807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528D018	7_2_0528D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05280040	7_2_05280040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05287040	7_2_05287040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05287050	7_2_05287050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_052874A8	7_2_052874A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_052828B0	7_2_052828B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05280488	7_2_05280488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528B08F	7_2_0528B08F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05280498	7_2_05280498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05287497	7_2_05287497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_052808E0	7_2_052808E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_052808F0	7_2_052808F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_052878F0	7_2_052878F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05286320	7_2_05286320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05283730	7_2_05283730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05286313	7_2_05286313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05286768	7_2_05286768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05286778	7_2_05286778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528C378	7_2_0528C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_052833A8	7_2_052833A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_052833B8	7_2_052833B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528A3F8	7_2_0528A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05286BC1	7_2_05286BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05286BD0	7_2_05286BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528560B	7_2_0528560B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05285618	7_2_05285618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05285A60	7_2_05285A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528D662	7_2_0528D662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05285A70	7_2_05285A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528AA48	7_2_0528AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05285EB8	7_2_05285EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05285EC8	7_2_05285EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0528B6D9	7_2_0528B6D9

Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: String function: 00AD0A30 appears 46 times
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: String function: 00ACF9F2 appears 31 times
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: String function: 00FCF9F2 appears 31 times
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: String function: 00FD0A30 appears 46 times

Source: ungziped_file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.proximobuccal.exe.cc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.proximobuccal.exe.cc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.proximobuccal.exe.cc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.proximobuccal.exe.cc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.proximobuccal.exe.cc0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.proximobuccal.exe.cc0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.proximobuccal.exe.cc0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.proximobuccal.exe.cc0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.proximobuccal.exe.3a80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.proximobuccal.exe.3a80000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.proximobuccal.exe.3a80000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.proximobuccal.exe.3a80000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.proximobuccal.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.proximobuccal.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.proximobuccal.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.proximobuccal.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: proximobuccal.exe PID: 6656, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: proximobuccal.exe PID: 6656, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 1216, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 1216, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: proximobuccal.exe PID: 5544, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: proximobuccal.exe PID: 5544, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 1.2.proximobuccal.exe.cc0000.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.proximobuccal.exe.cc0000.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.proximobuccal.exe.cc0000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.proximobuccal.exe.cc0000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.proximobuccal.exe.3a80000.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.proximobuccal.exe.3a80000.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.proximobuccal.exe.3a80000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.proximobuccal.exe.3a80000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/3@2/2

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_010237B5 GetLastError,FormatMessageW,

0_2_010237B5

Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_010110BF AdjustTokenPrivileges,CloseHandle,	0_2_010110BF
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_010116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_010116C3
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B110BF AdjustTokenPrivileges,CloseHandle,	1_2_00B110BF
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	1_2_00B116C3

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_010251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_010251CD

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_0103A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0103A67C

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_0102648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0102648E

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_00FB42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00FB42A2

Source: C:\Users\user\Desktop\ungziped_file.exe

File created: C:\Users\user\AppData\Local\asset

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\ungziped_file.exe

File created: C:\Users\user\AppData\Local\Temp\horrify

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs"

Source: ungziped_file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ungziped_file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.4311077645.000000000305A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.000000000303C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.000000000304B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002959000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.000000000294B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.000000000293B000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ungziped_file.exe	Virustotal: Detection: 30%
Source: ungziped_file.exe	ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\ungziped_file.exe

File read: C:\Users\user\Desktop\ungziped_file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ungziped_file.exe "C:\Users\user\Desktop\ungziped_file.exe"
Source: C:\Users\user\Desktop\ungziped_file.exe	Process created: C:\Users\user\AppData\Local\asset\proximobuccal.exe "C:\Users\user\Desktop\ungziped_file.exe"
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ungziped_file.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\asset\proximobuccal.exe "C:\Users\user\AppData\Local\asset\proximobuccal.exe"
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\asset\proximobuccal.exe"
Source: C:\Users\user\Desktop\ungziped_file.exe	Process created: C:\Users\user\AppData\Local\asset\proximobuccal.exe "C:\Users\user\Desktop\ungziped_file.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ungziped_file.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\asset\proximobuccal.exe "C:\Users\user\AppData\Local\asset\proximobuccal.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\asset\proximobuccal.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ungziped_file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ungziped_file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ungziped_file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ungziped_file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ungziped_file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ungziped_file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ungziped_file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ungziped_file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ungziped_file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ungziped_file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ungziped_file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ungziped_file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ungziped_file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ungziped_file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ungziped_file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: ungziped_file.exe

Static file information: File size 1205760 > 1048576

Source: ungziped_file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ungziped_file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ungziped_file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ungziped_file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ungziped_file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ungziped_file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ungziped_file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: proximobuccal.exe, 00000001.00000003.1864459151.0000000003100000.00000004.00001000.00020000.00000000.sdmp, proximobuccal.exe, 00000001.00000003.1865750696.0000000003600000.00000004.00001000.00020000.00000000.sdmp, proximobuccal.exe, 00000004.00000003.2001722419.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, proximobuccal.exe, 00000004.00000003.1996077894.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: proximobuccal.exe, 00000001.00000003.1864459151.0000000003100000.00000004.00001000.00020000.00000000.sdmp, proximobuccal.exe, 00000001.00000003.1865750696.0000000003600000.00000004.00001000.00020000.00000000.sdmp, proximobuccal.exe, 00000004.00000003.2001722419.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, proximobuccal.exe, 00000004.00000003.1996077894.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp

Source: ungziped_file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ungziped_file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ungziped_file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ungziped_file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ungziped_file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_00FB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FB42DE

Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FD0A76 push ecx; ret	0_2_00FD0A89
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AD0A76 push ecx; ret	1_2_00AD0A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06892E78 push esp; iretd	2_2_06892E79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06892840 push esp; retf	2_2_06892AC9

Source: C:\Users\user\Desktop\ungziped_file.exe

File created: C:\Users\user\AppData\Local\asset\proximobuccal.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs

Jump to behavior

Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FCF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00FCF98E
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_01041C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_01041C41
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00ACF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	1_2_00ACF98E
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B41C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	1_2_00B41C41

Source: C:\Users\user\Desktop\ungziped_file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ungziped_file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\ungziped_file.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-95537

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	API/Special instruction interceptor: Address: DA2244
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	API/Special instruction interceptor: Address: 1051044

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599763	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599635	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599462	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599322	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598326	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598215	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598081	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597944	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597792	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597006	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596887	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596670	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596325	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596210	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596090	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594831	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599195	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599071	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598748	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596997	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595686	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594484	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3339	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6487	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2100	Jump to behavior

Source: C:\Users\user\Desktop\ungziped_file.exe	API coverage: 3.4 %
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	API coverage: 3.8 %

Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_0102698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0102698F
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_010268EE FindFirstFileW,FindClose,	0_2_010268EE
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_0101D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0101D076
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_0101D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0101D3A9
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_0102979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0102979D
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_01029642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01029642
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_01029B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_01029B2B
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_0101DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0101DBBE
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_01025C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_01025C97
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B268EE FindFirstFileW,FindClose,	1_2_00B268EE
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B2698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_00B2698F
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B1D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00B1D076
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B1D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00B1D3A9
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B29642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00B29642
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B2979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00B2979D
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B1DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00B1DBBE
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B29B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_00B29B2B
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B25C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_00B25C97

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_00FB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FB42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599763	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599635	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599462	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599322	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598326	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598215	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598081	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597944	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597792	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597006	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596887	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596670	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596325	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596210	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596090	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594831	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599195	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599071	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598748	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596997	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595686	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594484	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.4310111249.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: RegSvcs.exe, 00000007.00000002.4310137055.0000000000996000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_06897B70 LdrInitializeThunk,

2_2_06897B70

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_0102EAA2 BlockInput,

0_2_0102EAA2

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_00FE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FE2622

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_00FB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FB42DE

Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FD4CE8 mov eax, dword ptr fs:[00000030h]	0_2_00FD4CE8
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_016528D0 mov eax, dword ptr fs:[00000030h]	0_2_016528D0
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_01653F40 mov eax, dword ptr fs:[00000030h]	0_2_01653F40
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_01653EE0 mov eax, dword ptr fs:[00000030h]	0_2_01653EE0
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AD4CE8 mov eax, dword ptr fs:[00000030h]	1_2_00AD4CE8
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00DA24B0 mov eax, dword ptr fs:[00000030h]	1_2_00DA24B0
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00DA2510 mov eax, dword ptr fs:[00000030h]	1_2_00DA2510
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00DA0EA0 mov eax, dword ptr fs:[00000030h]	1_2_00DA0EA0
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 4_2_01051310 mov eax, dword ptr fs:[00000030h]	4_2_01051310
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 4_2_0104FCA0 mov eax, dword ptr fs:[00000030h]	4_2_0104FCA0
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 4_2_010512B0 mov eax, dword ptr fs:[00000030h]	4_2_010512B0

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_01010B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_01010B62

Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FE2622
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FD083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FD083F
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FD09D5 SetUnhandledExceptionFilter,	0_2_00FD09D5
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_00FD0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FD0C21
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00AE2622
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AD083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00AD083F
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AD09D5 SetUnhandledExceptionFilter,	1_2_00AD09D5
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00AD0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00AD0C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DC3008			Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 5D3008			Jump to behavior

Source: C:\Users\user\Desktop\ungziped_file.exe

0_2_01011201

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_00FF2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FF2BA5

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_0101B226 SendInput,keybd_event,

0_2_0101B226

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_0101E355 mouse_event,

0_2_0101E355

Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ungziped_file.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\asset\proximobuccal.exe "C:\Users\user\AppData\Local\asset\proximobuccal.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\asset\proximobuccal.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ungziped_file.exe

0_2_01010B62

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_01011663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_01011663

Source: ungziped_file.exe, proximobuccal.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ungziped_file.exe, proximobuccal.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_00FD0698 cpuid

0_2_00FD0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_01028195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_01028195

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_0100D27A GetUserNameW,

0_2_0100D27A

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_00FEBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00FEBB6F

Source: C:\Users\user\Desktop\ungziped_file.exe

Code function: 0_2_00FB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FB42DE

Source: C:\Users\user\Desktop\ungziped_file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 1.2.proximobuccal.exe.cc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.proximobuccal.exe.cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.proximobuccal.exe.3a80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.proximobuccal.exe.3a80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4311009669.00000000028CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4311077645.0000000002FCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4311009669.0000000002701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4311077645.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proximobuccal.exe PID: 6656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: proximobuccal.exe PID: 5544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5688, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: proximobuccal.exe	Binary or memory string: WIN_81
Source: proximobuccal.exe	Binary or memory string: WIN_XP
Source: proximobuccal.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: proximobuccal.exe	Binary or memory string: WIN_XPe
Source: proximobuccal.exe	Binary or memory string: WIN_VISTA
Source: proximobuccal.exe	Binary or memory string: WIN_7
Source: proximobuccal.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 1.2.proximobuccal.exe.cc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.proximobuccal.exe.cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.proximobuccal.exe.3a80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.proximobuccal.exe.3a80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proximobuccal.exe PID: 6656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: proximobuccal.exe PID: 5544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5688, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 1.2.proximobuccal.exe.cc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.proximobuccal.exe.cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.proximobuccal.exe.3a80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.proximobuccal.exe.3a80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4311009669.00000000028CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4311077645.0000000002FCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4311009669.0000000002701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4311077645.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proximobuccal.exe PID: 6656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: proximobuccal.exe PID: 5544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5688, type: MEMORYSTR

Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_01031204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_01031204
Source: C:\Users\user\Desktop\ungziped_file.exe	Code function: 0_2_01031806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_01031806
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B31204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	1_2_00B31204
Source: C:\Users\user\AppData\Local\asset\proximobuccal.exe	Code function: 1_2_00B31806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_00B31806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	321 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ungziped_file.exe	30%	Virustotal		Browse
ungziped_file.exe	42%	ReversingLabs	Win32.Trojan.AutoitInject
ungziped_file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\asset\proximobuccal.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\asset\proximobuccal.exe	42%	ReversingLabs	Win32.Trojan.AutoitInject

Source	Detection	Scanner	Label	Link
http://www.microsoft.0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.4311077645.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F76000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002806000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.000000000285B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002876000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002884000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002868000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000027C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.4311077645.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F76000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F92000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002806000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.000000000285B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002876000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002891000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000027B5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002884000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002868000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000027C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.	RegSvcs.exe, 00000002.00000002.4311077645.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.4311077645.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F76000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.000000000285B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002876000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002884000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002868000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000027C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.4311077645.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.0	RegSvcs.exe, 00000002.00000002.4311077645.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	proximobuccal.exe, 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp, proximobuccal.exe, 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000002.00000002.4311077645.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F76000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002806000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.000000000285B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002876000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002884000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002868000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.4311077645.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F76000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.000000000285B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002876000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002884000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.0000000002868000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000027E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	proximobuccal.exe, 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4311077645.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp, proximobuccal.exe, 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4311009669.00000000027C8000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585870
Start date and time:	2025-01-08 12:29:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ungziped_file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/3@2/2
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 99% Number of executed functions: 47 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 5688 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:30:27	API Interceptor	11570403x Sleep call for process: RegSvcs.exe modified
11:30:20	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	GTA5-elamigos.exe	Get hash	malicious	Esquele Stealer	Browse	/api/get/dll
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
193.122.130.0	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
checkip.dyndns.com	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.6.168
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	random.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Q1 Statements.html	Get hash	malicious	Unknown	Browse	104.18.95.41
	174.exe	Get hash	malicious	Xmrig	Browse	104.21.95.99
	https://www.dollartip.info/unsubscribe/?d=mdlandrec.net	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://wetransfert-devis-factgfd.mystrikingly.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	104.21.32.1
	mail (4).eml	Get hash	malicious	Unknown	Browse	104.18.1.150
	https://www.dollartip.info/neuro	Get hash	malicious	Unknown	Browse	104.18.36.7
	Subscription_Renewal_Invoice_2025_HKVXTC.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
ORACLE-BMC-31898US	miori.x86.elf	Get hash	malicious	Unknown	Browse	140.204.251.205
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.130.0
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Fantazy.i686.elf	Get hash	malicious	Unknown	Browse	193.123.7.176
	fuckunix.spc.elf	Get hash	malicious	Mirai	Browse	144.25.181.0
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	test.exe	Get hash	malicious	Unknown	Browse	130.61.86.87
	file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3

Process:	C:\Users\user\Desktop\ungziped_file.exe
File Type:	data
Category:	dropped
Size (bytes):	134144
Entropy (8bit):	6.699900113437708
Encrypted:	false
SSDEEP:	3072:DDoOCKfJ7UOSuQyCEzeTyz7NLpaHM8UTkMNgtXUfN:/oOnvPRNtpv8UTk7Xo
MD5:	07A7FA5482236D7DDE34672290811816
SHA1:	4C79D989702D4F230300A21F21AB515B2C52EA32
SHA-256:	C5A6CCE3DD19028CC5BB92FEFE45DF4763C2FBAA5483DCF9405773F429EFC21B
SHA-512:	07B7A0B23CD039ACA61B07452477BDAC3954A5E3C3CBD7A5EB59FC724F7ACEA5F1C2A92269DA212D666D83B6AE7D413734DEFFB9B7AF2ECB495368B60E59AF9D
Malicious:	false
Reputation:	low
Preview:	...R@BB3EEHB..CB.3AEHBFR.BB3AEHBFRCBB3AEHBFRCBB3AEHBFRCBB3AE.BFRM].=A.A.g.B....-!1f"1-%A (h!'<--6.# h03<c+,....b+=''l>LOlBFRCBB3..HB.S@B...#HBFRCBB3.EJCMS.BB.@EHVFRCBB3_QJBFrCBB.CEHB.RCbB3AGHBBRCBB3AELBFRCBB3A%JBFPCBB3AEJB..CBR3AUHBFRSBB#AEHBFRSBB3AEHBFRCB. CE.BFRCb@3.UHBFRCBB3AEHBFRCBB3A.JBJRCBB3AEHBFRCBB3AEHBFRCBB3AEHBFRCBB3AEHBFRCBB3AEHBFRCbB3IEHBFRCBB3AE@bFR.BB3AEHBFRCBlG$=<BFRg.C3AeHBF.BBB1AEHBFRCBB3AEHBfRC"lA27+BFR.RB3AeJBF@CBB.@EHBFRCBB3AEHB.RC.lA$)'!FROBB3A.JBFPCBB9CEHBFRCBB3AEHB.RC.B3AEHBFRCBB3AEHBFFABB3AE.BFRABG3.gIBv.CBA3AE.BFT.cC3.EHBFRCBB3AEHBFRCBB3AEHBFRCBB3AEHBFRCBB3AEHB./.M..,;.RCBB3ADJABTKJB3AEHBFR=BB3.EHB.RCBu3AEmBFR.BB3eEHB8RCB<3AE,BFR1BB3 EHB.RCB-3AE&BFR=BB3_G`bFRIhd3CmiBFXCh.@cEHH.SCBF@bEHH.PCBF@eEHH.QCBF@dEHH.VCBF@gEHH.WCBF..EK.PTCBY\xEHHFQ.WD3A^bdFPkxB3KEbdFQ.WD3A^b`FP.KB3Eo.1[RCDjpAEB6ORC@.9AELhXPk.B3Koj<VRCFi3kg6SFRGiB.c;ZBFVhBh.?VHBByCh`MUEHFmRi\@.UEHFlp=WB3EnHhd,UBB7jEb`8ECBF.AoV@.ECBF.Go*B4k_B20..HB@z.BB9i%HB@RixBMaEHFD=.BB9go.BDzGCB9AGK?pRCF@7<rHBBx.B@HxE

C:\Users\user\AppData\Local\asset\proximobuccal.exe

Download File

Process:	C:\Users\user\Desktop\ungziped_file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1205760
Entropy (8bit):	7.084477508834869
Encrypted:	false
SSDEEP:	24576:tqDEvCTbMWu7rQYlBQcBiT6rprG8a8zoYdLVBTA4dinbn:tTvC/MTQYxsWR7a8z5AGg
MD5:	294AA30E1D8387A1F810490C59907228
SHA1:	5D6B402745679B55132EE21E7F09909B57DDF694
SHA-256:	BD359E9C378164CED9B83D3B0E76F94BDA81911FD848B44AED89275FF7B1C314
SHA-512:	024F6C6BF6E5D194789E0F1F556D9FA53531506E14078764C56A59A292237384984E13EB56D8CB76A8913E219DDB281BCCB68898FB990DC271E0F95C074D3C3D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...6.}g..........".................w.............@.......................................@...@.......@.....................d...\|....@.......................@...u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc........@......................@..@.reloc...u...@...v..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs

Download File

Process:	C:\Users\user\AppData\Local\asset\proximobuccal.exe
File Type:	data
Category:	dropped
Size (bytes):	278
Entropy (8bit):	3.4104341504687166
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcloRKUEZ+lX1ElW8M68dnriIM8lfQVn:DsO+vNloRKQ1El3BKmA2n
MD5:	2E5131DB4BCBBC13A2CFBFC7933B5027
SHA1:	7FF3D0CB44E3AD8A58E2C23514FE471C543D821E
SHA-256:	FF774516DEFA4E2121DA6CBF13E522659304308CB84199C6E1C94C1B279301AE
SHA-512:	C8121F602A3627CA2D5679AFF8EBBA399D080DBC703F3ABDBAEF0006262A3D8D929B899CEE0F611EB11547261EDEFAC1C1EF752C414004C00960FD35976D4FD6
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.a.s.s.e.t.\.p.r.o.x.i.m.o.b.u.c.c.a.l...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.084477508834869
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ungziped_file.exe
File size:	1'205'760 bytes
MD5:	294aa30e1d8387a1f810490c59907228
SHA1:	5d6b402745679b55132ee21e7f09909b57ddf694
SHA256:	bd359e9c378164ced9b83d3b0e76f94bda81911fd848b44aed89275ff7b1c314
SHA512:	024f6c6bf6e5d194789e0f1f556d9fa53531506e14078764c56a59a292237384984e13eb56d8cb76a8913e219ddb281bccb68898fb990dc271e0f95c074d3c3d
SSDEEP:	24576:tqDEvCTbMWu7rQYlBQcBiT6rprG8a8zoYdLVBTA4dinbn:tTvC/MTQYxsWR7a8z5AGg
TLSH:	BE45BF027381D062FFAB92334F5AF6115BBC69260123E61F13A81DB9BD705B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x677DC336 [Wed Jan 8 00:13:42 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F6F6C8FF463h
jmp 00007F6F6C8FED6Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6F6C8FEF4Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6F6C8FEF1Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F6F6C901B0Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F6F6C901B58h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F6F6C901B41h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x4fbf4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x124000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x4fbf4	0x4fc00	fa8042f37e802034efd6601ddfb67693	False	0.9180391604623824	data	7.870796734751963	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x124000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x46ebc	data			1.0003304738168348
RT_GROUP_ICON	0x123674	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1236ec	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x123700	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x123714	0x14	data	English	Great Britain	1.25
RT_VERSION	0x123728	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x123804	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T12:30:24.928345+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	193.122.130.0	80	TCP
2025-01-08T12:30:27.959628+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	193.122.130.0	80	TCP
2025-01-08T12:30:28.533830+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49732	188.114.96.3	443	TCP
2025-01-08T12:30:29.131519+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	193.122.130.0	80	TCP
2025-01-08T12:30:30.209716+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49735	193.122.130.0	80	TCP
2025-01-08T12:30:33.240837+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49739	193.122.130.0	80	TCP
2025-01-08T12:30:35.037713+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49739	193.122.130.0	80	TCP
2025-01-08T12:30:35.618700+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49746	188.114.96.3	443	TCP
2025-01-08T12:30:37.147091+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49749	193.122.130.0	80	TCP
2025-01-08T12:30:37.426321+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49751	188.114.96.3	443	TCP
2025-01-08T12:30:39.566829+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	55704	188.114.96.3	443	TCP
2025-01-08T12:30:40.955256+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	55707	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 12:30:19.332747936 CET	49730	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:19.337577105 CET	80	49730	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:19.337697983 CET	49730	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:19.337946892 CET	49730	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:19.342720985 CET	80	49730	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:23.361090899 CET	80	49730	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:23.365665913 CET	49730	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:23.370501041 CET	80	49730	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:24.874818087 CET	80	49730	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:24.928344965 CET	49730	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:25.110726118 CET	49731	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:25.110771894 CET	443	49731	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:25.110843897 CET	49731	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:25.121128082 CET	49731	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:25.121145010 CET	443	49731	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:25.582961082 CET	443	49731	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:25.583081961 CET	49731	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:25.598644018 CET	49731	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:25.598666906 CET	443	49731	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:25.599128008 CET	443	49731	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:25.647059917 CET	49731	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:25.686404943 CET	49731	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:25.731334925 CET	443	49731	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:25.792880058 CET	443	49731	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:25.792948008 CET	443	49731	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:25.792996883 CET	49731	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:25.806631088 CET	49731	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:25.811466932 CET	49730	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:25.816318035 CET	80	49730	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:27.916646004 CET	80	49730	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:27.921886921 CET	49732	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:27.921938896 CET	443	49732	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:27.922024965 CET	49732	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:27.922360897 CET	49732	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:27.922374964 CET	443	49732	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:27.959628105 CET	49730	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:28.396536112 CET	443	49732	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:28.423599958 CET	49732	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:28.423628092 CET	443	49732	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:28.533874035 CET	443	49732	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:28.533962011 CET	443	49732	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:28.534068108 CET	49732	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:28.534533024 CET	49732	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:28.592261076 CET	49730	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:28.596180916 CET	49733	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:28.597296953 CET	80	49730	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:28.597352982 CET	49730	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:28.600996971 CET	80	49733	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:28.601088047 CET	49733	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:28.601200104 CET	49733	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:28.605954885 CET	80	49733	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:29.082607031 CET	80	49733	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:29.084168911 CET	49734	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:29.084206104 CET	443	49734	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:29.084275007 CET	49734	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:29.084548950 CET	49734	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:29.084566116 CET	443	49734	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:29.131519079 CET	49733	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:29.556859016 CET	443	49734	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:29.558439016 CET	49734	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:29.558459044 CET	443	49734	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:29.694242001 CET	443	49734	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:29.694308996 CET	443	49734	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:29.694358110 CET	49734	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:29.695231915 CET	49734	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:29.702425957 CET	49733	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:29.704416037 CET	49735	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:29.707365036 CET	80	49733	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:29.707432032 CET	49733	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:29.709193945 CET	80	49735	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:29.709271908 CET	49735	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:29.709361076 CET	49735	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:29.714193106 CET	80	49735	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:30.161007881 CET	80	49735	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:30.162183046 CET	49736	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:30.162230968 CET	443	49736	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:30.162308931 CET	49736	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:30.162539959 CET	49736	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:30.162550926 CET	443	49736	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:30.209716082 CET	49735	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:30.614898920 CET	443	49736	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:30.617578030 CET	49736	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:30.617599964 CET	443	49736	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:30.753298998 CET	443	49736	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:30.753370047 CET	443	49736	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:30.753418922 CET	49736	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:30.753963947 CET	49736	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:30.759092093 CET	49737	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:30.763900995 CET	80	49737	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:30.763977051 CET	49737	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:30.764106989 CET	49737	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:30.768903971 CET	80	49737	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:32.413836002 CET	80	49737	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:32.415184021 CET	49738	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:32.415225029 CET	443	49738	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:32.415322065 CET	49738	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:32.415576935 CET	49738	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:32.415591955 CET	443	49738	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:32.456749916 CET	49739	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:32.459568977 CET	49737	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:32.461570978 CET	80	49739	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:32.461637974 CET	49739	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:32.462141991 CET	49739	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:32.466905117 CET	80	49739	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:32.878142118 CET	443	49738	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:32.879940033 CET	49738	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:32.879968882 CET	443	49738	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:33.008348942 CET	80	49739	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:33.030714035 CET	443	49738	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:33.030798912 CET	443	49738	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:33.030885935 CET	49738	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:33.031578064 CET	49738	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:33.049751043 CET	49737	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:33.051564932 CET	49740	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:33.053359032 CET	49739	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:33.054780006 CET	80	49737	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:33.054830074 CET	49737	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:33.056339025 CET	80	49740	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:33.056401014 CET	49740	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:33.056689024 CET	49740	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:33.061475992 CET	80	49740	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:33.082642078 CET	49739	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:33.087488890 CET	80	49739	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:33.186990976 CET	80	49739	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:33.224409103 CET	49742	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:33.224455118 CET	443	49742	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:33.224570036 CET	49742	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:33.228812933 CET	49742	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:33.228831053 CET	443	49742	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:33.240837097 CET	49739	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:33.701749086 CET	443	49742	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:33.701864958 CET	49742	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:33.703748941 CET	49742	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:33.703758955 CET	443	49742	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:33.704073906 CET	443	49742	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:33.756501913 CET	49742	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:33.764575958 CET	49742	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:33.807326078 CET	443	49742	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:33.875833988 CET	443	49742	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:33.875927925 CET	443	49742	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:33.876030922 CET	49742	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:33.880568981 CET	49742	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:33.884865999 CET	49739	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:33.889691114 CET	80	49739	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:34.735635996 CET	80	49740	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:34.737241030 CET	49744	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:34.737276077 CET	443	49744	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:34.737366915 CET	49744	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:34.737668037 CET	49744	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:34.737683058 CET	443	49744	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:34.738559008 CET	80	49740	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:34.738620043 CET	49740	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:34.989317894 CET	80	49739	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:34.991976023 CET	49746	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:34.992007971 CET	443	49746	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:34.992067099 CET	49746	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:34.992347956 CET	49746	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:34.992363930 CET	443	49746	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:35.037713051 CET	49739	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:35.191677094 CET	443	49744	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:35.193413973 CET	49744	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:35.193435907 CET	443	49744	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:35.329107046 CET	443	49744	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:35.329186916 CET	443	49744	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:35.329335928 CET	49744	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:35.329706907 CET	49744	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:35.333477020 CET	49740	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:35.334913015 CET	49748	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:35.338512897 CET	80	49740	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:35.338593960 CET	49740	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:35.339818954 CET	80	49748	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:35.339925051 CET	49748	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:35.340045929 CET	49748	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:35.344830036 CET	80	49748	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:35.470652103 CET	443	49746	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:35.483433962 CET	49746	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:35.483458996 CET	443	49746	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:35.618655920 CET	443	49746	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:35.618735075 CET	443	49746	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:35.618824005 CET	49746	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:35.619261026 CET	49746	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:35.623970985 CET	49739	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:35.625165939 CET	49749	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:35.628909111 CET	80	49739	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:35.628973961 CET	49739	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:35.630034924 CET	80	49749	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:35.630120993 CET	49749	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:35.630215883 CET	49749	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:35.634932995 CET	80	49749	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:36.804991007 CET	80	49748	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:36.806713104 CET	49751	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:36.806766033 CET	443	49751	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:36.807019949 CET	49751	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:36.807326078 CET	49751	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:36.807343006 CET	443	49751	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:36.850207090 CET	49748	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:36.997981071 CET	55697	53	192.168.2.4	1.1.1.1
Jan 8, 2025 12:30:37.002954960 CET	53	55697	1.1.1.1	192.168.2.4
Jan 8, 2025 12:30:37.003055096 CET	55697	53	192.168.2.4	1.1.1.1
Jan 8, 2025 12:30:37.007852077 CET	53	55697	1.1.1.1	192.168.2.4
Jan 8, 2025 12:30:37.094985008 CET	80	49749	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:37.096466064 CET	55698	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:37.096510887 CET	443	55698	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:37.096615076 CET	55698	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:37.096909046 CET	55698	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:37.096930027 CET	443	55698	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:37.147090912 CET	49749	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:37.262485981 CET	443	49751	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:37.273850918 CET	49751	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:37.273884058 CET	443	49751	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:37.426333904 CET	443	49751	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:37.426409006 CET	443	49751	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:37.426664114 CET	49751	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:37.426944971 CET	49751	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:37.430578947 CET	49748	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:37.431571960 CET	55700	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:37.435564041 CET	80	49748	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:37.435633898 CET	49748	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:37.436428070 CET	80	55700	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:37.436570883 CET	55700	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:37.436609983 CET	55700	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:37.441342115 CET	80	55700	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:37.494031906 CET	55697	53	192.168.2.4	1.1.1.1
Jan 8, 2025 12:30:37.499193907 CET	53	55697	1.1.1.1	192.168.2.4
Jan 8, 2025 12:30:37.500643015 CET	55697	53	192.168.2.4	1.1.1.1
Jan 8, 2025 12:30:37.564975977 CET	443	55698	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:37.573115110 CET	55698	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:37.573137045 CET	443	55698	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:37.692142963 CET	443	55698	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:37.692199945 CET	443	55698	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:37.692313910 CET	55698	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:37.692815065 CET	55698	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:37.697628021 CET	55701	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:37.702481985 CET	80	55701	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:37.702594995 CET	55701	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:37.702688932 CET	55701	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:37.707523108 CET	80	55701	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:38.185153008 CET	80	55701	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:38.186580896 CET	55702	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:38.186634064 CET	443	55702	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:38.186826944 CET	55702	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:38.187114954 CET	55702	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:38.187129021 CET	443	55702	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:38.228044033 CET	55701	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:38.643836021 CET	443	55702	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:38.652780056 CET	55702	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:38.652793884 CET	443	55702	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:38.780283928 CET	443	55702	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:38.780347109 CET	443	55702	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:38.780426979 CET	55702	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:38.781110048 CET	55702	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:38.785320044 CET	55701	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:38.786545992 CET	55703	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:38.790344000 CET	80	55701	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:38.790411949 CET	55701	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:38.791374922 CET	80	55703	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:38.791449070 CET	55703	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:38.791553974 CET	55703	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:38.796318054 CET	80	55703	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:38.959744930 CET	80	55700	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:38.963188887 CET	55704	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:38.963243961 CET	443	55704	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:38.963345051 CET	55704	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:38.963606119 CET	55704	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:38.963618994 CET	443	55704	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:39.006508112 CET	55700	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:39.245886087 CET	80	55703	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:39.247328043 CET	55705	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:39.247366905 CET	443	55705	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:39.247453928 CET	55705	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:39.247802973 CET	55705	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:39.247811079 CET	443	55705	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:39.287827015 CET	55703	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:39.415374994 CET	443	55704	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:39.424278975 CET	55704	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:39.424324989 CET	443	55704	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:39.566849947 CET	443	55704	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:39.566911936 CET	443	55704	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:39.567141056 CET	55704	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:39.567647934 CET	55704	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:39.736809015 CET	443	55705	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:39.738667965 CET	55705	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:39.738686085 CET	443	55705	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:39.885346889 CET	443	55705	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:39.885425091 CET	443	55705	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:39.885538101 CET	55705	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:39.886209011 CET	55705	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:39.889766932 CET	55703	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:39.890845060 CET	55706	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:39.894771099 CET	80	55703	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:39.894890070 CET	55703	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:39.895641088 CET	80	55706	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:39.895725965 CET	55706	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:39.895998955 CET	55706	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:39.900722027 CET	80	55706	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:40.350322008 CET	80	55706	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:40.351651907 CET	55707	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:40.351674080 CET	443	55707	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:40.351742983 CET	55707	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:40.352025986 CET	55707	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:40.352036953 CET	443	55707	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:40.397111893 CET	55706	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:40.805116892 CET	443	55707	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:40.806901932 CET	55707	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:40.806916952 CET	443	55707	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:40.955323935 CET	443	55707	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:40.955387115 CET	443	55707	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:40.955459118 CET	55707	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:40.956016064 CET	55707	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:40.959105015 CET	55706	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:40.960253954 CET	55708	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:40.964088917 CET	80	55706	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:40.964160919 CET	55706	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:40.965046883 CET	80	55708	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:40.965120077 CET	55708	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:40.965224028 CET	55708	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:40.969997883 CET	80	55708	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:41.443212032 CET	80	55708	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:41.444484949 CET	55709	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:41.444528103 CET	443	55709	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:41.444597960 CET	55709	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:41.444840908 CET	55709	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:41.444858074 CET	443	55709	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:41.490812063 CET	55708	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:41.949954033 CET	443	55709	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:41.952095032 CET	55709	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:41.952126026 CET	443	55709	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:42.085216045 CET	443	55709	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:42.085280895 CET	443	55709	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:42.085330009 CET	55709	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:42.085720062 CET	55709	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:42.093444109 CET	55708	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:42.094814062 CET	55710	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:42.098618031 CET	80	55708	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:42.098721027 CET	55708	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:42.099620104 CET	80	55710	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:42.099724054 CET	55710	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:42.099880934 CET	55710	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:42.104671955 CET	80	55710	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:44.737279892 CET	80	55710	193.122.130.0	192.168.2.4
Jan 8, 2025 12:30:44.738878965 CET	55711	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:44.738920927 CET	443	55711	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:44.739000082 CET	55711	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:44.739336014 CET	55711	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:44.739351034 CET	443	55711	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:44.787708044 CET	55710	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:30:45.195254087 CET	443	55711	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:45.196867943 CET	55711	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:45.196890116 CET	443	55711	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:45.345149994 CET	443	55711	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:45.345221996 CET	443	55711	188.114.96.3	192.168.2.4
Jan 8, 2025 12:30:45.345278025 CET	55711	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:30:45.345758915 CET	55711	443	192.168.2.4	188.114.96.3
Jan 8, 2025 12:31:35.165072918 CET	80	49735	193.122.130.0	192.168.2.4
Jan 8, 2025 12:31:35.165188074 CET	49735	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:31:42.094921112 CET	80	49749	193.122.130.0	192.168.2.4
Jan 8, 2025 12:31:42.094976902 CET	49749	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:31:43.958801031 CET	80	55700	193.122.130.0	192.168.2.4
Jan 8, 2025 12:31:43.958925009 CET	55700	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:31:49.737332106 CET	80	55710	193.122.130.0	192.168.2.4
Jan 8, 2025 12:31:49.739851952 CET	55710	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:32:19.002374887 CET	55700	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:32:19.007319927 CET	80	55700	193.122.130.0	192.168.2.4
Jan 8, 2025 12:32:24.740926027 CET	55710	80	192.168.2.4	193.122.130.0
Jan 8, 2025 12:32:24.745851040 CET	80	55710	193.122.130.0	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 12:30:19.312139988 CET	50560	53	192.168.2.4	1.1.1.1
Jan 8, 2025 12:30:19.319005966 CET	53	50560	1.1.1.1	192.168.2.4
Jan 8, 2025 12:30:25.102833986 CET	57135	53	192.168.2.4	1.1.1.1
Jan 8, 2025 12:30:25.110017061 CET	53	57135	1.1.1.1	192.168.2.4
Jan 8, 2025 12:30:36.997550011 CET	53	62762	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 12:30:19.312139988 CET	192.168.2.4	1.1.1.1	0x1d88	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:25.102833986 CET	192.168.2.4	1.1.1.1	0x9bcf	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 12:30:19.319005966 CET	1.1.1.1	192.168.2.4	0x1d88	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 12:30:19.319005966 CET	1.1.1.1	192.168.2.4	0x1d88	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:19.319005966 CET	1.1.1.1	192.168.2.4	0x1d88	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:19.319005966 CET	1.1.1.1	192.168.2.4	0x1d88	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:19.319005966 CET	1.1.1.1	192.168.2.4	0x1d88	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:19.319005966 CET	1.1.1.1	192.168.2.4	0x1d88	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:25.110017061 CET	1.1.1.1	192.168.2.4	0x9bcf	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:25.110017061 CET	1.1.1.1	192.168.2.4	0x9bcf	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	193.122.130.0	80	1216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:30:19.337946892 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 12:30:23.361090899 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 46c3a3f4e4c8dd4341859c6b0b0e8380 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 12:30:23.365665913 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 12:30:24.874818087 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b95c3febf3e854ef384689e3165376f1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 12:30:25.811466932 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 12:30:27.916646004 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 85ce0dd424a91125b91b5247e8c90dd1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	193.122.130.0	80	1216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:30:28.601200104 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 12:30:29.082607031 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 53d07189b8802c52ba0a010fe43621e5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	193.122.130.0	80	1216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:30:29.709361076 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 12:30:30.161007881 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2bf15e377b8faa5638cf8097c091790f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49737	193.122.130.0	80	1216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:30:30.764106989 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 12:30:32.413836002 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 59e7750b7871dd745eff0453a0c9efd9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	193.122.130.0	80	5688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:30:32.462141991 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 12:30:33.008348942 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2d5e838ab6eed20ffadbb48e61dd98fa Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 12:30:33.082642078 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 12:30:33.186990976 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e6d4485d22aef0bee953f237ffdaa5f1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 12:30:33.884865999 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 12:30:34.989317894 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b23079b6ed05d6f40b5b3a71f4546899 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49740	193.122.130.0	80	1216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:30:33.056689024 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 12:30:34.735635996 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 215d963e8bfbe035b67e98a6e9ba1db5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 12:30:34.738559008 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 215d963e8bfbe035b67e98a6e9ba1db5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	193.122.130.0	80	1216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:30:35.340045929 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 12:30:36.804991007 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: aefa2ff205bcbb4757a7c9a82704c831 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49749	193.122.130.0	80	5688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:30:35.630215883 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 12:30:37.094985008 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 11c4b04b21178ea3657b6aa7671c765d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	55700	193.122.130.0	80	1216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:30:37.436609983 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 12:30:38.959744930 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 17704b453dd794d283d140904393fafd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	55701	193.122.130.0	80	5688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:30:37.702688932 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 12:30:38.185153008 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b602b12a3a34c841b76290ea34579843 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	55703	193.122.130.0	80	5688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:30:38.791553974 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 12:30:39.245886087 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 173487c5ba4dc631844938a93e3f0510 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	55706	193.122.130.0	80	5688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:30:39.895998955 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 12:30:40.350322008 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 53617d01213dec6350d849823e2498f4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	55708	193.122.130.0	80	5688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:30:40.965224028 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 12:30:41.443212032 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f915f30c30ef1cae8cb927f90280e2cf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	55710	193.122.130.0	80	5688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:30:42.099880934 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 12:30:44.737279892 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 70039f43c58789ac5f572597ac757eda Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	188.114.96.3	443	1216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:25 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 11:30:25 UTC	855	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650614 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kPF%2FHvBFoLMyMJpUcV0ZGjG6e6QScdjcjIJYLAHsLyKFXsMNqPP3hkZHDmfFLjDIESoWCyKjKYuT0brntO1L%2F2GnRR68pcfFQsjmsyUurRggkXcUJTn02hWMjXgn89X0LDP%2BuHX3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdafedd2343ab-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1567&min_rtt=1560&rtt_var=600&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1801357&cwnd=224&unsent_bytes=0&cid=0a6614dca49b0e44&ts=222&x=0"
2025-01-08 11:30:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	188.114.96.3	443	1216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:28 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-08 11:30:28 UTC	867	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650617 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t%2B4Q%2BC5XpZaKbI8vbi8tGxvRVMhMVUm%2B2zTEO0PuEmp9mnmZ7Z4PBEP%2FPx3a9ln1ghwcoCozx1Vrb%2Fx3NGnbo7c4JARZgSJ2OYn%2Bf9cLd0Q%2FFJyvv5MFUwzYl%2F2mD%2FQojFFGyfQn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb0ffc494391-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1581&min_rtt=1577&rtt_var=601&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1808049&cwnd=237&unsent_bytes=0&cid=13ac0874977a45a4&ts=143&x=0"
2025-01-08 11:30:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	188.114.96.3	443	1216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:29 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 11:30:29 UTC	857	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650618 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HiklCpTm8ZCo3nh%2ByZnzJY2sROAiPMwXPZnMwpXgTeZqNP9Q%2B0EA528RX2Ix6DJEaB4LRlKryIQ%2BonZK4LT4j%2BJ2FHFuBKmPIm5HpcSNAFsBO9ugpjZqHEQJH090jOnVrFn0mgZd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb173e9e41de-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1681&rtt_var=647&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1670480&cwnd=225&unsent_bytes=0&cid=6e75c7f6d6617f0d&ts=140&x=0"
2025-01-08 11:30:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49736	188.114.96.3	443	1216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:30 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 11:30:30 UTC	861	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:30 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650619 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qOxJhIKB9nuhrxvn%2Bjs%2BKbtqZn1Kpdmz1Z79jRV7%2FhMkvKVs%2BUKvHGJr%2F9NUIZ9bbfIf4Az5HWRbhTpVrGkn5l1xYzQ2%2BfJBWfOiehtNSKGMrvLBzHfcYksw3ALyDGO2zvHXdhnW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb1dd9730f59-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1577&min_rtt=1570&rtt_var=603&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1792510&cwnd=224&unsent_bytes=0&cid=64f69c6c76d8575c&ts=141&x=0"
2025-01-08 11:30:30 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49738	188.114.96.3	443	1216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:32 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 11:30:33 UTC	861	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650622 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=onjpvbXagwWzILMZ%2F1%2F9fjxmFmr%2BjHv8Beuuv9OHliCP2idLFoQboBZfj0P1ISoeVZCnzIR49mm3LHrz%2FNvtJJkOwKV%2BieU%2FNXbdqLTxeJnt3iYcCLnPuF36RT6K52uSUMVQS1Pc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb2c1bdb4289-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1638&min_rtt=1632&rtt_var=624&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1736028&cwnd=150&unsent_bytes=0&cid=649805b8c47742dc&ts=156&x=0"
2025-01-08 11:30:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	188.114.96.3	443	5688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:33 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 11:30:33 UTC	851	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650622 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oHkBDHms7ZBFhT7SdNR3iIqp9HZdrJrj8OtBR1GOJyQvCLIEESP5i8WXm6WzyckSKlycpp5CCtA3ViyCYZhkJjDfIuU0%2BpOT01PIbSNKsXdhkiVLcJFy518Gs40bndqYMof657w4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb315a82c338-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1497&min_rtt=1485&rtt_var=581&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1844598&cwnd=228&unsent_bytes=0&cid=3707a533d6bb3d4f&ts=184&x=0"
2025-01-08 11:30:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	188.114.96.3	443	1216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:35 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 11:30:35 UTC	861	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650624 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JKD1dBokGTlG0T%2Fja4tolDUBT7ALe4wNgcArovvZTfU0fqx%2FC1%2Fb0ahCoN%2BmF9X6eMT4l17QnD45KNuvzaCmkOgYrkpj2Uhzgo8WpN0rmTUR6QisaDPshjkK4GQoyaMs4WZ%2Bru%2Bw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb3a7b2842c6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1792&min_rtt=1694&rtt_var=705&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1723730&cwnd=151&unsent_bytes=0&cid=cdf6f2ef983eb3a6&ts=142&x=0"
2025-01-08 11:30:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	188.114.96.3	443	5688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:35 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-08 11:30:35 UTC	859	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650624 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cg%2Fl%2BlUDFOpvZu1ikvU%2BXmdODzE3D2Rsh3MTWJymEP6eHcPvvmR2F2GNuZuv%2FYdkOucRSwuJcqMBdgwAPllKaJCLmenZ8exbIGMhN0ZnIKPzQYX6SYGW5bkrlZ6azNIgiy5DEh%2Bh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb3c3d7cde95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1684&min_rtt=1682&rtt_var=636&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1712609&cwnd=242&unsent_bytes=0&cid=0a9358474497db70&ts=152&x=0"
2025-01-08 11:30:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49751	188.114.96.3	443	1216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:37 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-08 11:30:37 UTC	859	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650626 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9h04VxZLTjMES5O4P%2FN8L9qxAznwEYw5H99n1gNFRoOLxgW%2B7%2BPxiEipCj6wzyi6HCW2kjnTAMQr4%2Ftg7jHEeVXju8R3BOdbekU32TCjrhAQgHbsw%2BcLChW0NURetSPQGTPjfBdc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb478f4472aa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1936&min_rtt=1932&rtt_var=733&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1482986&cwnd=191&unsent_bytes=0&cid=74cb497777d684e1&ts=169&x=0"
2025-01-08 11:30:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	55698	188.114.96.3	443	5688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:37 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 11:30:37 UTC	861	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650626 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sQUJG%2FtZAxf1NDgknWjErJ%2F9jnbwZ84oKzCOZEUAllQWGNC1uKRdHy2%2FTKMcMvhQ9BvGck4ZtiwnwQIjBddD%2FmZmImd5Mo7uOLYN6zdAX7hyuwsEzJmo%2B0dmcqSOoGjES7sD%2BVht"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb493d407cae-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1947&min_rtt=1943&rtt_var=738&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1474003&cwnd=195&unsent_bytes=0&cid=df4c76adf8042fbc&ts=130&x=0"
2025-01-08 11:30:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	55702	188.114.96.3	443	5688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:38 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 11:30:38 UTC	852	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650627 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vvDyR1Upu7wh9aPSTX7nDJMKGepnGyHqcENbr3F1dSXv0xuqQBJ1L94McXElu38kiZsCRA4UPuUvC7Z0Ot94lrjL40%2BfHHYCSU8xEvEYeQne%2BwPeSKFwfOQW19gPnTkmM9hGQ8NJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb50091c4375-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2336&min_rtt=2331&rtt_var=884&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1231547&cwnd=32&unsent_bytes=0&cid=3628756c5df07649&ts=143&x=0"
2025-01-08 11:30:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	55704	188.114.96.3	443	1216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:39 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-08 11:30:39 UTC	857	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650628 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r5YGc3im%2BGYVkL9mqEaHuvuMfYHSlIpUnI71xFRWn5q5EX2k8ob1G39TZdxcsSV9t%2BXbK7gtcZ3199BW%2BkyCIvNBcc8fv%2B9HPXM7P9v68UxTryUKh3F6frq8j6EtABwYFZ5lFP8f"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb54e9f442b5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2441&min_rtt=2439&rtt_var=919&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1188925&cwnd=221&unsent_bytes=0&cid=083653b915c027f0&ts=155&x=0"
2025-01-08 11:30:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	55705	188.114.96.3	443	5688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:39 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 11:30:39 UTC	861	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650628 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=98UxyRNpkgS1CwSe4uT%2B1%2Bz%2Bo1Zv9i6Mwi4LuRtXMCGVJFjlZONJiewBSSWn7Yn87fcjDVx8%2FmizIhd%2BX5SA9vnBJXlIMO08SeCV8E41EgqZOPig1eJkNRuQdsfMDmNulB4HHDE%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb56f8a043f4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1641&min_rtt=1600&rtt_var=629&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1825000&cwnd=194&unsent_bytes=0&cid=52bbad84e78a32f4&ts=152&x=0"
2025-01-08 11:30:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	55707	188.114.96.3	443	5688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:40 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-08 11:30:40 UTC	853	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650630 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j9V25LIsOWDd7CkdY%2BG8IQC1r6risgnFJX0KglRVOhe%2FyQJ5dwdxQe6puoXu4xECQBRRjPFDMbPWCdU7EBILiDKX53j5l2p6XiYHOfaAafQyvV3IxOrA3Uz742T17ZlWOH8U2ha4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb5d882d4289-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1781&min_rtt=1768&rtt_var=672&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1651583&cwnd=150&unsent_bytes=0&cid=04a3708c1fc7082e&ts=153&x=0"
2025-01-08 11:30:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	55709	188.114.96.3	443	5688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:41 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 11:30:42 UTC	857	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:42 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650631 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A%2BZ%2FEsptCHWXY2sMdkh88e7SC7Npcvk%2FCKQ6mn4GnFplHp5b0jR7j9FB46eFyt0DbMmyJ8kOIdF842BQqhSXRYALnUyj3x6ygEddD5TsDBzCbVDns%2F46JAFBshupoGjsPzwIPkLA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb64ae3b5e78-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1730&min_rtt=1723&rtt_var=660&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1639528&cwnd=252&unsent_bytes=0&cid=610e8703eb67ace1&ts=139&x=0"
2025-01-08 11:30:42 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	55711	188.114.96.3	443	5688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:45 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 11:30:45 UTC	857	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650634 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6AQ2R0UoISUU1dbANw68moXz%2Bp7x8bTeAZngxwGsQMBKNLti5UxsWu3EI59IjM%2FFGbxTNckjMsX8wsxr%2Bx9bgume3qKHomD0uBA%2FCWIDDjsVurn2vfcenvzDc4C7383KAFxwQdf3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb791fa741f9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2187&min_rtt=2187&rtt_var=821&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1331509&cwnd=216&unsent_bytes=0&cid=d228f4d6fdd9e73d&ts=155&x=0"
2025-01-08 11:30:45 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	06:30:15
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\ungziped_file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ungziped_file.exe"
Imagebase:	0xfb0000
File size:	1'205'760 bytes
MD5 hash:	294AA30E1D8387A1F810490C59907228
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:30:16
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Local\asset\proximobuccal.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ungziped_file.exe"
Imagebase:	0xab0000
File size:	1'205'760 bytes
MD5 hash:	294AA30E1D8387A1F810490C59907228
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.1879783785.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:30:17
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ungziped_file.exe"
Imagebase:	0xb70000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4311077645.0000000002FCD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4311077645.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.4309892983.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	06:30:28
Start date:	08/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs"
Imagebase:	0x7ff7a0ab0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:30:29
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Local\asset\proximobuccal.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\asset\proximobuccal.exe"
Imagebase:	0xab0000
File size:	1'205'760 bytes
MD5 hash:	294AA30E1D8387A1F810490C59907228
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.2011430670.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:30:30
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\asset\proximobuccal.exe"
Imagebase:	0x3b0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.4311009669.00000000028CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.4311009669.0000000002701000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	1.2%
Signature Coverage:	3.6%
Total number of Nodes:	1530
Total number of Limit Nodes:	46

Executed Functions

Function 00FB42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00FB430D

Part of subcall function 00FB6B57: _wcslen.LIBCMT ref: 00FB6B6A

GetCurrentProcess.KERNEL32(?,0104CB64,00000000,?,?), ref: 00FB4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00FB4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00FB4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FB4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00FB4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00FB447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00FB44A0

Strings

|O, xrefs: 00FF36F8
kernel32.dll, xrefs: 00FB444F
GetNativeSystemInfo, xrefs: 00FB4460

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 0a1b127b1bdc3d2bd63358ad9ce2a18c36060f5f6256971568631e1d1193203f
Instruction ID: 6859cad03b5dea153378e9071c39d8632e765cdad9135644c9eceb64304931fd
Opcode Fuzzy Hash: 0a1b127b1bdc3d2bd63358ad9ce2a18c36060f5f6256971568631e1d1193203f
Instruction Fuzzy Hash: A5A1C576D0E2D4DFC731D76AB1806ED7FA46F26710B08C899D4C1A3A0AD27E4506EFA1

Function 00FB42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00FB50AA,?,?,00000000,00000000), ref: 00FB42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FB50AA,?,?,00000000,00000000), ref: 00FB42C9
LoadResource.KERNEL32(?,00000000,?,?,00FB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FB4F20), ref: 00FF35BE
SizeofResource.KERNEL32(?,00000000,?,?,00FB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FB4F20), ref: 00FF35D3
LockResource.KERNEL32(00FB50AA,?,?,00FB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FB4F20,?), ref: 00FF35E6

Strings

SCRIPT, xrefs: 00FB42BF

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 14b5ff9088eb1140d1266704a69fa86ae0d0d25ab84920a73ce2e3e44dededc0
Instruction ID: 3b7d98ccdad3cced64a54caf232b0a86c90f338852ef37b41d7d6c788703b9bf
Opcode Fuzzy Hash: 14b5ff9088eb1140d1266704a69fa86ae0d0d25ab84920a73ce2e3e44dededc0
Instruction Fuzzy Hash: 0F11A0B4301700BFE7218FA6DE89F677BB9EBC5B51F14416DB84686150DB71EC00AA30

Function 00FF2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00FB2B6B

Part of subcall function 00FB3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01081418,?,00FB2E7F,?,?,?,00000000), ref: 00FB3A78

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,01072224), ref: 00FF2C10
ShellExecuteW.SHELL32(00000000,?,?,01072224), ref: 00FF2C17

Strings

runas, xrefs: 00FF2C0B

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 302b5eca72b9189429d10534ab61eb01c5472b13fc07dc26d9ce324ef5a69d09
Instruction ID: 55b7b9e9257df595bc8c7fc487501799741bcf576927728ebf4291019599ff51
Opcode Fuzzy Hash: 302b5eca72b9189429d10534ab61eb01c5472b13fc07dc26d9ce324ef5a69d09
Instruction Fuzzy Hash: EB11DF316083056AC714FF66DC919EE7BA4AFD5310F48541DF2C2060A2CF398A4AAB12

Function 00FBD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FBD807
timeGetTime.WINMM ref: 00FBDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FBDB28
TranslateMessage.USER32(?), ref: 00FBDB7B
DispatchMessageW.USER32(?), ref: 00FBDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FBDB9F
Sleep.KERNEL32(0000000A), ref: 00FBDBB1

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: bced70801e95b5a3b8286efc21594827a5ae0e5b747e82411ef7eb3bf41d2dd6
Instruction ID: fe8b1fb6ecd66bee2dbe6925207ae2133e8fd652d9cb2bdfd06f7f5acbdbc70b
Opcode Fuzzy Hash: bced70801e95b5a3b8286efc21594827a5ae0e5b747e82411ef7eb3bf41d2dd6
Instruction Fuzzy Hash: 1C420370608242EFE72ACF25C888BAABBE0BF85314F14855DE4D587291E775E844DF92

Function 00FB2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FB2D07
RegisterClassExW.USER32(00000030), ref: 00FB2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FB2D42
InitCommonControlsEx.COMCTL32(?), ref: 00FB2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FB2D6F
LoadIconW.USER32(000000A9), ref: 00FB2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FB2D94

Strings

+, xrefs: 00FB2CF0
TaskbarCreated, xrefs: 00FB2D37
AutoIt v3 GUI, xrefs: 00FB2D23
0, xrefs: 00FB2CE9

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 55dca9242f0cb2da827a2a9e9a61967a1f52a0db53d9cb9ab087b2fdda2155df
Instruction ID: f5100ae5c95c06c5dc6b0909c7bb5f16191c003559461e4d15ef46d38a611763
Opcode Fuzzy Hash: 55dca9242f0cb2da827a2a9e9a61967a1f52a0db53d9cb9ab087b2fdda2155df
Instruction Fuzzy Hash: 52211DB5D06308AFEB20DF94EA89BDD7BB4FB08700F00411AF5D1A6284D7BA0541CF50

Function 00FF065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FF039A: CreateFileW.KERNELBASE(00000000,00000000,?,00FF0704,?,?,00000000,?,00FF0704,00000000,0000000C), ref: 00FF03B7

GetLastError.KERNEL32 ref: 00FF076F
__dosmaperr.LIBCMT ref: 00FF0776
GetFileType.KERNELBASE(00000000), ref: 00FF0782
GetLastError.KERNEL32 ref: 00FF078C
__dosmaperr.LIBCMT ref: 00FF0795
CloseHandle.KERNEL32(00000000), ref: 00FF07B5
CloseHandle.KERNEL32(?), ref: 00FF08FF
GetLastError.KERNEL32 ref: 00FF0931
__dosmaperr.LIBCMT ref: 00FF0938

Strings

H, xrefs: 00FF08BD

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 8edfa7b03dcf0479a3263f6c3cef784981b6abd05ae5f5f24ea6f73e8ae00ed9
Instruction ID: d326fb06b4027cd46e0d7bd29020ef97df315792cce728fd10d3db573c9daee8
Opcode Fuzzy Hash: 8edfa7b03dcf0479a3263f6c3cef784981b6abd05ae5f5f24ea6f73e8ae00ed9
Instruction Fuzzy Hash: 45A16A32A041088FDF28AF68DC51BBD7BA1AF06320F140159F951DF3A2DB358D16EB91

Function 00FB344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FB3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01081418,?,00FB2E7F,?,?,?,00000000), ref: 00FB3A78

Part of subcall function 00FB3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FB3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FB356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FF318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FF31CE
RegCloseKey.ADVAPI32(?), ref: 00FF3210
_wcslen.LIBCMT ref: 00FF3277
_wcslen.LIBCMT ref: 00FF3286

Strings

\Include\, xrefs: 00FB3527
\, xrefs: 00FF328C
Include, xrefs: 00FF3184, 00FF31C5
Software\AutoIt v3\AutoIt, xrefs: 00FB3560

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: d5467c6f69ac3c1c0ca2ae8a3590d38d0458c50bfb881daeba5feb5b65b3e053
Instruction ID: bda101b1985c7d382c5712cd1ad91126928c683063c04f8ed71a43cf5e420d80
Opcode Fuzzy Hash: d5467c6f69ac3c1c0ca2ae8a3590d38d0458c50bfb881daeba5feb5b65b3e053
Instruction Fuzzy Hash: 3D71BDB14083019EC324EF66EC919AFBBE8FF85750F40842EF5C593164EB799A48DB52

Function 00FB2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FB2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00FB2B9D
LoadIconW.USER32(00000063), ref: 00FB2BB3
LoadIconW.USER32(000000A4), ref: 00FB2BC5
LoadIconW.USER32(000000A2), ref: 00FB2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FB2BEF
RegisterClassExW.USER32(?), ref: 00FB2C40

Part of subcall function 00FB2CD4: GetSysColorBrush.USER32(0000000F), ref: 00FB2D07
Part of subcall function 00FB2CD4: RegisterClassExW.USER32(00000030), ref: 00FB2D31
Part of subcall function 00FB2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FB2D42
Part of subcall function 00FB2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00FB2D5F
Part of subcall function 00FB2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FB2D6F
Part of subcall function 00FB2CD4: LoadIconW.USER32(000000A9), ref: 00FB2D85
Part of subcall function 00FB2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FB2D94

Strings

#, xrefs: 00FB2C16
AutoIt v3, xrefs: 00FB2C2F
0, xrefs: 00FB2C0F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: a56d8045ba2bd6ba624394af854d2975f1c1826c73637f06c311f7962e5ebd03
Instruction ID: a6f8cb13488f407fc2861dd46cd2e62d87a04ef6d822bc1da432b545bc7443c0
Opcode Fuzzy Hash: a56d8045ba2bd6ba624394af854d2975f1c1826c73637f06c311f7962e5ebd03
Instruction Fuzzy Hash: 82214CB4E05314AFDB20DFA6E985ADD7FB5FF08B50F00801AE580A6694D7BA0541DF90

Function 00FB3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00FB316A,?,?), ref: 00FB31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00FB316A,?,?), ref: 00FB3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FB3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00FB316A,?,?), ref: 00FB3232
CreatePopupMenu.USER32 ref: 00FB3246
PostQuitMessage.USER32(00000000), ref: 00FB3267

Strings

TaskbarCreated, xrefs: 00FB322D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 6d1d60b67c2d9360c9375bb3d4510e225e84949a35cb2280157dd6f6a4e10193
Instruction ID: b7d8a6a2f82ef0343541df37678944850c15dd26cccbc8a88805b128e9aa9a48
Opcode Fuzzy Hash: 6d1d60b67c2d9360c9375bb3d4510e225e84949a35cb2280157dd6f6a4e10193
Instruction Fuzzy Hash: 84412B36AC8204ABDB246B7DDE4ABFD3A1DFF05350F044119F5C2C5295CB7A8A41BB61

Function 01651350 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01651395

Memory Dump Source

Source File: 00000000.00000002.1856842677.0000000001650000.00000040.00000020.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1650000_ungziped_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: db2ac73199d9c54bd8278c17b4ada0d8e22d2170a9a33a0eaff21163aee2800d
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: D3511A75A10208FBEF60DFE4CC89FDE7778AF48705F108554FA0AEA280DA749A45CB60

Function 00FB2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FB2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FB2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00FB1CAD,?), ref: 00FB2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00FB1CAD,?), ref: 00FB2CCF

Strings

edit, xrefs: 00FB2CAC
AutoIt v3, xrefs: 00FB2C89, 00FB2C8E, 00FB2C8F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 9b652c30a58f513b57dee2ab85593c0ad60f7877e2449ec92202fc697cce22a5
Instruction ID: 9eef1ebefd3428ece72a3636da0b4b6219304289dce549b90863c9c8fc02daf1
Opcode Fuzzy Hash: 9b652c30a58f513b57dee2ab85593c0ad60f7877e2449ec92202fc697cce22a5
Instruction Fuzzy Hash: A8F03AB95443907FEB300713AC4CEBB2EBDEBC6F50B00806EF980A2154C27A0842DBB0

Function 01652E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 140
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01652D00: Sleep.KERNELBASE(000001F4), ref: 01652D11

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01652F07

Strings

HBFRCBB3AE, xrefs: 01652F87, 01652F8A

Memory Dump Source

Source File: 00000000.00000002.1856842677.0000000001650000.00000040.00000020.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1650000_ungziped_file.jbxd

Similarity

API ID: CreateFileSleep
String ID: HBFRCBB3AE
API String ID: 2694422964-2518697112
Opcode ID: 3a262479836e0cfe4ba1cad0495b77d1b703d997a8d46dbac2d1c79acbbf0287
Instruction ID: c106ad22a63cc6deea3c435fa02a94e2d4892751bd8e0c178b7248c20d03ce3a
Opcode Fuzzy Hash: 3a262479836e0cfe4ba1cad0495b77d1b703d997a8d46dbac2d1c79acbbf0287
Instruction Fuzzy Hash: 2A519471D4420ADBEF51DBA4DC14BEEBB79AF09300F004198E609BB2C0D7795B45CBA5

Function 00FB3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00FB3B0F,SwapMouseButtons,00000004,?), ref: 00FB3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00FB3B0F,SwapMouseButtons,00000004,?), ref: 00FB3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00FB3B0F,SwapMouseButtons,00000004,?), ref: 00FB3B83

Strings

Control Panel\Mouse, xrefs: 00FB3B3E

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 1cfe87a2388660b91f32fb4392ed20af733bc1c2f6dc9684dace6ae2700a6c7f
Instruction ID: 04be811b27ecdde99211f09479afb64f1152d386757e5b8690442a7fbfafa312
Opcode Fuzzy Hash: 1cfe87a2388660b91f32fb4392ed20af733bc1c2f6dc9684dace6ae2700a6c7f
Instruction Fuzzy Hash: 26115AB5551208FFDB208FA6DD84AEEB7B8EF41750B108559B801D7118D6319E40AB60

Function 00FBDFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 010032B7

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 34f0dfcac10bfe62256ee5e75702f0e4bbe1091f5588895af2b160c14cee4d02
Instruction ID: e1981b755b64bd48e1bc67addb01278761d643315226220ee4898fbd7d9f6da7
Opcode Fuzzy Hash: 34f0dfcac10bfe62256ee5e75702f0e4bbe1091f5588895af2b160c14cee4d02
Instruction Fuzzy Hash: F5C26575E00215CFDB25CF59C881BEDBBF1BB08310F288169E986AB291D735AD41EF91

Function 00FB3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FF33A2

Part of subcall function 00FB6B57: _wcslen.LIBCMT ref: 00FB6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FB3A04

Strings

Line: , xrefs: 00FF33EB

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 8b2f9333e46c55b3e55e57b178362774547c038f635b8f09e44adf6c8ae1350d
Instruction ID: 6654dbb603b4d90e8a5defa777c19e7bba614eec129ca972a1b7ebcc2953e8c8
Opcode Fuzzy Hash: 8b2f9333e46c55b3e55e57b178362774547c038f635b8f09e44adf6c8ae1350d
Instruction Fuzzy Hash: D631C071848304AFD725EB21DC45BEFB7E8AF40720F14452AF5D982185EF789A49EBC2

Function 00FCFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00FD0668

Part of subcall function 00FD32A4: RaiseException.KERNEL32(?,?,?,00FD068A,?,01081444,?,?,?,?,?,?,00FD068A,00FB1129,01078738,00FB1129), ref: 00FD3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00FD0685

Strings

Unknown exception, xrefs: 00FD0692

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: f65bcbc4c885394cf2eb6396a8f97332224b8c233552ce993fef78d61fb09512
Instruction ID: 36285d33cfe3879bed652e2163e5be638c66d7f92c0e407da3e3769c28c03b45
Opcode Fuzzy Hash: f65bcbc4c885394cf2eb6396a8f97332224b8c233552ce993fef78d61fb09512
Instruction Fuzzy Hash: 91F02834C0020E73CB00B664EC4AF5DB76F6E00320F584037B91586691EF34DA29E580

Function 01651A30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01651A75
ExitProcess.KERNEL32(00000000), ref: 01651A94

Strings

D, xrefs: 01651A41

Memory Dump Source

Source File: 00000000.00000002.1856842677.0000000001650000.00000040.00000020.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1650000_ungziped_file.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 9ec10d9bb68332e7bcdb3756cd9d8bc900757a5150bae08cbb91c2426b35d2e1
Instruction ID: d75da851ba5df4bca9b7225c846a909adac3e17384bac26bd4316b58d012d278
Opcode Fuzzy Hash: 9ec10d9bb68332e7bcdb3756cd9d8bc900757a5150bae08cbb91c2426b35d2e1
Instruction Fuzzy Hash: 98F0EC7154024DABDB60EFE4CC49FEE777CBF04701F008509BE0A9A184DA7496488B65

Function 01037F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 010382F5
TerminateProcess.KERNEL32(00000000), ref: 010382FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 010384DD

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 09c66d377fe31ea2c45e81f375def1e26df9c2bb9742a29497386dadf31a747b
Instruction ID: 817f4a1561acdb12579ec4a990b89c3ea5d3b59996248d630a1002d7f904accc
Opcode Fuzzy Hash: 09c66d377fe31ea2c45e81f375def1e26df9c2bb9742a29497386dadf31a747b
Instruction Fuzzy Hash: 77126B719083019FD754DF28C484B6ABBE5BFC4314F04899EF9898B252DB35E945CF92

Function 00FB10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FB1BF4
Part of subcall function 00FB1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FB1BFC
Part of subcall function 00FB1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FB1C07
Part of subcall function 00FB1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FB1C12
Part of subcall function 00FB1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FB1C1A
Part of subcall function 00FB1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FB1C22

Part of subcall function 00FB1B4A: RegisterWindowMessageW.USER32(00000004,?,00FB12C4), ref: 00FB1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FB136A
OleInitialize.OLE32 ref: 00FB1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00FF24AB

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 338d7666c51c0ab7757c3a8754af4bf3bf0cd42328aad80279ec371728813aef
Instruction ID: 4acd64185be5f98dd889e5059016266c154f4862c332e709b64d0b742039d089
Opcode Fuzzy Hash: 338d7666c51c0ab7757c3a8754af4bf3bf0cd42328aad80279ec371728813aef
Instruction Fuzzy Hash: 9B71BCB491D200DFC3A4EF7AE9566993AE0BF48344758822AD0CAC7349EB3A4403DF64

Function 00FE86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00FE85CC,?,01078CC8,0000000C), ref: 00FE8704
GetLastError.KERNEL32(?,00FE85CC,?,01078CC8,0000000C), ref: 00FE870E
__dosmaperr.LIBCMT ref: 00FE8739

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 783ab2411e2fd6be9bf16170863f722d3459e235338bf653bd40801df04d6f16
Instruction ID: 2c7a6fad6f749b1421dc1127bc27971ac8479d564b0c0252f2dac04160d4f8ca
Opcode Fuzzy Hash: 783ab2411e2fd6be9bf16170863f722d3459e235338bf653bd40801df04d6f16
Instruction Fuzzy Hash: 70012B33E056E02AD7347236A945B7E774A4B81BF8F390119F81C9B1D3DEA98C82B251

Function 00FC1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00FC17F6

Strings

CALL, xrefs: 00FC17C6

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 06677b6f0364b928c098e4231e646ff01915e49816e22c5533ebe0c31c0cae54
Instruction ID: 39837e2781d8f52cd3dd4ce7cccd64a073c5035d090c8cf5b5e9ae0352dcbd08
Opcode Fuzzy Hash: 06677b6f0364b928c098e4231e646ff01915e49816e22c5533ebe0c31c0cae54
Instruction Fuzzy Hash: B4228E705082029FD714DF14C981F2ABBF2BF86314F18895DF4968B392D736E865DB92

Function 00FB2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00FF2C8C

Part of subcall function 00FB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB3A97,?,?,00FB2E7F,?,?,?,00000000), ref: 00FB3AC2

Part of subcall function 00FB2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FB2DC4

Strings

X, xrefs: 00FF2C5A

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 66d792267aaac53cfe796c0951cc60e0565ba82f09427e3f49dcf5f8e56cbab2
Instruction ID: da95d987334e758308e8e0857df53b78302a6f50d1afca7ae3f94128068d6fe9
Opcode Fuzzy Hash: 66d792267aaac53cfe796c0951cc60e0565ba82f09427e3f49dcf5f8e56cbab2
Instruction Fuzzy Hash: 9B21F071E002489FDB41EF95CC45BEE7BF8AF48310F00801AE545A7281DBB89A899FA1

Function 00FB3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FB3908

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 53c8255c3cb495a6b538bf21962e196a238bf6fe5cda1c71030c2104e82eef42
Instruction ID: 96cd740c46ba613721d9ad0044aa47d78b73189b9a05044113bffe3c521daecb
Opcode Fuzzy Hash: 53c8255c3cb495a6b538bf21962e196a238bf6fe5cda1c71030c2104e82eef42
Instruction Fuzzy Hash: 63317AB19443019FE320DF25D58479ABBE8FB49718F00092EE5DA83240E776AA44DB52

Function 00FB5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00FB949C,?,00008000), ref: 00FB5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00FB949C,?,00008000), ref: 00FF4052

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 77216107de69c47d2aad7fd4208b19c4e0dc284c997318364a37ef0ccba2d13c
Instruction ID: f9a48aec11658ca3d05ec938a25c8743690708e6139096bebab2d1b80cd726fc
Opcode Fuzzy Hash: 77216107de69c47d2aad7fd4208b19c4e0dc284c997318364a37ef0ccba2d13c
Instruction Fuzzy Hash: 92018431645225B6E3304A26CD0EF977F54DF02B70F108200BF9D5A1E0CBB85454DB90

Function 00FBB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00FBBB4E

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: f72cd0a90763d993c7780efc4ae5b11637ea570dbd3bc4c03138ccc839aeb04f
Instruction ID: 8e09f79535057b571f619e21c842a54cb71d5447a6adc6a327705408e153a3ad
Opcode Fuzzy Hash: f72cd0a90763d993c7780efc4ae5b11637ea570dbd3bc4c03138ccc839aeb04f
Instruction Fuzzy Hash: BE32CA31A042099FEB21CF19C894BFEB7B9EF44350F148059E986AB295C7B8ED41DF91

Function 0103709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: de78144f6cf156bfa60024956e859eed7cd27caa3bfe8312c5d4800ede44b281
Instruction ID: a427c485ac939a9b6978b0a64c5c3f108187252b2f0d7df103a25060131cb727
Opcode Fuzzy Hash: de78144f6cf156bfa60024956e859eed7cd27caa3bfe8312c5d4800ede44b281
Instruction Fuzzy Hash: CED16F75A0020AEFCB14DF99C881DEDBBB9FF48310F148159E945AB292DB35AD81CF90

Function 01651AA0 Relevance: 1.7, APIs: 1, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 01651310: GetFileAttributesW.KERNELBASE(?), ref: 0165131B

CreateDirectoryW.KERNELBASE(?,00000000), ref: 01651BFC

Memory Dump Source

Source File: 00000000.00000002.1856842677.0000000001650000.00000040.00000020.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1650000_ungziped_file.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: c9d58ccd84fdbfbfa3eafbdf70cecb12d5b574fafb5878fb508b9ad16032a9a4
Instruction ID: abaa3cd68bbc9d0b91e84c86c65d47a816e2de772a8710f0e6bbb22a2e6cbcff
Opcode Fuzzy Hash: c9d58ccd84fdbfbfa3eafbdf70cecb12d5b574fafb5878fb508b9ad16032a9a4
Instruction Fuzzy Hash: 93519331A1120996EF14EFB0DC54BEF733AEF58300F108568AA09F7280E77A9B45C7A5

Function 00FCFC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00FCFD1F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 6bc0c913df28e98115233ad91a3f9035d65d7afa528a8ca22a2b567085cf6d7c
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: CB310A75A0010A9BC718CF59D581E69F7A2FF49310B6482A9E806CB651D731EEC5EBC0

Function 00FB4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FB4EDD,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4E9C
Part of subcall function 00FB4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FB4EAE
Part of subcall function 00FB4E90: FreeLibrary.KERNEL32(00000000,?,?,00FB4EDD,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4EFD

Part of subcall function 00FB4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FF3CDE,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4E62
Part of subcall function 00FB4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FB4E74
Part of subcall function 00FB4E59: FreeLibrary.KERNEL32(00000000,?,?,00FF3CDE,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4E87

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: eef8c7f1d735b931be025cb49d91ef1cd520b0d8e1c1e7ec2e2cc200d606453f
Instruction ID: f1197d086b067dd8a7a219fa3e6aea813014a579548c5db1c085bebe73029bb2
Opcode Fuzzy Hash: eef8c7f1d735b931be025cb49d91ef1cd520b0d8e1c1e7ec2e2cc200d606453f
Instruction Fuzzy Hash: 2A11C432600205ABDB14BB66DE12BED77A59F40B10F10442DF582AB1D2DE79EA45BF50

Function 00FE8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00FE8440

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 15127d39d69e2b889b8cdde5e7dcec624484c499b6545426ca566077e45a09e8
Instruction ID: 457297c24c14debe1e5dbc9bf67888c4e496f37d6f1d012afd7f960a2db6507a
Opcode Fuzzy Hash: 15127d39d69e2b889b8cdde5e7dcec624484c499b6545426ca566077e45a09e8
Instruction Fuzzy Hash: E811487190410AAFCB15DF59E9409DE7BF4EF48310F104059F808AB352DA31DA12DBA4

Function 00FE5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FE4C7D: RtlAllocateHeap.NTDLL(00000008,00FB1129,00000000,?,00FE2E29,00000001,00000364,?,?,?,00FDF2DE,00FE3863,01081444,?,00FCFDF5,?), ref: 00FE4CBE

_free.LIBCMT ref: 00FE506C

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 2f8bc668e807b379a321d451a00c0a1fb8ec51e418a24d07d612265820cea7a0
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: BB0126726047456BE3218E6A9C85A5AFBEDFB89370F25051DF284832C0EA70A805C6B4

Function 00FDE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: d4799f8d2652ab9252e78d002943ba0ed7cc5d456ab89455dcfed4f29d48fcb4
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: C0F02D32521A1496C7313A6ACC05B5A339E9F52375F18071BF425973D2DB7CE802B9A6

Function 00FB9CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB9CBD

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: f6b24c3fb7873ecfde70f49cbf577a0c6885932a9dd24ac64f2ad8a7305e0600
Instruction ID: 0e3c124a0b0474b8c9eb2c82cca0feb56f7f9300a48bce514180792fcebc44f3
Opcode Fuzzy Hash: f6b24c3fb7873ecfde70f49cbf577a0c6885932a9dd24ac64f2ad8a7305e0600
Instruction Fuzzy Hash: 9AF0F4B36006016ED7149F29CC02FAABB95EB44760F10852AF619CB2D1DB75E4149AA0

Function 00FE4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00FB1129,00000000,?,00FE2E29,00000001,00000364,?,?,?,00FDF2DE,00FE3863,01081444,?,00FCFDF5,?), ref: 00FE4CBE

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 55a6b2d496a5650680c94da0641fac8c51f7a6874b101c520c13630b7a4b3355
Instruction ID: a71da4327185e7545ff85a513fb66a574dd7c81abc2ef147df6958792852d035
Opcode Fuzzy Hash: 55a6b2d496a5650680c94da0641fac8c51f7a6874b101c520c13630b7a4b3355
Instruction Fuzzy Hash: D1F05932A032B067DB205F6B9C05F5A3789BF413B0B38411AB80AE7680CA34F800B2F0

Function 00FE3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,01081444,?,00FCFDF5,?,?,00FBA976,00000010,01081440,00FB13FC,?,00FB13C6,?,00FB1129), ref: 00FE3852

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6b4b52790ec55a5f1e68b3bb77e15c1be7d470a834ea269d91c001c04d472894
Instruction ID: b0f3d810b4ebbea906cab380615ed64d8450a594ce036a6332459f45bc7f8119
Opcode Fuzzy Hash: 6b4b52790ec55a5f1e68b3bb77e15c1be7d470a834ea269d91c001c04d472894
Instruction Fuzzy Hash: C2E0E5339012A467E73126679C0DB9A3749AF827B0F090122BC4593580CB25EF01B2E0

Function 00FB4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4F6D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 1baedd62199d1856567f1a4fb5ac92b8c2af5c3abb35860fa65455906474eb69
Instruction ID: 0040c522b8600feeb0e9167b6cd8951d06f55cf8a0ca4b95aa7e84a11ae02fb0
Opcode Fuzzy Hash: 1baedd62199d1856567f1a4fb5ac92b8c2af5c3abb35860fa65455906474eb69
Instruction Fuzzy Hash: B7F03071505751CFDB349F65D590962B7F4EF14329314897EE1EA83612C731A844EF10

Function 0101CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,00FFEE51,01073630,00000002), ref: 0101CD26

Part of subcall function 0101CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0101CD19,?,?,?), ref: 0101CC59
Part of subcall function 0101CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0101CD19,?,?,?,?,00FFEE51,01073630,00000002), ref: 0101CC6E
Part of subcall function 0101CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0101CD19,?,?,?,?,00FFEE51,01073630,00000002), ref: 0101CC7A

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: a134fd0a67536d95e03fbb851841300da0c7613ab28fc637613e8c8439816f21
Instruction ID: 803d7a6341552f4d8a3db087958e60c93497b09675f657f476e6a78164b3f7e1
Opcode Fuzzy Hash: a134fd0a67536d95e03fbb851841300da0c7613ab28fc637613e8c8439816f21
Instruction Fuzzy Hash: 43E0657A400704EFD7219F4ADA4089ABBF8FF85250710852FE995C2114D375EA14DB60

Function 00FB2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FB2DC4

Part of subcall function 00FB6B57: _wcslen.LIBCMT ref: 00FB6B6A

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 01ba094a58b4bad517a5672440bd9afcaf9fa1279bb7ea914fa0895def6f4f2b
Instruction ID: 74eb3525a45df9afba405ddf22f6e75de80f04af22ec627e5b7426c1b8c34258
Opcode Fuzzy Hash: 01ba094a58b4bad517a5672440bd9afcaf9fa1279bb7ea914fa0895def6f4f2b
Instruction Fuzzy Hash: DEE0CD766011245BC72092599C05FEA77EDDFC8790F044071FD09D7248D968AD808650

Function 00FB2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FB3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FB3908

Part of subcall function 00FBD730: GetInputState.USER32 ref: 00FBD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00FB2B6B

Part of subcall function 00FB30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00FB314E

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 5de3232277e46e6c74508d2ca2732f10fa512fbd53f74e5c7c77b0c69aeac574
Instruction ID: d32cf88fef08981a17ddede301699b7559cb8a7e1d88786637acd3e812c59d70
Opcode Fuzzy Hash: 5de3232277e46e6c74508d2ca2732f10fa512fbd53f74e5c7c77b0c69aeac574
Instruction Fuzzy Hash: 26E0263270820407CA04BA769C524EDB3599FD5351F40153EF1C243153CE3D86465B12

Function 01651310 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0165131B

Memory Dump Source

Source File: 00000000.00000002.1856842677.0000000001650000.00000040.00000020.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1650000_ungziped_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: a013d777a2ebede699bf5cd8857017153b20776125457094e29a7c56ebb03eaf
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: DBE08C31A09208EBDBA0DBA88C24BAD73A8D706320F504A55ED16C3782D6308A42D658

Function 016512E0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 016512EB

Memory Dump Source

Source File: 00000000.00000002.1856842677.0000000001650000.00000040.00000020.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1650000_ungziped_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: b18e8f91ea7b43843fe518b9c8b8bc0b3b4c585eb89f03b6edd1c52967b9b55c
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 13D0A77090520CEBCB50CFB89C04ADE77A8E705361F008754FD15C3281D63199409750

Function 00FF039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00FF0704,?,?,00000000,?,00FF0704,00000000,0000000C), ref: 00FF03B7

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e5a7739800f3358c31eab8966c3c27af218d3e20f3266ec135ed848f63bf5c0f
Instruction ID: be86c52b115530e6335bf60115650b5bac3866bc8edfe67ccb29003750b09e4d
Opcode Fuzzy Hash: e5a7739800f3358c31eab8966c3c27af218d3e20f3266ec135ed848f63bf5c0f
Instruction Fuzzy Hash: CDD06C3204010DBBDF128E84DE46EDA3BAAFB48714F014000BE5856020C736E821AB90

Function 00FB1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00FB1CBC

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 793c338a1396127c276ee940f99be6d58a528001c9b7890417b9dda3d2bd9aa3
Instruction ID: e3aa617f0a668cb88f703380e477c1dc95acb5cd09c013c59e36674bb0f8bdf7
Opcode Fuzzy Hash: 793c338a1396127c276ee940f99be6d58a528001c9b7890417b9dda3d2bd9aa3
Instruction Fuzzy Hash: 3AC04C352842049FF2244680B94AF587755A748B00F048001F6C9555C782B71450D750

Function 0102744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00FB5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00FB949C,?,00008000), ref: 00FB5773

GetLastError.KERNEL32(00000002,00000000), ref: 010276DE

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: a8f81abc14f1f01eb38c38b5a3db12a83d7aa5bb1ca0f35dc1ef9ef28845e767
Instruction ID: 02a22e25750ba6762c3be4904441fa318f474ad262f77de7ff86f5f3d2cdd3cd
Opcode Fuzzy Hash: a8f81abc14f1f01eb38c38b5a3db12a83d7aa5bb1ca0f35dc1ef9ef28845e767
Instruction Fuzzy Hash: 1B81AF302043118FDB25EF29C891BAAB7E1BF98310F08455DF9865B292DB78E945DF92

Function 01652CFC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01652D11

Memory Dump Source

Source File: 00000000.00000002.1856842677.0000000001650000.00000040.00000020.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1650000_ungziped_file.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: d466037665eb1281bb6fd68db5a63019ff73134a7574021480567de775edeeab
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 00E0BF7594010DEFDB00EFB4D9496DE7BB4EF04301F1006A5FD05D7681DB309E548A62

Function 00FB6246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,00FF24E0), ref: 00FB6266

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 52fd0cbd88fcebc596511dbbc47ec308e11a77b15345d1a35ef4efd006131e74
Instruction ID: a0bbada061c3d9dad58385cbf26bcdbd80f5e16c6ae84905b5a4fd3458e5cb8a
Opcode Fuzzy Hash: 52fd0cbd88fcebc596511dbbc47ec308e11a77b15345d1a35ef4efd006131e74
Instruction Fuzzy Hash: 54E09275900B01DFE7354F1AE904452FBE5FEE13613204A2ED4E592660D3B458869F50

Function 01652D00 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01652D11

Memory Dump Source

Source File: 00000000.00000002.1856842677.0000000001650000.00000040.00000020.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1650000_ungziped_file.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 6e82a0a00dc5c57d538810dbf83933ea47170717ce902f40ebeed26229d2eacf
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 94E0E67594010DDFDB00EFB4D94969E7FB4EF04301F100265FD01D2281D6309D508A62

Non-executed Functions

Function 01049576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0104961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0104965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0104969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010496C9
SendMessageW.USER32 ref: 010496F2
GetKeyState.USER32(00000011), ref: 0104978B
GetKeyState.USER32(00000009), ref: 01049798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 010497AE
GetKeyState.USER32(00000010), ref: 010497B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010497E9
SendMessageW.USER32 ref: 01049810
SendMessageW.USER32(?,00001030,?,01047E95), ref: 01049918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0104992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 01049941
SetCapture.USER32(?), ref: 0104994A
ClientToScreen.USER32(?,?), ref: 010499AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 010499BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010499D6
ReleaseCapture.USER32 ref: 010499E1
GetCursorPos.USER32(?), ref: 01049A19
ScreenToClient.USER32(?,?), ref: 01049A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 01049A80
SendMessageW.USER32 ref: 01049AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 01049AEB
SendMessageW.USER32 ref: 01049B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 01049B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 01049B4A
GetCursorPos.USER32(?), ref: 01049B68
ScreenToClient.USER32(?,?), ref: 01049B75
GetParent.USER32(?), ref: 01049B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 01049BFA
SendMessageW.USER32 ref: 01049C2B
ClientToScreen.USER32(?,?), ref: 01049C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 01049CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 01049CDE
SendMessageW.USER32 ref: 01049D01
ClientToScreen.USER32(?,?), ref: 01049D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 01049D82

Part of subcall function 00FC9944: GetWindowLongW.USER32(?,000000EB), ref: 00FC9952

GetWindowLongW.USER32(?,000000F0), ref: 01049E05

Strings

F, xrefs: 01049D07
@GUI_DRAGID, xrefs: 0104997D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: b5dbbcdb95600449c970d8211b09fdfb1c28bb95a459cf2c0e972c9abd653109
Instruction ID: 52462a60ca60c2129865e3eb71b27db0d11e55dc59113314d1df29dd816dd05c
Opcode Fuzzy Hash: b5dbbcdb95600449c970d8211b09fdfb1c28bb95a459cf2c0e972c9abd653109
Instruction Fuzzy Hash: F0428BB4208201AFE725CF28C985EABBBE5FF4C318F004669F6D9872A1D735A851CF51

Function 01044873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 010448F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 01044908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 01044927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0104494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0104495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0104497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 010449AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 010449D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 01044A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01044A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01044A7E
IsMenu.USER32(?), ref: 01044A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01044AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01044B20
GetWindowLongW.USER32(?,000000F0), ref: 01044B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 01044BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 01044C82
wsprintfW.USER32 ref: 01044CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01044CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 01044CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01044D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01044D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 01044D5A

Strings

%d/%02d/%02d, xrefs: 01044CA8

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: ce0f801dc1b157ab4208a166e568756ca3301366762cd79055ac425000a7fabf
Instruction ID: 389448c5fe15bfeea23462ebce3e58827f5089a862b873f5b7526c5786c16c0e
Opcode Fuzzy Hash: ce0f801dc1b157ab4208a166e568756ca3301366762cd79055ac425000a7fabf
Instruction Fuzzy Hash: 4812F2B1600214ABFB259F28CD89FAE7BF8EF45310F044169F996DB2D1DB789941CB50

Function 00FCF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00FCF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0100F474
IsIconic.USER32(00000000), ref: 0100F47D
ShowWindow.USER32(00000000,00000009), ref: 0100F48A
SetForegroundWindow.USER32(00000000), ref: 0100F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0100F4AA
GetCurrentThreadId.KERNEL32 ref: 0100F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0100F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0100F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0100F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0100F4DE
SetForegroundWindow.USER32(00000000), ref: 0100F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0100F4F6
keybd_event.USER32(00000012,00000000), ref: 0100F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0100F50B
keybd_event.USER32(00000012,00000000), ref: 0100F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0100F519
keybd_event.USER32(00000012,00000000), ref: 0100F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0100F528
keybd_event.USER32(00000012,00000000), ref: 0100F52D
SetForegroundWindow.USER32(00000000), ref: 0100F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0100F557

Strings

Shell_TrayWnd, xrefs: 0100F46F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: bfea92310dff228cfbca8442b924b244774dd4c1e50b94e43c89620948200999
Instruction ID: 400e3ff5b6c68aab3f786f50adaded5487d2308a038c80fb5d30bec5104101ae
Opcode Fuzzy Hash: bfea92310dff228cfbca8442b924b244774dd4c1e50b94e43c89620948200999
Instruction Fuzzy Hash: 343194B5A41218BBFB316BB54E8AFBF7E6CEB44B50F100055FB40E61C1C7B65940ABA0

Function 01011201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 010116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0101170D
Part of subcall function 010116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0101173A
Part of subcall function 010116C3: GetLastError.KERNEL32 ref: 0101174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 01011286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 010112A8
CloseHandle.KERNEL32(?), ref: 010112B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 010112D1
GetProcessWindowStation.USER32 ref: 010112EA
SetProcessWindowStation.USER32(00000000), ref: 010112F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 01011310

Part of subcall function 010110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010111FC), ref: 010110D4
Part of subcall function 010110BF: CloseHandle.KERNEL32(?,?,010111FC), ref: 010110E9

Strings

winsta0, xrefs: 010112CC
default, xrefs: 0101130B
, xrefs: 0101125A

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: cbe4f1ad1ca22fb38deef184421daa145d2ef8171e00309be41af0d2fb2c8045
Instruction ID: 9be07ae51160f52ffe56f472c6f2b3a6c7347c44f31f897d78a40952f25d318a
Opcode Fuzzy Hash: cbe4f1ad1ca22fb38deef184421daa145d2ef8171e00309be41af0d2fb2c8045
Instruction Fuzzy Hash: 4781B1B1900209AFEF259FA8DD49FEE7FB9EF08700F044069FB90A6154CB399944CB61

Function 01010B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01011114
Part of subcall function 010110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 01011120
Part of subcall function 010110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 0101112F
Part of subcall function 010110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 01011136
Part of subcall function 010110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0101114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01010BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01010C00
GetLengthSid.ADVAPI32(?), ref: 01010C17
GetAce.ADVAPI32(?,00000000,?), ref: 01010C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01010C6D
GetLengthSid.ADVAPI32(?), ref: 01010C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 01010C8C
HeapAlloc.KERNEL32(00000000), ref: 01010C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 01010CB4
CopySid.ADVAPI32(00000000), ref: 01010CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01010CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01010D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 01010D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01010D45
HeapFree.KERNEL32(00000000), ref: 01010D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01010D55
HeapFree.KERNEL32(00000000), ref: 01010D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01010D65
HeapFree.KERNEL32(00000000), ref: 01010D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 01010D78
HeapFree.KERNEL32(00000000), ref: 01010D7F

Part of subcall function 01011193: GetProcessHeap.KERNEL32(00000008,01010BB1,?,00000000,?,01010BB1,?), ref: 010111A1
Part of subcall function 01011193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01010BB1,?), ref: 010111A8
Part of subcall function 01011193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01010BB1,?), ref: 010111B7

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f47b0c6f280f7378acd8333d6dc857d3796eadc9d85797ca065db7080dd0acb7
Instruction ID: b672d2b158bc3b2308c7eb4b17303fe093551d7a7a39254fb6fe9d151e69f773
Opcode Fuzzy Hash: f47b0c6f280f7378acd8333d6dc857d3796eadc9d85797ca065db7080dd0acb7
Instruction Fuzzy Hash: D1718EB590120AABEF20DFA4DD84BEEBBB8BF05300F044155FA94A6188D779A945CB60

Function 0102EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0104CC08), ref: 0102EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0102EB37
GetClipboardData.USER32(0000000D), ref: 0102EB43
CloseClipboard.USER32 ref: 0102EB4F
GlobalLock.KERNEL32(00000000), ref: 0102EB87
CloseClipboard.USER32 ref: 0102EB91
GlobalUnlock.KERNEL32(00000000), ref: 0102EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0102EBC9
GetClipboardData.USER32(00000001), ref: 0102EBD1
GlobalLock.KERNEL32(00000000), ref: 0102EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0102EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0102EC38
GetClipboardData.USER32(0000000F), ref: 0102EC44
GlobalLock.KERNEL32(00000000), ref: 0102EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0102EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0102EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0102ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0102ECF3
CountClipboardFormats.USER32 ref: 0102ED14
CloseClipboard.USER32 ref: 0102ED59

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 7cbf5d20d7217e42b3df862a640e67f4e1a78592563b632d17143f3c9db9f899
Instruction ID: 2983c88d30530794d0a664058de0386636881da3c433a122ed157a82a428fbc9
Opcode Fuzzy Hash: 7cbf5d20d7217e42b3df862a640e67f4e1a78592563b632d17143f3c9db9f899
Instruction Fuzzy Hash: 3961F3782443019FE311EF28CA84F6A7BE4EF84714F18455DF5D687292CB76E905CB62

Function 0102698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 010269BE
FindClose.KERNEL32(00000000), ref: 01026A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01026A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01026A75

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 01026AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 01026ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 01026B32
%02d, xrefs: 01026C00, 01026C0A, 01026C5A, 01026CAA, 01026CFA, 01026D4A
%4d, xrefs: 01026BB1
%4d%02d%02d%02d%02d%02d, xrefs: 01026B6A
%03d, xrefs: 01026DA2

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: cb7e09056166d069f07f547b58569ae07f041c2e958cb39b852030fbbc6fe8e7
Instruction ID: da18783933ad18cacfcaf783b2b986d5206bca76be8508481c3595e20b63bf2e
Opcode Fuzzy Hash: cb7e09056166d069f07f547b58569ae07f041c2e958cb39b852030fbbc6fe8e7
Instruction Fuzzy Hash: 07D162B1508300AFC710EBA5CD92EABB7ECAF88704F44491DF989C7151EB79DA44DB62

Function 01029642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 01029663
GetFileAttributesW.KERNEL32(?), ref: 010296A1
SetFileAttributesW.KERNEL32(?,?), ref: 010296BB
FindNextFileW.KERNEL32(00000000,?), ref: 010296D3
FindClose.KERNEL32(00000000), ref: 010296DE
FindFirstFileW.KERNEL32(*.*,?), ref: 010296FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0102974A
SetCurrentDirectoryW.KERNEL32(01076B7C), ref: 01029768
FindNextFileW.KERNEL32(00000000,00000010), ref: 01029772
FindClose.KERNEL32(00000000), ref: 0102977F
FindClose.KERNEL32(00000000), ref: 0102978F

Strings

*.*, xrefs: 010296F5

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 61701949f08a40e52e0d223639dcb40aad0a0921929d2ce2d39f237b522d2537
Instruction ID: f6e79525d3946f0a811b4043733744778127a5ec2b6cd476c57f454013593269
Opcode Fuzzy Hash: 61701949f08a40e52e0d223639dcb40aad0a0921929d2ce2d39f237b522d2537
Instruction Fuzzy Hash: 643128715016396BFB20AEB9DE4CADE37ECAF09225F00409AF585E2080D735C984CB14

Function 0102979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 010297BE
FindNextFileW.KERNEL32(00000000,?), ref: 01029819
FindClose.KERNEL32(00000000), ref: 01029824
FindFirstFileW.KERNEL32(*.*,?), ref: 01029840
SetCurrentDirectoryW.KERNEL32(?), ref: 01029890
SetCurrentDirectoryW.KERNEL32(01076B7C), ref: 010298AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 010298B8
FindClose.KERNEL32(00000000), ref: 010298C5
FindClose.KERNEL32(00000000), ref: 010298D5

Part of subcall function 0101DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0101DB00

Strings

*.*, xrefs: 0102983B

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: facaafa5869e58cd475a16abcaed1489dac33a9088f3119a86e3e9b9897301fd
Instruction ID: 16f4d1888ad2b8a8f7bcaef28b51fc57bea7c1405021467de1b5e1326830c761
Opcode Fuzzy Hash: facaafa5869e58cd475a16abcaed1489dac33a9088f3119a86e3e9b9897301fd
Instruction Fuzzy Hash: ED312C31501639AFFF24EFB9DD489DE37BCAF05224F18409AE5C4A2190D775D944CB24

Function 01028195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 01028257
SystemTimeToFileTime.KERNEL32(?,?), ref: 01028267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01028273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01028310
SetCurrentDirectoryW.KERNEL32(?), ref: 01028324
SetCurrentDirectoryW.KERNEL32(?), ref: 01028356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0102838C
SetCurrentDirectoryW.KERNEL32(?), ref: 01028395

Strings

*.*, xrefs: 0102839B

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: f1c0ab3f7cbec30c31d1ec0cf4467f8eda3907df8a6dcd1fb8abeb582a131b17
Instruction ID: e4eb3b45567e0e7479ce3fe904b5145174d796d567b715f05283f5a83e08698e
Opcode Fuzzy Hash: f1c0ab3f7cbec30c31d1ec0cf4467f8eda3907df8a6dcd1fb8abeb582a131b17
Instruction Fuzzy Hash: 6D617BB65083159FD710EF64C8849AEB3E8FF89310F04895EF98987251EB39E945CF92

Function 0101D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB3A97,?,?,00FB2E7F,?,?,?,00000000), ref: 00FB3AC2

Part of subcall function 0101E199: GetFileAttributesW.KERNEL32(?,0101CF95), ref: 0101E19A

FindFirstFileW.KERNEL32(?,?), ref: 0101D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0101D1DD
MoveFileW.KERNEL32(?,?), ref: 0101D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0101D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0101D237

Part of subcall function 0101D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0101D21C,?,?), ref: 0101D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0101D253
FindClose.KERNEL32(00000000), ref: 0101D264

Strings

\*.*, xrefs: 0101D0CD, 0101D0D6, 0101D0EB

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 8e24412ce0a2f5d84b173880d0b17d5142361e01aeec7af3dbe0965799388ae8
Instruction ID: b709127d25255e65580f4e451d8a45eae9aeca14505fd7950514486d2768a65e
Opcode Fuzzy Hash: 8e24412ce0a2f5d84b173880d0b17d5142361e01aeec7af3dbe0965799388ae8
Instruction Fuzzy Hash: 5C61BC3180510DABDF05EBE5CE969EDBBB5AF21300F6440A5E48273195EB39AF09DF60

Function 0102ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0102ED91
EmptyClipboard.USER32 ref: 0102ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0102EDAC
CloseClipboard.USER32 ref: 0102EEA3

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 170e9ce573434552f090110c0607145c518a600fa1799902c794a4a36d2c2b0b
Instruction ID: ce5bb36b5124c816e440c5e406bcbb5f1c93ec6c5e3dd1b7b1706bccbec7ae8e
Opcode Fuzzy Hash: 170e9ce573434552f090110c0607145c518a600fa1799902c794a4a36d2c2b0b
Instruction Fuzzy Hash: C141B1752056219FE720DF19D588B19BBE5FF44318F04C099E49A8B762C77AFC41CB90

Function 0101E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 010116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0101170D
Part of subcall function 010116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0101173A
Part of subcall function 010116C3: GetLastError.KERNEL32 ref: 0101174A

ExitWindowsEx.USER32(?,00000000), ref: 0101E932

Strings

, xrefs: 0101E95C
, xrefs: 0101E920
@, xrefs: 0101E925
SeShutdownPrivilege, xrefs: 0101E902

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 082a78e72ede3c779087bf741de895e0704d24cc2117d50e89bdf8e358dbec02
Instruction ID: 8d7965e5fab195ea5c8befd5c48e50b912f173b2dc4d811c172e58e3a0e0dcfe
Opcode Fuzzy Hash: 082a78e72ede3c779087bf741de895e0704d24cc2117d50e89bdf8e358dbec02
Instruction Fuzzy Hash: 80014972A10311ABFB6622B8DD85FFF729DAB18740F040822FDC3E20C5D5AE5C4082A4

Function 01031204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 01031276
WSAGetLastError.WSOCK32 ref: 01031283
bind.WSOCK32(00000000,?,00000010), ref: 010312BA
WSAGetLastError.WSOCK32 ref: 010312C5
closesocket.WSOCK32(00000000), ref: 010312F4
listen.WSOCK32(00000000,00000005), ref: 01031303
WSAGetLastError.WSOCK32 ref: 0103130D
closesocket.WSOCK32(00000000), ref: 0103133C

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 27eb58b121116f5bcf0cdb7cdc06c5a6a1bf6644f6b5e0a9ac528cdaba4efdb0
Instruction ID: 57681a1459f29723688fd94c92e32a3af677d52dc03ece6867e1f1d76badd4a0
Opcode Fuzzy Hash: 27eb58b121116f5bcf0cdb7cdc06c5a6a1bf6644f6b5e0a9ac528cdaba4efdb0
Instruction Fuzzy Hash: B94174756001009FE720DF68C584B69BBE9AF8A314F1881D8D9969F296C775EC81CBE1

Function 0101D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB3A97,?,?,00FB2E7F,?,?,?,00000000), ref: 00FB3AC2

Part of subcall function 0101E199: GetFileAttributesW.KERNEL32(?,0101CF95), ref: 0101E19A

FindFirstFileW.KERNEL32(?,?), ref: 0101D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0101D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0101D481
FindClose.KERNEL32(00000000), ref: 0101D498
FindClose.KERNEL32(00000000), ref: 0101D4A1

Strings

\*.*, xrefs: 0101D3F2

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 197dddd29e7a60e36e5f0430b5ed17c4875173953ea73d5e36a712df7620f7d4
Instruction ID: 14245ac66da7f797f750bd2509420cd7a553ce117dd0b7a06f7514006e16265b
Opcode Fuzzy Hash: 197dddd29e7a60e36e5f0430b5ed17c4875173953ea73d5e36a712df7620f7d4
Instruction Fuzzy Hash: D631CE71048341ABC301EFA5CD958EFB7E8BE91200F844A1DF4D583191EF28EA09DB63

Function 00FEE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00FEE645

Strings

1#SNAN, xrefs: 00FEF844
1#IND, xrefs: 00FEF83D
1#INF, xrefs: 00FEF852
1#QNAN, xrefs: 00FEF84B

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: fb2fba032dcd31ed223f15a0b151ce5829953f7eb94ff37bcfede494ad11d160
Instruction ID: 0c572fc91ca07f5a8f9a6e7029b674f6ba382b50af06c05b4823156c002fa39e
Opcode Fuzzy Hash: fb2fba032dcd31ed223f15a0b151ce5829953f7eb94ff37bcfede494ad11d160
Instruction Fuzzy Hash: 86C26D72E046688FDB25CF29DD407EAB7B5EB88314F1441EAD44DE7240E778AE859F40

Function 0102648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 010264DC
CoInitialize.OLE32(00000000), ref: 01026639
CoCreateInstance.OLE32(0104FCF8,00000000,00000001,0104FB68,?), ref: 01026650
CoUninitialize.OLE32 ref: 010268D4

Strings

.lnk, xrefs: 010264BA, 01026524, 010265E0

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: eb29866bcc9a8fc35cd24ecb4486e9e6c6e36ffd44cc0d329e0bf4b90b406d3a
Instruction ID: 2bad5379ee06c184e10ff9ef8fd3686820bfe3d40367ede82c37e577ecd184ad
Opcode Fuzzy Hash: eb29866bcc9a8fc35cd24ecb4486e9e6c6e36ffd44cc0d329e0bf4b90b406d3a
Instruction Fuzzy Hash: 15D16A71508311AFD314EF25C881EABBBE8FF98304F10496DF5958B291EB75E905CBA2

Function 01029B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 01029B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 01029C8B

Part of subcall function 01023874: GetInputState.USER32 ref: 010238CB
Part of subcall function 01023874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01023966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 01029BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 01029C75

Strings

*.*, xrefs: 01029B5D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 3319fc83f9dc685b54c5b9347569f5c07a6d8e471e12a43d9df665673f12de06
Instruction ID: 2e0369adc3cd862838fcfbba907f2a928e8eba06d2ecb68b97ce7eefe433a004
Opcode Fuzzy Hash: 3319fc83f9dc685b54c5b9347569f5c07a6d8e471e12a43d9df665673f12de06
Instruction Fuzzy Hash: A241D27190022EAFEF51DF64C985AEE7BF8FF05304F24409AE945A3191EB309A84CF60

Function 00FC997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00FC9A4E
GetSysColor.USER32(0000000F), ref: 00FC9B23
SetBkColor.GDI32(?,00000000), ref: 00FC9B36

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 9e855eff11f10b20e127b6ecfc0c963a333850f41ddba7926ea039accc6403f5
Instruction ID: 0cfb2d5f68cc08db747fd0a5292e42f8b513c8d5c661b6a3bff64fba80273d71
Opcode Fuzzy Hash: 9e855eff11f10b20e127b6ecfc0c963a333850f41ddba7926ea039accc6403f5
Instruction Fuzzy Hash: 4CA107B150C046BEF7299A2C8E8EFBF399DEB46350F14015DF1C2965C5CAAD9D01E271

Function 01031806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0103304E: inet_addr.WSOCK32(?), ref: 0103307A
Part of subcall function 0103304E: _wcslen.LIBCMT ref: 0103309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0103185D
WSAGetLastError.WSOCK32 ref: 01031884
bind.WSOCK32(00000000,?,00000010), ref: 010318DB
WSAGetLastError.WSOCK32 ref: 010318E6
closesocket.WSOCK32(00000000), ref: 01031915

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 35c5c0fb6b9b2b90555d0a2b5382b6d52aa15aea56f89d1f22e7a7a42f251ca8
Instruction ID: f054d06d3f756f28639abf46a1af8cda090f1646102056bd7710bc1b5656295b
Opcode Fuzzy Hash: 35c5c0fb6b9b2b90555d0a2b5382b6d52aa15aea56f89d1f22e7a7a42f251ca8
Instruction Fuzzy Hash: 46519875A002109FE710EF24C986F6A77E59B88718F08849CF9455F3C7C779AD418BE1

Function 0102CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0102C21E,00000000), ref: 0102CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0102CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0102C21E,00000000), ref: 0102CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0102C21E,00000000), ref: 0102CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0102C21E,00000000), ref: 0102CFF2

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: dd19e64a43093ec2b1d6efe51dd133fbcb1b969676ea31a6f61e22a5741e1969
Instruction ID: 528852196e3a52e0fe373598d6067e7251f1d6426e0185d71739df9c492270ec
Opcode Fuzzy Hash: dd19e64a43093ec2b1d6efe51dd133fbcb1b969676ea31a6f61e22a5741e1969
Instruction Fuzzy Hash: 43318EB1500615EFFBA0DFA9CA84EAFBBF8EF04350B10446EF596D2141DB34AA45DB60

Function 01041C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 01041CC0
IsWindowEnabled.USER32 ref: 01041CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 01041CDB
IsIconic.USER32 ref: 01041CE9
IsZoomed.USER32 ref: 01041CF7

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 18b75485c7a56137b7b90ed25d2c72ab5927d67e7a5db5f12b6348ef3fb4b3ae
Instruction ID: 0c7f8554864299479850b9bf938ef867280de0b4adb41c56585d8f515e09e4a0
Opcode Fuzzy Hash: 18b75485c7a56137b7b90ed25d2c72ab5927d67e7a5db5f12b6348ef3fb4b3ae
Instruction Fuzzy Hash: E321D6B17012055FE7209F1AD9C4B6A7BE5EF89315F1880B8E8C98B341C776F882CB94

Function 00FB8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00FF5DF0
VUUU, xrefs: 00FB83E8
VUUU, xrefs: 00FB83FA
ERCP, xrefs: 00FB813C
VUUU, xrefs: 00FB843C

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: d270e174050309dc2360b6d72472cfd92d785ffcbe21d7b453c724c2363f4cbe
Instruction ID: 299b0f01062941b78e92fea72956a549a9f060c9ec9ff328a09c7ac26a27de93
Opcode Fuzzy Hash: d270e174050309dc2360b6d72472cfd92d785ffcbe21d7b453c724c2363f4cbe
Instruction Fuzzy Hash: A8A27B71E0021ACBDF24CF59C8407FDB7B5AF94764F2481AADA15A7294DB309D82EF90

Function 0103A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0103A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0103A6BA

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0103A79C
CloseHandle.KERNEL32(00000000), ref: 0103A7AB

Part of subcall function 00FCCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00FF3303,?), ref: 00FCCE8A

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 8c7f1fee56d5f7a23b8c02917c7ce5b1240584e58dd218d85f412650bf37aac6
Instruction ID: 9591fdd5f8f13ee471d2af6c822303403547c6e0d7c174fd7e7d6bf6b83ab9ef
Opcode Fuzzy Hash: 8c7f1fee56d5f7a23b8c02917c7ce5b1240584e58dd218d85f412650bf37aac6
Instruction Fuzzy Hash: 2F5169B1508301AFD710EF25CD86AABBBE8FF89714F00891DF58597251EB39D904DB92

Function 0101AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0101ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0101AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0101AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0101ACC6

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2f30d33ffb5f2dcd955031d2cf66efbbd1f3fdb4063a9e962ac19c98474737ea
Instruction ID: 1287e0e7cdc60f8d93d43670a2d9a3fb39d2edfab8ab083887bcf755f3a50fc7
Opcode Fuzzy Hash: 2f30d33ffb5f2dcd955031d2cf66efbbd1f3fdb4063a9e962ac19c98474737ea
Instruction Fuzzy Hash: 1D311470B0129CEFFF358A6988147FE7AE5AB89320F04425AE4C5932D9D37D85858791

Function 00FEBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FEBB7F

Part of subcall function 00FE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000), ref: 00FE29DE
Part of subcall function 00FE29C8: GetLastError.KERNEL32(00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000,00000000), ref: 00FE29F0

GetTimeZoneInformation.KERNEL32 ref: 00FEBB91
WideCharToMultiByte.KERNEL32(00000000,?,0108121C,000000FF,?,0000003F,?,?), ref: 00FEBC09
WideCharToMultiByte.KERNEL32(00000000,?,01081270,000000FF,?,0000003F,?,?,?,0108121C,000000FF,?,0000003F,?,?), ref: 00FEBC36

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 71ca21a603c42bc940fd43b5eed74ab34d5847a3f785a8e994bf9bd509b7c5ee
Instruction ID: 3aa04fe6f5a930c4b223f9f19fd3a21f93bfa5d89213eaae68d4aff2dd6efe41
Opcode Fuzzy Hash: 71ca21a603c42bc940fd43b5eed74ab34d5847a3f785a8e994bf9bd509b7c5ee
Instruction Fuzzy Hash: FD31A5B1D08285DFCB21DF6ADC8156EBBB8FF45320714425AE0D0D72A5D7359D11EB50

Function 0101DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00FF5222), ref: 0101DBCE
GetFileAttributesW.KERNEL32(?), ref: 0101DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0101DBEE
FindClose.KERNEL32(00000000), ref: 0101DBFA

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: df650e0f555a96af76f05aba5ffacf151418927b0df3577da346f669a1e525d8
Instruction ID: 4750fe9ef2a02a01df119dff16373beb5f5f390ab9f715962a9852cad36d92ac
Opcode Fuzzy Hash: df650e0f555a96af76f05aba5ffacf151418927b0df3577da346f669a1e525d8
Instruction Fuzzy Hash: 9FF0EC7441191597A3306BBC9F4D4AA37AC9F01334B104B42F5F5C10E4EBF9595487D5

Function 01018298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 010182AA

Strings

|, xrefs: 010182DA
(, xrefs: 010182F0

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 3ed23932c38680eef5258e7a69739770fc5501c03a2eefc68e2555365d09c8d2
Instruction ID: 8867a19adc1518d5011fb31ad30748ee444769a254c286ee101210e22c423ba1
Opcode Fuzzy Hash: 3ed23932c38680eef5258e7a69739770fc5501c03a2eefc68e2555365d09c8d2
Instruction Fuzzy Hash: 6B323674A007059FDB28CF59C481A6AB7F0FF48310B15C5AEE99ADB3A5E774EA41CB40

Function 01025C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01025CC1
FindNextFileW.KERNEL32(00000000,?), ref: 01025D17
FindClose.KERNEL32(?), ref: 01025D5F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 4d9571c1485a124725619f303aaf34afde59890f51d49232b80a1b64d2656ba6
Instruction ID: cdd90ca96e01d2c00d38ca6e0499fe8a019ce1ea9896f9b2b481df7545bc4c6f
Opcode Fuzzy Hash: 4d9571c1485a124725619f303aaf34afde59890f51d49232b80a1b64d2656ba6
Instruction Fuzzy Hash: A551BB746046019FD324DF28C894E9AB7E4FF49314F14859EEA9A8B3A2CB34E905CF91

Function 00FE2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00FE271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FE2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00FE2731

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ff05fe2eee98c580520ca5c81a6a0c0f2b12e6da27534f7527f36860ec4b8832
Instruction ID: 1a4fc8bb68a32aa02cbc7686de97eabf21585f41107b70d6d36397afb3446d33
Opcode Fuzzy Hash: ff05fe2eee98c580520ca5c81a6a0c0f2b12e6da27534f7527f36860ec4b8832
Instruction Fuzzy Hash: 0331D57490121CABCB61DF64DD8879CB7B8AF08310F5041EAE40CA7260EB349F819F44

Function 010251CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 010251DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 01025238
SetErrorMode.KERNEL32(00000000), ref: 010252A1

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0afb903a804c613a31441ce3e2c42c3a1b962efd3d344149b9d4493aca5c2108
Instruction ID: 2a75db941b01b77ba401c4b69913703db0f4ab7728d99f79186b314c15157ff4
Opcode Fuzzy Hash: 0afb903a804c613a31441ce3e2c42c3a1b962efd3d344149b9d4493aca5c2108
Instruction Fuzzy Hash: 5B314B75A001189FDB00DF54D884EEDBBB4FF49314F188099E945AB396DB36E859CBA0

Function 010116C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00FCFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FD0668
Part of subcall function 00FCFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FD0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0101170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0101173A
GetLastError.KERNEL32 ref: 0101174A

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 1beafbe266f84083c66b72738c1949b74a1e8ce56a90d84393d4b1d873b46d2a
Instruction ID: 526310bb1d220b47d85e8ef2e27f37c50b88315f78f1109e87de01fd4f21ecaf
Opcode Fuzzy Hash: 1beafbe266f84083c66b72738c1949b74a1e8ce56a90d84393d4b1d873b46d2a
Instruction Fuzzy Hash: C311CEB2400305AFE7289F64EDC6E6ABBF9FB04714B20852EF59653245EB75BC418B20

Function 0101D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0101D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0101D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0101D650

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 1aa9634148c7c479825d483d9c85ba6f73a0733b66ab23008dc67b78f3011171
Instruction ID: 25adda8ae497e67ec2e4928290c3d9c53c4b70ec750698f318fa4540bb530ae2
Opcode Fuzzy Hash: 1aa9634148c7c479825d483d9c85ba6f73a0733b66ab23008dc67b78f3011171
Instruction Fuzzy Hash: 0D11A5B5E01228BFEB208F98DD48FAFBFBCEB49B50F104151F904E7284C2745A018BA1

Function 01011663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0101168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 010116A1
FreeSid.ADVAPI32(?), ref: 010116B1

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 649478a36e4aaf523900ecf54748ffd342b82e48950f9940c035adf34c883927
Instruction ID: b0faec7228f12f0484c3ec79d49745ca66106dca07cbc4d0d1802485f5e4d5c4
Opcode Fuzzy Hash: 649478a36e4aaf523900ecf54748ffd342b82e48950f9940c035adf34c883927
Instruction Fuzzy Hash: C8F06D7594130CBBEF00CFE4CA89EAEBBBCFB08200F004860F500E2180D335AA048B50

Function 00FD4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00FE28E9,?,00FD4CBE,00FE28E9,010788B8,0000000C,00FD4E15,00FE28E9,00000002,00000000,?,00FE28E9), ref: 00FD4D09
TerminateProcess.KERNEL32(00000000,?,00FD4CBE,00FE28E9,010788B8,0000000C,00FD4E15,00FE28E9,00000002,00000000,?,00FE28E9), ref: 00FD4D10
ExitProcess.KERNEL32 ref: 00FD4D22

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f691986d55b6cec82ea160ccf03058a3f0f835667d2d1bd8010292e9d01e3f6d
Instruction ID: 3d989a3454ff7be35789f0a0da5303f7ee374aa34a756082bf43ad076c5dd96c
Opcode Fuzzy Hash: f691986d55b6cec82ea160ccf03058a3f0f835667d2d1bd8010292e9d01e3f6d
Instruction Fuzzy Hash: 99E0BF75401148ABDF216F54DF49A583B6BEB41752B184015FC458B226CB3AEE41DF40

Function 0100D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0100D28C

Strings

X64, xrefs: 0100D2A8

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 7731a3ba950923721242b8eb4d7f405427b360f9639760b31bc6fcb86185c3d3
Instruction ID: f0dd8843a02c8b805f4e0db9ebd637f4b98bb49a1bacb47f41cbfb9c01a90267
Opcode Fuzzy Hash: 7731a3ba950923721242b8eb4d7f405427b360f9639760b31bc6fcb86185c3d3
Instruction Fuzzy Hash: A4D0C9B580211DEBDB90CA90D9C8EDDB37CBB14315F000155F146A2040D73495488F20

Function 00FDCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 0ec09bfbf72540a9a835a91fdbcc500dca4054007af314270c8d849a4306da2f
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: F1021E71E0011A9BDF14CFA9C9806ADFBF2FF48324F29426AD919E7384D731A941DB94

Function 010268EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01026918
FindClose.KERNEL32(00000000), ref: 01026961

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 40a7716a254376e3936945a83ce23cc503ea04fe5927219d6bd2df71e65a0e8c
Instruction ID: 8ac45eb550a19c07d12bb6cb7a2ca200bbb13d6b0dccc26fc99f7487b9113a2e
Opcode Fuzzy Hash: 40a7716a254376e3936945a83ce23cc503ea04fe5927219d6bd2df71e65a0e8c
Instruction Fuzzy Hash: 4F11D3756042109FD710DF2AC484A56BBE4FF85328F04C699F9A98F2A2CB35EC05CB90

Function 010237B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,01034891,?,?,00000035,?), ref: 010237E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,01034891,?,?,00000035,?), ref: 010237F4

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5d484545c30f3696cb7447cd43ab857254fcbab952663134115d582b6dc969cc
Instruction ID: c4a1cf5b9420bf9a918e24786cd695d1065fddfbeb122f205aab211972864b81
Opcode Fuzzy Hash: 5d484545c30f3696cb7447cd43ab857254fcbab952663134115d582b6dc969cc
Instruction Fuzzy Hash: 47F0ECB46052296BEB3016664D4DFEB3A9DFFC4761F000165F509D2185D5645904C7B0

Function 0101B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0101B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0101B270

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: dae189ebb16458f75a4f2225401deae46132971060294723a1e3d19c5de79267
Instruction ID: 55a05f3a71d5ecbbf4bb9aa5805449efb8ca92322e46e6b44d37b649ea165e0e
Opcode Fuzzy Hash: dae189ebb16458f75a4f2225401deae46132971060294723a1e3d19c5de79267
Instruction Fuzzy Hash: 56F06D7480424DABEB158FA0C805BEE7FB0FF04305F008009F991A5195C37D82058F94

Function 010110BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010111FC), ref: 010110D4
CloseHandle.KERNEL32(?,?,010111FC), ref: 010110E9

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e357af3544b82aa0f639df9dad2b968c381a4974d2bcdbcac423e963ea5e169d
Instruction ID: 01fa13f55269a1594a00b28faeed41018438937d756e13779c0d37ea07b08d75
Opcode Fuzzy Hash: e357af3544b82aa0f639df9dad2b968c381a4974d2bcdbcac423e963ea5e169d
Instruction Fuzzy Hash: 52E04F72005611AFF7352B21FE06F73BBE9EB04310B10882DF5A6804B5DB666C90EB10

Function 00FBCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 01000C40

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: f8dcf75590e1671371470a676a852bb9aa00eb52d566a03d83460b1c4f308d23
Instruction ID: 4e0cd668a339c98a4cf83ffebccfbb2c18efa8f522dc1b0f9279c97dde1748cd
Opcode Fuzzy Hash: f8dcf75590e1671371470a676a852bb9aa00eb52d566a03d83460b1c4f308d23
Instruction Fuzzy Hash: BE32BF74900208DBDF15DF95C881BFEBBB5BF04344F1080A9E846AB286CB75AD45EFA0

Function 00FE676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00FE6766,?,?,00000008,?,?,00FEFEFE,00000000), ref: 00FE6998

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1184fe288ff2e6785ed18563fe0dae6b52c7545844f449d0520eafadcd9d03ad
Instruction ID: eae6ccfec06b48326eb75b1f31153e7824eebca2cf1b2b88d8a77087b52af0ad
Opcode Fuzzy Hash: 1184fe288ff2e6785ed18563fe0dae6b52c7545844f449d0520eafadcd9d03ad
Instruction Fuzzy Hash: F0B17D32A10648CFD715CF29C48AB647BE0FF153A4F258658E8D9CF2A2C335EA81DB40

Function 00FCB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0100851F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e71effcd8ba3a6a3f436c07dc32c8579ac99806d616c431d43f7a95ab4097c91
Instruction ID: 6bc4af39848ff12b81c46f21bd9cc5dede982e8ef4ee20e87b73372b62f28ae7
Opcode Fuzzy Hash: e71effcd8ba3a6a3f436c07dc32c8579ac99806d616c431d43f7a95ab4097c91
Instruction Fuzzy Hash: 27128E75D0022ADBDB15CF58C981BEEB7F5FF48310F1081AAE849EB295D7349A81DB90

Function 0102EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0102EABD

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 31dc09bb97396c2d21b6a6881b4cd506713f229b9efd343011509277378b20ea
Instruction ID: 82979a56aefc2179cce6dde32deba2460c98714eda9790722853cbcbb960c44b
Opcode Fuzzy Hash: 31dc09bb97396c2d21b6a6881b4cd506713f229b9efd343011509277378b20ea
Instruction Fuzzy Hash: D3E04F352002149FD710EF5AD844E9AF7EDAF98764F00845AFC8AC7351DBB4F8408BA1

Function 0101E355 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 0101E37E

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 27eb5ba48e83bb9c2a83add63fac3213c06026b2115b4995709e6a21abf316e2
Instruction ID: 76cf4470b07f809d6ca9cc0efc76cdf218603079584217e542a97fe3fd53baa5
Opcode Fuzzy Hash: 27eb5ba48e83bb9c2a83add63fac3213c06026b2115b4995709e6a21abf316e2
Instruction Fuzzy Hash: 60D05BF69502013DF67F093CCA3FF7E3948E301540F40D789B9C18558DD58D95445011

Function 00FD09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00FD03EE), ref: 00FD09DA

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e30b468dcd370fb597ce4eb0c9c979bb3df543af61a6ac2bee5615c2933c59bc
Instruction ID: 29bc029ac08ff65445c1443ec37554059e21f33ccab96ce3ad1c12cf16d18755
Opcode Fuzzy Hash: e30b468dcd370fb597ce4eb0c9c979bb3df543af61a6ac2bee5615c2933c59bc
Instruction Fuzzy Hash:

Function 00FD781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00FD798B

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 0bcec54859ad7e679b65416c172dfa5ec6e14ed46baba19462af35d8c1db25fc
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: BB512572E0C7455ADB387568886A7BE73979B02360F2C050BD886DF382F619DE06F356

Function 00FE6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58340813ae995f8a32acd47bbeb83919726482b623e3881532716577c3c5885
Instruction ID: 84d44c8f69f79af992799ea23862d20a89d282e4049f3d1d8703eb6541053119
Opcode Fuzzy Hash: d58340813ae995f8a32acd47bbeb83919726482b623e3881532716577c3c5885
Instruction Fuzzy Hash: 54325732D29F818DD733A535D8223366249AFB73D5F25C737F81AB5999EB2AC4835200

Function 00FCCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad410da5bd3bebb3234123215b208b11da836efd24136b42fd274ebdc860aaab
Instruction ID: c4fd43e1b6d05baba6e642a8de4521efb0ef5f332cb99a5371ba0aea5db6d792
Opcode Fuzzy Hash: ad410da5bd3bebb3234123215b208b11da836efd24136b42fd274ebdc860aaab
Instruction Fuzzy Hash: 7A32F731A001868BFF26CE2CC695BBD7BE1EB45314F1882EAD6C9DB2D1D6349D81E741

Function 00FB7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5736ef248f9112dc44fba8357d7591b943ae6fc0bd4dac6922e8cc51be762374
Instruction ID: df34b0cdba744a7d7980f9d2c8b78e4afcc2f3e3c0daebb4dc7293aed475540e
Opcode Fuzzy Hash: 5736ef248f9112dc44fba8357d7591b943ae6fc0bd4dac6922e8cc51be762374
Instruction Fuzzy Hash: 7622C171E0460A9FDF14DF65C881BEEB3B6FF44710F148129E912AB2A1EB399914EF50

Function 00FB91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd2b492542a524644d91441709be5ad66c0a7898d3bb4a9abf4ba5c16605b67
Instruction ID: 77d9a11414bd6c51d7a4c9e15a8aac8d9bbe17563f6b274e49b822eb791f04cd
Opcode Fuzzy Hash: 4fd2b492542a524644d91441709be5ad66c0a7898d3bb4a9abf4ba5c16605b67
Instruction Fuzzy Hash: 3002E6B1E0020AEBDB14DF54D881BADB7B5FF44300F108169E9069B3A0EB35AE14EF91

Function 00FE9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23fc04bdfdf04037809f78004f8876fb01129860b7ad7afff9a00b8affd420b
Instruction ID: dd070c1c981e252c5383d5eaf9418582bad1fd3ec475cee9c72a62292b6abacb
Opcode Fuzzy Hash: f23fc04bdfdf04037809f78004f8876fb01129860b7ad7afff9a00b8affd420b
Instruction Fuzzy Hash: 50B1DD30E2AF404DD72396398821337B65CBFBB6D5B91D71BFC6678E16EB2685834240

Function 00FD1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: de327eba4b9be7bbf82fb6790c97d8beb057792f55ff090eed8c67f93381cb6f
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: DA915873A080A359DB294639857417EFFE36A923B131E079FD4F2CB2C5EE149554F620

Function 00FD19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 5ade836d50f2ba1a2e2700176c81c1f7ff226f23d3ed3932f0be03e06c472548
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 6D9143736090A35ADB2D427A857407EFFE26A923B131E079FD4F2CA2C5FD249564F620

Function 00FD7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a0e8338f4ae30d394ae593967e9a9e0a899335f3f4358955dadde2426327ec
Instruction ID: 0044475403c1d031b7f600f15e44cabb12c3c20a0073e958e124c2a47b8735d7
Opcode Fuzzy Hash: 27a0e8338f4ae30d394ae593967e9a9e0a899335f3f4358955dadde2426327ec
Instruction Fuzzy Hash: 18617932A0870956DA34BA288C96BBE3397DF81760F1C091BE843DF395F6199E43B355

Function 00FD7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6881065cb1fca9e28be1ecf94750afcc7befb2ccbb9d147fc015b3291199af01
Instruction ID: 5d0f5e1b21c5b005b7c5d6aa0435673f2387f18bca79bd88d46a8749373196d3
Opcode Fuzzy Hash: 6881065cb1fca9e28be1ecf94750afcc7befb2ccbb9d147fc015b3291199af01
Instruction Fuzzy Hash: 71617932E0870956DA387A288C52BBF73979F42764F1C095BE843DF381FA16ED42B255

Function 00FD1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: b8c7e90210c7dae8e70810bc4190ebfa1ec5295057d372db13c03a4ad69e6ed5
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 7A815673A090A319EB698279853443EFFE37A923B131E079FD4F2CA2D1ED248554F620

Function 01654050 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856842677.0000000001650000.00000040.00000020.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1650000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 7c3ca339bb25508246c8cf111472f64a2129676b85dd17a22220db769cc1b824
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: A441D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 01022046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008bf39707338cc9d983f86ebc8232bde26f408400f51856fa11cfb2ac2a7b53
Instruction ID: ece4be69f79a78f07b7dc9b32499637644add3f7ba539005fa8f4667404510ca
Opcode Fuzzy Hash: 008bf39707338cc9d983f86ebc8232bde26f408400f51856fa11cfb2ac2a7b53
Instruction Fuzzy Hash: 4421B7326206118BD728CEB9C86267E73E5A754314F25866EE4E7C77C5DE3AA904CB80

Function 01653EE0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856842677.0000000001650000.00000040.00000020.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1650000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: ffe6f95a166b11c953be94cf789bdafecab5d44d1cb8ae45bc61f968bb950b0d
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 39019278A01109EFCB84DF98C9909AEF7B5FB48750F608599EC09A7341D730AE41DB80

Function 01653F40 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856842677.0000000001650000.00000040.00000020.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1650000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 360a8f6fa39396c5eceb20c2f957200082b930a2ec036695b4da8080fc6960b6
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: E3019279A01109EFCB84DF98C5909AEF7B5FB48750F208699ED09A7341D730AE41DB80

Function 016528D0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856842677.0000000001650000.00000040.00000020.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1650000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 01032ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01032B30
DeleteObject.GDI32(00000000), ref: 01032B43
DestroyWindow.USER32 ref: 01032B52
GetDesktopWindow.USER32 ref: 01032B6D
GetWindowRect.USER32(00000000), ref: 01032B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 01032CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 01032CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032CF8
GetClientRect.USER32(00000000,?), ref: 01032D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01032D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032D80
GlobalLock.KERNEL32(00000000), ref: 01032D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032D98
GlobalUnlock.KERNEL32(00000000), ref: 01032DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032DA8
GlobalFree.KERNEL32(00000000), ref: 01032DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0104FC38,00000000), ref: 01032DDB
GlobalFree.KERNEL32(00000000), ref: 01032DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 01032E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 01032E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01032E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0103303F

Strings

, xrefs: 01032FC5
static, xrefs: 01032D3A, 01032E91
DISPLAY, xrefs: 01032EA2
AutoIt v3, xrefs: 01032CF2

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: aefec44401f60c49a5288460d31846f3012a051cabca043dd429e7b944057986
Instruction ID: b5d479a259b64884447a2c3a9223abab54f08cd9c661ff2c3e86b238aedc940a
Opcode Fuzzy Hash: aefec44401f60c49a5288460d31846f3012a051cabca043dd429e7b944057986
Instruction Fuzzy Hash: C6027EB5500204AFEB24DFA5CE89EAE7BB9FF49310F048158F955AB294C779AD01CF60

Function 010470D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0104712F
GetSysColorBrush.USER32(0000000F), ref: 01047160
GetSysColor.USER32(0000000F), ref: 0104716C
SetBkColor.GDI32(?,000000FF), ref: 01047186
SelectObject.GDI32(?,?), ref: 01047195
InflateRect.USER32(?,000000FF,000000FF), ref: 010471C0
GetSysColor.USER32(00000010), ref: 010471C8
CreateSolidBrush.GDI32(00000000), ref: 010471CF
FrameRect.USER32(?,?,00000000), ref: 010471DE
DeleteObject.GDI32(00000000), ref: 010471E5
InflateRect.USER32(?,000000FE,000000FE), ref: 01047230
FillRect.USER32(?,?,?), ref: 01047262
GetWindowLongW.USER32(?,000000F0), ref: 01047284

Part of subcall function 010473E8: GetSysColor.USER32(00000012), ref: 01047421
Part of subcall function 010473E8: SetTextColor.GDI32(?,?), ref: 01047425
Part of subcall function 010473E8: GetSysColorBrush.USER32(0000000F), ref: 0104743B
Part of subcall function 010473E8: GetSysColor.USER32(0000000F), ref: 01047446
Part of subcall function 010473E8: GetSysColor.USER32(00000011), ref: 01047463
Part of subcall function 010473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 01047471
Part of subcall function 010473E8: SelectObject.GDI32(?,00000000), ref: 01047482
Part of subcall function 010473E8: SetBkColor.GDI32(?,00000000), ref: 0104748B
Part of subcall function 010473E8: SelectObject.GDI32(?,?), ref: 01047498
Part of subcall function 010473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 010474B7
Part of subcall function 010473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010474CE
Part of subcall function 010473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 010474DB

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: bf1d21be4c19d158fdaa24895357952cb52fe6778bd6947054cee95bff68b6f8
Instruction ID: b28da65a062b6ad63ea76a2bd0bd16e51b913d0469267597c7c5ca89f9f9c0d7
Opcode Fuzzy Hash: bf1d21be4c19d158fdaa24895357952cb52fe6778bd6947054cee95bff68b6f8
Instruction Fuzzy Hash: C8A1B2B6009301BFE7219F64DE88A5F7BE9FB49320F100A29FAE2961E0D735D444CB91

Function 00FC8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00FC8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 01006AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 01006AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 01006F43

Part of subcall function 00FC8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FC8BE8,?,00000000,?,?,?,?,00FC8BBA,00000000,?), ref: 00FC8FC5

SendMessageW.USER32(?,00001053), ref: 01006F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 01006F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 01006FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 01006FB7

Strings

0, xrefs: 01006DCF

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: ec40ef50dcfedb18bb22f091964a04790f381e869a3c59ccb634458a1349124a
Instruction ID: 9c4554b7386448957ba313087cdbe2912f7b412b1e4fe6a47d48d1ee0bacc641
Opcode Fuzzy Hash: ec40ef50dcfedb18bb22f091964a04790f381e869a3c59ccb634458a1349124a
Instruction Fuzzy Hash: B812B070505202EFE726DF18CA85BA97BE2FF45300F1444ADF5D58B292CB37A8A2DB51

Function 01032711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0103273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0103286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 010328A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 010328B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 01032900
GetClientRect.USER32(00000000,?), ref: 0103290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 01032955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01032964
GetStockObject.GDI32(00000011), ref: 01032974
SelectObject.GDI32(00000000,00000000), ref: 01032978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 01032988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01032991
DeleteDC.GDI32(00000000), ref: 0103299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010329C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 010329DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 01032A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01032A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 01032A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 01032A77
GetStockObject.GDI32(00000011), ref: 01032A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01032A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 01032A97

Strings

static, xrefs: 0103294F, 01032A71
DISPLAY, xrefs: 0103295A
msctls_progress32, xrefs: 01032A13
AutoIt v3, xrefs: 010328F8

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 55ff01a913bd90a3b79bd37f92180ac6e379334c834f58ee56fa88d8cee36b74
Instruction ID: 48cd11d79c8aaad81508408f0ae8ca074b27f7e5b0ace4eff10c214d1cede332
Opcode Fuzzy Hash: 55ff01a913bd90a3b79bd37f92180ac6e379334c834f58ee56fa88d8cee36b74
Instruction Fuzzy Hash: 0DB18DB5A00205AFEB24DF68CD89FAE7BA9FF48710F008554FA55E7294D774E900CBA0

Function 01024ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 01024AED
GetDriveTypeW.KERNEL32(?,0104CB68,?,\\.\,0104CC08), ref: 01024BCA
SetErrorMode.KERNEL32(00000000,0104CB68,?,\\.\,0104CC08), ref: 01024D36

Strings

ATAPI, xrefs: 01024C91
Unknown, xrefs: 01024BED, 01024C83
SCSI, xrefs: 01024C8A
SATA, xrefs: 01024CD0
SSD, xrefs: 01024C4A
RAMDisk, xrefs: 01024BF4
RAID, xrefs: 01024CBB
Fixed, xrefs: 01024C09
Removable, xrefs: 01024C10, 01024C15
MMC, xrefs: 01024CDE
SAS, xrefs: 01024CC9
Virtual, xrefs: 01024CE5
\\.\, xrefs: 01024B3F
PhysicalDrive, xrefs: 01024B76
CDROM, xrefs: 01024BFB
iSCSI, xrefs: 01024CC2
Network, xrefs: 01024C02
Fibre, xrefs: 01024CAD
FileBackedVirtual, xrefs: 01024CEC
USB, xrefs: 01024CB4
SSA, xrefs: 01024CA6
ATA, xrefs: 01024C98
1394, xrefs: 01024C9F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f09637301fcd414a38159530d871835dd89b3824b20b33e76ddb6d840b476095
Instruction ID: bad18a34a07917ca7e481d30c8cc9ce06b12fce817e9f859f33f80d67225d477
Opcode Fuzzy Hash: f09637301fcd414a38159530d871835dd89b3824b20b33e76ddb6d840b476095
Instruction Fuzzy Hash: 4A61C630A0451ADBDB55EF1DCA819BD7BE1AB04200B24405AF88BEB712DB76ED85CB45

Function 010473E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 01047421
SetTextColor.GDI32(?,?), ref: 01047425
GetSysColorBrush.USER32(0000000F), ref: 0104743B
GetSysColor.USER32(0000000F), ref: 01047446
CreateSolidBrush.GDI32(?), ref: 0104744B
GetSysColor.USER32(00000011), ref: 01047463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 01047471
SelectObject.GDI32(?,00000000), ref: 01047482
SetBkColor.GDI32(?,00000000), ref: 0104748B
SelectObject.GDI32(?,?), ref: 01047498
InflateRect.USER32(?,000000FF,000000FF), ref: 010474B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010474CE
GetWindowLongW.USER32(00000000,000000F0), ref: 010474DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0104752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 01047554
InflateRect.USER32(?,000000FD,000000FD), ref: 01047572
DrawFocusRect.USER32(?,?), ref: 0104757D
GetSysColor.USER32(00000011), ref: 0104758E
SetTextColor.GDI32(?,00000000), ref: 01047596
DrawTextW.USER32(?,010470F5,000000FF,?,00000000), ref: 010475A8
SelectObject.GDI32(?,?), ref: 010475BF
DeleteObject.GDI32(?), ref: 010475CA
SelectObject.GDI32(?,?), ref: 010475D0
DeleteObject.GDI32(?), ref: 010475D5
SetTextColor.GDI32(?,?), ref: 010475DB
SetBkColor.GDI32(?,?), ref: 010475E5

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 73f27ccba35bc62df61bf18a26ce34b4eae36e941c2279daa75e3be4bdbacc26
Instruction ID: 24a0412f4f5c1efd47d5acefa8e077d664d4e5ee7303c5405bffc6ba38c6d3c6
Opcode Fuzzy Hash: 73f27ccba35bc62df61bf18a26ce34b4eae36e941c2279daa75e3be4bdbacc26
Instruction Fuzzy Hash: 3661A1B6901218AFEF119FA4DD88EEE7FB9EB09320F104161FA51BB291D7759940CF90

Function 01040FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01041128
GetDesktopWindow.USER32 ref: 0104113D
GetWindowRect.USER32(00000000), ref: 01041144
GetWindowLongW.USER32(?,000000F0), ref: 01041199
DestroyWindow.USER32(?), ref: 010411B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 010411ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0104120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0104121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 01041232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 01041245
IsWindowVisible.USER32(00000000), ref: 010412A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 010412BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 010412D0
GetWindowRect.USER32(00000000,?), ref: 010412E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0104130E
GetMonitorInfoW.USER32(00000000,?), ref: 01041328
CopyRect.USER32(?,?), ref: 0104133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 010413AA

Strings

0, xrefs: 010410D3
tooltips_class32, xrefs: 010411E6
(, xrefs: 0104131B

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 145dbff08522e1cad3f708d7726876ff7b614dc3280b9784a4dd225dce911ee9
Instruction ID: 834e1bfb2a6a118db15e5c360d55781cba71caf9f48b24f3767011f7b7b376dc
Opcode Fuzzy Hash: 145dbff08522e1cad3f708d7726876ff7b614dc3280b9784a4dd225dce911ee9
Instruction Fuzzy Hash: FAB18DB1604341AFE754DF65C984BAABBE4FF88350F008968F9999B261C771E844CF92

Function 00FC8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FC8968
GetSystemMetrics.USER32(00000007), ref: 00FC8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FC899B
GetSystemMetrics.USER32(00000008), ref: 00FC89A3
GetSystemMetrics.USER32(00000004), ref: 00FC89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FC89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FC89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FC8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FC8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00FC8A5A
GetStockObject.GDI32(00000011), ref: 00FC8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC8A81

Part of subcall function 00FC912D: GetCursorPos.USER32(?), ref: 00FC9141
Part of subcall function 00FC912D: ScreenToClient.USER32(00000000,?), ref: 00FC915E
Part of subcall function 00FC912D: GetAsyncKeyState.USER32(00000001), ref: 00FC9183
Part of subcall function 00FC912D: GetAsyncKeyState.USER32(00000002), ref: 00FC919D

SetTimer.USER32(00000000,00000000,00000028,00FC90FC), ref: 00FC8AA8

Strings

AutoIt v3 GUI, xrefs: 00FC8A20

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 43c88e36d4eb0bf15b18ea34de83490ec6d2e93eba2a1c33ea4fc6fafa813f9f
Instruction ID: 817778a743a0a5ce791869a222fc5affcb1ca780becdfff28d3a8dd1781feb07
Opcode Fuzzy Hash: 43c88e36d4eb0bf15b18ea34de83490ec6d2e93eba2a1c33ea4fc6fafa813f9f
Instruction Fuzzy Hash: 70B19375A0020AEFEB15DF68CA85FAE3BB5FB48310F004219FA95A72C4DB39D941CB50

Function 01010D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01011114
Part of subcall function 010110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 01011120
Part of subcall function 010110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 0101112F
Part of subcall function 010110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 01011136
Part of subcall function 010110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0101114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01010DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01010E29
GetLengthSid.ADVAPI32(?), ref: 01010E40
GetAce.ADVAPI32(?,00000000,?), ref: 01010E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01010E96
GetLengthSid.ADVAPI32(?), ref: 01010EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 01010EB5
HeapAlloc.KERNEL32(00000000), ref: 01010EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 01010EDD
CopySid.ADVAPI32(00000000), ref: 01010EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01010F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01010F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 01010F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01010F6E
HeapFree.KERNEL32(00000000), ref: 01010F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01010F7E
HeapFree.KERNEL32(00000000), ref: 01010F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01010F8E
HeapFree.KERNEL32(00000000), ref: 01010F95
GetProcessHeap.KERNEL32(00000000,?), ref: 01010FA1
HeapFree.KERNEL32(00000000), ref: 01010FA8

Part of subcall function 01011193: GetProcessHeap.KERNEL32(00000008,01010BB1,?,00000000,?,01010BB1,?), ref: 010111A1
Part of subcall function 01011193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01010BB1,?), ref: 010111A8
Part of subcall function 01011193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01010BB1,?), ref: 010111B7

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3a61fb9ed5fc9545b4d5619290c839e68bb4d41a31fd28cd272c79e823f7c891
Instruction ID: 064c7c1203423fb2cc581cdf7d199a012fc6c49d5c8a69653a78f81ae9664576
Opcode Fuzzy Hash: 3a61fb9ed5fc9545b4d5619290c839e68bb4d41a31fd28cd272c79e823f7c891
Instruction Fuzzy Hash: 52718EB190120AABEB209FA5DD45FEEBBB8BF05300F044159FA99E7188D7399945CB60

Function 0103C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0103C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0104CC08,00000000,?,00000000,?,?), ref: 0103C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0103C5A4
_wcslen.LIBCMT ref: 0103C5F4
_wcslen.LIBCMT ref: 0103C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0103C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0103C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0103C84D
RegCloseKey.ADVAPI32(?), ref: 0103C881
RegCloseKey.ADVAPI32(00000000), ref: 0103C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0103C960

Strings

REG_QWORD, xrefs: 0103C8C3
REG_EXPAND_SZ, xrefs: 0103C5CD
REG_SZ, xrefs: 0103C644
REG_DWORD, xrefs: 0103C804
REG_MULTI_SZ, xrefs: 0103C6F5
REG_BINARY, xrefs: 0103C913

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: c7c3b83c6ab971002bf56629d8734f2ccca8abd8deae108a2df7a920a19178fe
Instruction ID: 1d9f2ba5476e91c3473a98e3a5631da5325cb2826f06f1693db312dd1b0211fb
Opcode Fuzzy Hash: c7c3b83c6ab971002bf56629d8734f2ccca8abd8deae108a2df7a920a19178fe
Instruction Fuzzy Hash: B8129D352042019FE714DF15C981A6AB7E5FF88314F08889DF88A9B3A2DB35ED41DB91

Function 0104091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010409C6
_wcslen.LIBCMT ref: 01040A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01040A54
_wcslen.LIBCMT ref: 01040A8A
_wcslen.LIBCMT ref: 01040B06
_wcslen.LIBCMT ref: 01040B81

Part of subcall function 00FCF9F2: _wcslen.LIBCMT ref: 00FCF9FD

Part of subcall function 01012BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 01012BFA

Strings

COLLAPSE, xrefs: 01040B01, 01040B1C
GETTOTALCOUNT, xrefs: 010409F2, 01040A17
GETSELECTED, xrefs: 01040C4E
GETTEXT, xrefs: 01040C97
EXPAND, xrefs: 01040BF8
UNCHECK, xrefs: 01040D3E
GETITEMCOUNT, xrefs: 01040C1E
ISCHECKED, xrefs: 01040CE1
SELECT, xrefs: 01040D11
CHECK, xrefs: 01040A85, 01040AA0
EXISTS, xrefs: 01040B7C, 01040B97

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 1bc875cd8d9bcc4176d3afa9f212057acfdf09164f9c30a79db41f665bf25a38
Instruction ID: c2f18390bf77bf6a20c2500dc6508136719aa3580f18d336db57655ef950cc43
Opcode Fuzzy Hash: 1bc875cd8d9bcc4176d3afa9f212057acfdf09164f9c30a79db41f665bf25a38
Instruction Fuzzy Hash: 0AE1A0752083018FC714EF29C8909AEB7E1BF88354B0489ADF9D6AB366D735ED45CB81

Function 0103C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0103B6AE,?,?), ref: 0103C9B5
_wcslen.LIBCMT ref: 0103C9F1
_wcslen.LIBCMT ref: 0103CA68
_wcslen.LIBCMT ref: 0103CA9E
_wcslen.LIBCMT ref: 0103CAF9
_wcslen.LIBCMT ref: 0103CB2F
_wcslen.LIBCMT ref: 0103CB7F

Strings

HKEY_USERS, xrefs: 0103CBDF
HKEY_LOCAL_MACHINE, xrefs: 0103CA62, 0103CA67
HKCC, xrefs: 0103CBAC
HKEY_CURRENT_USER, xrefs: 0103CBBD
HKCU, xrefs: 0103CBCE
HKCR, xrefs: 0103CB29, 0103CB2E
HKLM, xrefs: 0103CA98, 0103CA9D
HKEY_CLASSES_ROOT, xrefs: 0103CAF3, 0103CAF8
HKEY_CURRENT_CONFIG, xrefs: 0103CB79, 0103CB7E
HKU, xrefs: 0103CBF0

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ccb0398b03bd8f699c12bd887018aed7a65a93f82bc45fbc57e1262dc5cca5c2
Instruction ID: abb7730dcf61cb7faf0b9e49bb08f61defc1c869a0e5702ac75ef0c1488f8a6d
Opcode Fuzzy Hash: ccb0398b03bd8f699c12bd887018aed7a65a93f82bc45fbc57e1262dc5cca5c2
Instruction Fuzzy Hash: 8E712632A0052A8BEB21DE3CCE515BE33D9AFD0694F15055AF8D2F7286E635CD46D3A0

Function 0104833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0104835A
_wcslen.LIBCMT ref: 0104836E
_wcslen.LIBCMT ref: 01048391
_wcslen.LIBCMT ref: 010483B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 010483F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0104361A,?), ref: 0104844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01048487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 010484CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01048501
FreeLibrary.KERNEL32(?), ref: 0104850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0104851D
DestroyIcon.USER32(?), ref: 0104852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 01048549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 01048555

Strings

.icl, xrefs: 01048368
.dll, xrefs: 010483AB
.exe, xrefs: 01048388

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 944b5b08399b7ef7eee41967af3fe388b9fad84d5a25b8fbae69b18cd54975ef
Instruction ID: d056396e30106776f8a75604908a11c3c17537e9ec230d124a8605a5c87b3850
Opcode Fuzzy Hash: 944b5b08399b7ef7eee41967af3fe388b9fad84d5a25b8fbae69b18cd54975ef
Instruction Fuzzy Hash: 356126B1900204BFEB24CFA4CDC1BBE77A8BF04711F00895AF995D61C1DB79A980DBA0

Function 00FB7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include-once, xrefs: 00FB782F
Unterminated group of comments, xrefs: 00FF528C
#include, xrefs: 00FB7847
#OnAutoItStartRegister, xrefs: 00FB7817
#ce, xrefs: 00FB78ED
", xrefs: 00FF5153
#comments-start, xrefs: 00FB785F, 00FB78B1
#cs, xrefs: 00FB7873, 00FB78C5
Bad directive syntax error, xrefs: 00FF519A
#comments-end, xrefs: 00FB78D9
Cannot parse #include, xrefs: 00FF5279
#requireadmin, xrefs: 00FB77FF
', xrefs: 00FF5169
#notrayicon, xrefs: 00FB77E7
#pragma compile, xrefs: 00FB77D3

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 544f9debe49cf7ccc96226fd8c08a3c02bd9c2e358cc5e98747841abd43960c2
Instruction ID: 923af481db5930e64d7bbd155a29cfb2040c028c8dc6cb51c28513675a97bf9f
Opcode Fuzzy Hash: 544f9debe49cf7ccc96226fd8c08a3c02bd9c2e358cc5e98747841abd43960c2
Instruction Fuzzy Hash: 228118B1A04709BBDB20BF62CC42FFE77A5AF55700F144025FA05AA192EB74D911FB91

Function 01015A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 01015A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 01015A40
SetWindowTextW.USER32(?,?), ref: 01015A57
GetDlgItem.USER32(?,000003EA), ref: 01015A6C
SetWindowTextW.USER32(00000000,?), ref: 01015A72
GetDlgItem.USER32(?,000003E9), ref: 01015A82
SetWindowTextW.USER32(00000000,?), ref: 01015A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 01015AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 01015AC3
GetWindowRect.USER32(?,?), ref: 01015ACC
_wcslen.LIBCMT ref: 01015B33
SetWindowTextW.USER32(?,?), ref: 01015B6F
GetDesktopWindow.USER32 ref: 01015B75
GetWindowRect.USER32(00000000), ref: 01015B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 01015BD3
GetClientRect.USER32(?,?), ref: 01015BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 01015C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 01015C2F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 89d914ecc9f0c55888be6f3247fd1c93b10216dcdfcdcfe88d64eb8c89118adf
Instruction ID: 6e6f5d4c0a09f237421ad572a5fabe5dbe847e77acc62d5c98e4101fd6ad29e3
Opcode Fuzzy Hash: 89d914ecc9f0c55888be6f3247fd1c93b10216dcdfcdcfe88d64eb8c89118adf
Instruction Fuzzy Hash: 41717C71900709AFEB20DFA8CE85AAEBBF5FF88704F104958E582A7594D779E940CF50

Function 00FD00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00FD00C6

Part of subcall function 00FD00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0108070C,00000FA0,539A5587,?,?,?,?,00FF23B3,000000FF), ref: 00FD011C
Part of subcall function 00FD00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00FF23B3,000000FF), ref: 00FD0127
Part of subcall function 00FD00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00FF23B3,000000FF), ref: 00FD0138
Part of subcall function 00FD00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00FD014E
Part of subcall function 00FD00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00FD015C
Part of subcall function 00FD00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00FD016A
Part of subcall function 00FD00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FD0195
Part of subcall function 00FD00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FD01A0

___scrt_fastfail.LIBCMT ref: 00FD00E7

Part of subcall function 00FD00A3: __onexit.LIBCMT ref: 00FD00A9

Strings

WakeAllConditionVariable, xrefs: 00FD0162
SleepConditionVariableCS, xrefs: 00FD0154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00FD0122
kernel32.dll, xrefs: 00FD0133
InitializeConditionVariable, xrefs: 00FD0148

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: ca32bff215e006c03162dd4f2890d317b80392504f70edf3281629bf9ac310ac
Instruction ID: 4003dd124960342809d289a81138e6d6c6b073495ebfcf6bf00558d84cf42b96
Opcode Fuzzy Hash: ca32bff215e006c03162dd4f2890d317b80392504f70edf3281629bf9ac310ac
Instruction Fuzzy Hash: C1210AB2E457116BE7207B65AE46B6D7396EB05B61F04013FF8C196344DE798C009B90

Function 010130F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0101318D
_wcslen.LIBCMT ref: 010131F8

Strings

TEXT, xrefs: 0101347C
NAME, xrefs: 01013335, 01013346
CLASSNN, xrefs: 010131F3, 01013204
REGEXPCLASS, xrefs: 01013255, 01013266
CLASS, xrefs: 01013188, 010131A5
INSTANCE, xrefs: 01013453

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 8ab1d09c43c97edd7421e581d4366c7c542dffcc632b95282a69947fbfbe2146
Instruction ID: 88ac7a533297c9eeed562417c2a635ccba393f96ee726678ec8b67bc2f7b9c86
Opcode Fuzzy Hash: 8ab1d09c43c97edd7421e581d4366c7c542dffcc632b95282a69947fbfbe2146
Instruction Fuzzy Hash: 46E10332A001169BDB199FA8C841BFEFBB5BF04720F14815AE496EB244DF38A945DB90

Function 010244C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0104CC08), ref: 01024527
_wcslen.LIBCMT ref: 0102453B
_wcslen.LIBCMT ref: 01024599
_wcslen.LIBCMT ref: 010245F4
_wcslen.LIBCMT ref: 0102463F
_wcslen.LIBCMT ref: 010246A7

Part of subcall function 00FCF9F2: _wcslen.LIBCMT ref: 00FCF9FD

GetDriveTypeW.KERNEL32(?,01076BF0,00000061), ref: 01024743

Strings

network, xrefs: 0102469D, 010246A2
removable, xrefs: 010245EA, 010245EF
cdrom, xrefs: 0102458F, 01024594
all, xrefs: 01024531, 01024536
fixed, xrefs: 01024635, 0102463A
ramdisk, xrefs: 010246F1
unknown, xrefs: 01024708

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 5d06df456909e2789a30a75583f487f0bd82c832f8b30ea277faa80f92b82c51
Instruction ID: 13f53743fbf4dd83bea2062eb0792287fb5b29f3210a1d075aed1e93228d345f
Opcode Fuzzy Hash: 5d06df456909e2789a30a75583f487f0bd82c832f8b30ea277faa80f92b82c51
Instruction Fuzzy Hash: 07B1EE716083229BC720DF29C890A6EB7E5BF99720F40495DF5E6C7292D774D884CAA2

Function 0103AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0103B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0103B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0103B1D4
_wcslen.LIBCMT ref: 0103B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0103B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0103B236
_wcslen.LIBCMT ref: 0103B332

Part of subcall function 010205A7: GetStdHandle.KERNEL32(000000F6), ref: 010205C6

_wcslen.LIBCMT ref: 0103B34B
_wcslen.LIBCMT ref: 0103B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0103B3B6
GetLastError.KERNEL32(00000000), ref: 0103B407
CloseHandle.KERNEL32(?), ref: 0103B439
CloseHandle.KERNEL32(00000000), ref: 0103B44A
CloseHandle.KERNEL32(00000000), ref: 0103B45C
CloseHandle.KERNEL32(00000000), ref: 0103B46E
CloseHandle.KERNEL32(?), ref: 0103B4E3

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 14838aafab117b12a9a682ebe94a35d684a11ec200dbed1c625dae397e9c2cce
Instruction ID: e993674fb87aca36835344704f9b58eb36de894d020dfa1cad1d997067fe3e49
Opcode Fuzzy Hash: 14838aafab117b12a9a682ebe94a35d684a11ec200dbed1c625dae397e9c2cce
Instruction Fuzzy Hash: 04F1AE716083009FD724EF29C891B6EBBE9AFC5314F18855DF9958B2A6CB35E804CB52

Function 01033FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0104CC08), ref: 010340BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 010340CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0104CC08), ref: 010340F2
FreeLibrary.KERNEL32(00000000,?,0104CC08), ref: 0103413E
StringFromGUID2.OLE32(?,?,00000028,?,0104CC08), ref: 010341A8
SysFreeString.OLEAUT32(00000009), ref: 01034262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 010342C8
SysFreeString.OLEAUT32(?), ref: 010342F2

Strings

kernel32.dll, xrefs: 010340B6
GetModuleHandleExW, xrefs: 010340C7

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 6154e8b32c74ee0a0b582d07a7acc29316e581ab24443680b6e0c045cf4b47ee
Instruction ID: 688844532894215188668280788a6d498e812a36324b93722d47ca3f0d5672f6
Opcode Fuzzy Hash: 6154e8b32c74ee0a0b582d07a7acc29316e581ab24443680b6e0c045cf4b47ee
Instruction Fuzzy Hash: DF122775A00105AFDB55CF98C984EAEBBB9FF85314F148098E945EF252CB31ED46CBA0

Function 00FB326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(01081990), ref: 00FF2F8D
GetMenuItemCount.USER32(01081990), ref: 00FF303D
GetCursorPos.USER32(?), ref: 00FF3081
SetForegroundWindow.USER32(00000000), ref: 00FF308A
TrackPopupMenuEx.USER32(01081990,00000000,?,00000000,00000000,00000000), ref: 00FF309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FF30A9

Strings

0, xrefs: 00FB327D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 8516ece18c2f20152dbba997ab758930598530243330083c72e5cc16900b365a
Instruction ID: c30af7410b77cd70149d509aabcfb45e43655643bc4695a8f54e0692742fde6a
Opcode Fuzzy Hash: 8516ece18c2f20152dbba997ab758930598530243330083c72e5cc16900b365a
Instruction Fuzzy Hash: D271F771A40209BFFB218F65CD89FAABF64FF04324F204216F6156A1E0C7B5A950EB91

Function 01046CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 01046DEB

Part of subcall function 00FB6B57: _wcslen.LIBCMT ref: 00FB6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 01046E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 01046E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01046E94
DestroyWindow.USER32(?), ref: 01046EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FB0000,00000000), ref: 01046EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01046EFD
GetDesktopWindow.USER32 ref: 01046F16
GetWindowRect.USER32(00000000), ref: 01046F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 01046F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 01046F4D

Part of subcall function 00FC9944: GetWindowLongW.USER32(?,000000EB), ref: 00FC9952

Strings

tooltips_class32, xrefs: 01046E58, 01046EDD
0, xrefs: 01046D98

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: bbb0b50e1f632782455bcc8e91b9e1bb59b94634b6d4f0c489de79130f295bae
Instruction ID: dd479b368f5b0bdd0567b66aa81fc06395649c9fb3aa8a92a5268f62b5e15d70
Opcode Fuzzy Hash: bbb0b50e1f632782455bcc8e91b9e1bb59b94634b6d4f0c489de79130f295bae
Instruction Fuzzy Hash: 1D717BB4104340AFEB21CF1DC984EAABBF9FB8A300F44446DF9D987261D776A906CB11

Function 0104911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC9BB2

DragQueryPoint.SHELL32(?,?), ref: 01049147

Part of subcall function 01047674: ClientToScreen.USER32(?,?), ref: 0104769A
Part of subcall function 01047674: GetWindowRect.USER32(?,?), ref: 01047710
Part of subcall function 01047674: PtInRect.USER32(?,?,01048B89), ref: 01047720

SendMessageW.USER32(?,000000B0,?,?), ref: 010491B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 010491BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 010491DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 01049225
SendMessageW.USER32(?,000000B0,?,?), ref: 0104923E
SendMessageW.USER32(?,000000B1,?,?), ref: 01049255
SendMessageW.USER32(?,000000B1,?,?), ref: 01049277
DragFinish.SHELL32(?), ref: 0104927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 01049371

Strings

@GUI_DRAGID, xrefs: 010492E9
@GUI_DROPID, xrefs: 0104929E
@GUI_DRAGFILE, xrefs: 01049320

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 5a2af7603c86ab4f756e5f25331638754f5ce1c31b48d651989cfdc73a2e47c0
Instruction ID: ae2253eb6521e038e8b83200ec85c573cbeb3966af9fc62f12942e7770802f71
Opcode Fuzzy Hash: 5a2af7603c86ab4f756e5f25331638754f5ce1c31b48d651989cfdc73a2e47c0
Instruction Fuzzy Hash: 84618AB1108301AFD311EF61DD85DAFBBE8EF88350F00092DF591931A0DB759A49CB52

Function 0102C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0102C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0102C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0102C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0102C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0102C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0102C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0102C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0102C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0102C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0102C5F0
InternetCloseHandle.WININET(00000000), ref: 0102C5FB

Strings

, xrefs: 0102C575

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 012cd350f03d708f68900f2c6f273ff4812f5df9624e5cf7d7806dc948b381dc
Instruction ID: 5885097def1df09894162358b9658b889fe87ac5b5a28770c298a016f4f7d28d
Opcode Fuzzy Hash: 012cd350f03d708f68900f2c6f273ff4812f5df9624e5cf7d7806dc948b381dc
Instruction Fuzzy Hash: 05515BB4501629BFFB218F64CB88AAF7BFCFF08744F004419F98696200DB39D9449B60

Function 0104856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 01048592
GetFileSize.KERNEL32(00000000,00000000), ref: 010485A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 010485AD
CloseHandle.KERNEL32(00000000), ref: 010485BA
GlobalLock.KERNEL32(00000000), ref: 010485C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 010485D7
GlobalUnlock.KERNEL32(00000000), ref: 010485E0
CloseHandle.KERNEL32(00000000), ref: 010485E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 010485F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0104FC38,?), ref: 01048611
GlobalFree.KERNEL32(00000000), ref: 01048621
GetObjectW.GDI32(?,00000018,000000FF), ref: 01048641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 01048671
DeleteObject.GDI32(00000000), ref: 01048699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 010486AF

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 17ccb7cb7495f71ef0177053ca538e0abb4b2e8c270cf10943bbcfc42efb0864
Instruction ID: 665535d358d681a449629988a202187071508a0efedd70e84b77574a22e76ba5
Opcode Fuzzy Hash: 17ccb7cb7495f71ef0177053ca538e0abb4b2e8c270cf10943bbcfc42efb0864
Instruction Fuzzy Hash: D14151B5601204BFE721DFA9CE88EAE7BB8FF89711F008469F949E7250D7759901CB60

Function 010214BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 01021502
VariantCopy.OLEAUT32(?,?), ref: 0102150B
VariantClear.OLEAUT32(?), ref: 01021517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 010215FB
VarR8FromDec.OLEAUT32(?,?), ref: 01021657
VariantInit.OLEAUT32(?), ref: 01021708
SysFreeString.OLEAUT32(?), ref: 0102178C
VariantClear.OLEAUT32(?), ref: 010217D8
VariantClear.OLEAUT32(?), ref: 010217E7
VariantInit.OLEAUT32(00000000), ref: 01021823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 01021625
Default, xrefs: 010216AF

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 67301c538f7fbfc53f7d7b2dcec7f9c2855e8a77627d0e2a022e21972de1794a
Instruction ID: f0b9a11fc2477efdb80679a070d03574731df128d0075117eb83fa9d5a23c5fa
Opcode Fuzzy Hash: 67301c538f7fbfc53f7d7b2dcec7f9c2855e8a77627d0e2a022e21972de1794a
Instruction Fuzzy Hash: CDD11571A00235DBEB149F65D985BBDBBF5BF04700F0880DAF596AB180DB38E845DBA1

Function 0103B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 0103C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0103B6AE,?,?), ref: 0103C9B5
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103C9F1
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103CA68
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0103B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0103B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0103B80A
RegCloseKey.ADVAPI32(?), ref: 0103B87E
RegCloseKey.ADVAPI32(?), ref: 0103B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0103B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0103B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0103B922
FreeLibrary.KERNEL32(00000000), ref: 0103B983
RegCloseKey.ADVAPI32(00000000), ref: 0103B994

Strings

RegDeleteKeyExW, xrefs: 0103B8FE
advapi32.dll, xrefs: 0103B8ED

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 098f2ecd193aa41fde3e5892c32bc8e8347b51f7542a9939b8dced9f497501e8
Instruction ID: 3cf8cec51e34568a2c64647fd6a5d5f7743616e03835d620d5edd8d08c64fb38
Opcode Fuzzy Hash: 098f2ecd193aa41fde3e5892c32bc8e8347b51f7542a9939b8dced9f497501e8
Instruction Fuzzy Hash: 91C1AF34204201AFE720DF19C895F6ABBE5FF85308F18849DF59A8B292CB75E845CF91

Function 0103255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 010325D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 010325E8
CreateCompatibleDC.GDI32(?), ref: 010325F4
SelectObject.GDI32(00000000,?), ref: 01032601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0103266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 010326AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 010326D0
SelectObject.GDI32(?,?), ref: 010326D8
DeleteObject.GDI32(?), ref: 010326E1
DeleteDC.GDI32(?), ref: 010326E8
ReleaseDC.USER32(00000000,?), ref: 010326F3

Strings

(, xrefs: 0103268D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ea1417a012e73f58bc00514935b1068eb094300e833876d6f189f0a25a544b70
Instruction ID: 81b8627f643561efed6c499d07a028b66fe24966f8cf57d4fccf47814520ae51
Opcode Fuzzy Hash: ea1417a012e73f58bc00514935b1068eb094300e833876d6f189f0a25a544b70
Instruction Fuzzy Hash: 9C6113B5D00219EFDF15CFA4C984AAEBBB9FF48310F208529E995A7250D775A940CF50

Function 00FEDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00FEDAA1

Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED659
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED66B
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED67D
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED68F
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED6A1
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED6B3
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED6C5
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED6D7
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED6E9
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED6FB
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED70D
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED71F
Part of subcall function 00FED63C: _free.LIBCMT ref: 00FED731

_free.LIBCMT ref: 00FEDA96

Part of subcall function 00FE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000), ref: 00FE29DE
Part of subcall function 00FE29C8: GetLastError.KERNEL32(00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000,00000000), ref: 00FE29F0

_free.LIBCMT ref: 00FEDAB8
_free.LIBCMT ref: 00FEDACD
_free.LIBCMT ref: 00FEDAD8
_free.LIBCMT ref: 00FEDAFA
_free.LIBCMT ref: 00FEDB0D
_free.LIBCMT ref: 00FEDB1B
_free.LIBCMT ref: 00FEDB26
_free.LIBCMT ref: 00FEDB5E
_free.LIBCMT ref: 00FEDB65
_free.LIBCMT ref: 00FEDB82
_free.LIBCMT ref: 00FEDB9A

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b4973bf0b097167acb3c3e063f432836509675b663a4bbe9793e3f268e849a77
Instruction ID: 90c73366e794c1a2fd6da5dc857c3eed12fdfed3c76830ca41cc49df1f2d23b2
Opcode Fuzzy Hash: b4973bf0b097167acb3c3e063f432836509675b663a4bbe9793e3f268e849a77
Instruction Fuzzy Hash: 06319F31A043899FEB61AA3AEC42B5A77E8FF40320F114429E058D7592EF39ED40F721

Function 0101365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0101369C
_wcslen.LIBCMT ref: 010136A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 01013797
GetClassNameW.USER32(?,?,00000400), ref: 0101380C
GetDlgCtrlID.USER32(?), ref: 0101385D
GetWindowRect.USER32(?,?), ref: 01013882
GetParent.USER32(?), ref: 010138A0
ScreenToClient.USER32(00000000), ref: 010138A7
GetClassNameW.USER32(?,?,00000100), ref: 01013921
GetWindowTextW.USER32(?,?,00000400), ref: 0101395D

Strings

%s%u, xrefs: 01013734

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 58886ca7454d353f7389b726557579bff9a1a0f13658fa0be11e48d736d1e880
Instruction ID: 4c8188c995d83e03ec1b814bab1f14f32a656333890f7330b7e42a2e7afbfa59
Opcode Fuzzy Hash: 58886ca7454d353f7389b726557579bff9a1a0f13658fa0be11e48d736d1e880
Instruction Fuzzy Hash: 6491B171204206AFE719DF28C884BEAF7E9FF44360F008529FAD9D6184DB38A545CB91

Function 01014954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 01014994
GetWindowTextW.USER32(?,?,00000400), ref: 010149DA
_wcslen.LIBCMT ref: 010149EB
CharUpperBuffW.USER32(?,00000000), ref: 010149F7
_wcsstr.LIBVCRUNTIME ref: 01014A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 01014A64
GetWindowTextW.USER32(?,?,00000400), ref: 01014A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 01014AE6
GetClassNameW.USER32(?,?,00000400), ref: 01014B20
GetWindowRect.USER32(?,?), ref: 01014B8B

Strings

ThumbnailClass, xrefs: 01014A6F, 01014AF1

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 1874555517b125b83d9fd9e82b79cac39cdaf8f3ee7f6857bbe3acc07a38adef
Instruction ID: d08d1b6c3b7c9335ac261174cd3f325abfd0e266c89c57fac04e51c0bc067ac8
Opcode Fuzzy Hash: 1874555517b125b83d9fd9e82b79cac39cdaf8f3ee7f6857bbe3acc07a38adef
Instruction Fuzzy Hash: 2391B2710042059FEB15DF18C984BAA7BE9FF44314F0484A9FEC5DA1AADB38E945CBA1

Function 0101BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(01081990,000000FF,00000000,00000030), ref: 0101BFAC
SetMenuItemInfoW.USER32(01081990,00000004,00000000,00000030), ref: 0101BFE1
Sleep.KERNEL32(000001F4), ref: 0101BFF3
GetMenuItemCount.USER32(?), ref: 0101C039
GetMenuItemID.USER32(?,00000000), ref: 0101C056
GetMenuItemID.USER32(?,-00000001), ref: 0101C082
GetMenuItemID.USER32(?,?), ref: 0101C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0101C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0101C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0101C145

Strings

0, xrefs: 0101BF3D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 34e06f60d5d6d2152a2dfb5e7fb121c98e38049168c31cdfbb41012d1c4ea817
Instruction ID: 405788cbb811c02dd9661faf74d3ca315d6810072feaba64ff389feb48f79115
Opcode Fuzzy Hash: 34e06f60d5d6d2152a2dfb5e7fb121c98e38049168c31cdfbb41012d1c4ea817
Instruction Fuzzy Hash: 066184B0940246AFFF21CF68CA88AEE7FB4FB46344F044155F991A3245C739E945CB60

Function 0103CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0103CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0103CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0103CD48

Part of subcall function 0103CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0103CCAA
Part of subcall function 0103CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0103CCBD
Part of subcall function 0103CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0103CCCF
Part of subcall function 0103CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0103CD05
Part of subcall function 0103CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0103CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0103CCF3

Strings

RegDeleteKeyExW, xrefs: 0103CCC9
advapi32.dll, xrefs: 0103CCB8

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 38fc5f615258d1eb852bbb363066371d299e778db7fd842e29edaf6154670a60
Instruction ID: 060f28e66b44d27fc37b070ac37edd57ed40b400f54076f62488ccfc42254b21
Opcode Fuzzy Hash: 38fc5f615258d1eb852bbb363066371d299e778db7fd842e29edaf6154670a60
Instruction Fuzzy Hash: 813182B5902129BBF7319A55DE88EFFBFBCEF46640F000166F981E2104DA349A45DBA0

Function 01023D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 01023D40
_wcslen.LIBCMT ref: 01023D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 01023D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 01023DBE
RemoveDirectoryW.KERNEL32(?), ref: 01023DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 01023E55
CloseHandle.KERNEL32(00000000), ref: 01023E60
CloseHandle.KERNEL32(00000000), ref: 01023E6B

Strings

:, xrefs: 01023D82
\, xrefs: 01023D77
\??\%s, xrefs: 01023D5B

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 5675cdd8f49108b7ea4f6927b9acfbea62852f8dfc2f095afd5d94758c7ef34a
Instruction ID: d39aca26f33015cf4123b197490a038a9052862d53daf4a3d6abcad91b84c09a
Opcode Fuzzy Hash: 5675cdd8f49108b7ea4f6927b9acfbea62852f8dfc2f095afd5d94758c7ef34a
Instruction Fuzzy Hash: BA31D6B6A00119ABEB219BA4DD85FEF37BDFF88700F1040B5F649D6154E77892448B24

Function 0101E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0101E6B4

Part of subcall function 00FCE551: timeGetTime.WINMM(?,?,0101E6D4), ref: 00FCE555

Sleep.KERNEL32(0000000A), ref: 0101E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0101E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0101E727
SetActiveWindow.USER32 ref: 0101E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0101E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0101E773
Sleep.KERNEL32(000000FA), ref: 0101E77E
IsWindow.USER32 ref: 0101E78A
EndDialog.USER32(00000000), ref: 0101E79B

Strings

BUTTON, xrefs: 0101E719

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 20ac09bf909059a9f895da78a0a079f1c91c4e51a717cf3cae03fd56d4402c6d
Instruction ID: c09d88374141d1a6abcff21b339036f933603da3feded4289777ce888040d35b
Opcode Fuzzy Hash: 20ac09bf909059a9f895da78a0a079f1c91c4e51a717cf3cae03fd56d4402c6d
Instruction Fuzzy Hash: 382162B5205205AFFB225F64EEC9A2D3BA9FB49788B444424F9C18215DDB7FAC20CB54

Function 0101E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0101EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0101EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0101EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0101EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0101EAA7

Strings

play PlayMe wait, xrefs: 0101EA91
open , xrefs: 0101EA0C
close PlayMe, xrefs: 0101EA6E, 0101EA9B
play PlayMe, xrefs: 0101EAA2
alias PlayMe, xrefs: 0101EA36
status PlayMe mode, xrefs: 0101EA58

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: a678142a2f4231faac82d269b22492fb537f0838aaf23eb109aa9ccfaf5889da
Instruction ID: 6767a29330fd9ead0b54abb2502d828e945b6a6b000e608ea55fb31d5086e04c
Opcode Fuzzy Hash: a678142a2f4231faac82d269b22492fb537f0838aaf23eb109aa9ccfaf5889da
Instruction Fuzzy Hash: 5111E331A8026979E720A3A7DC4ADFF7EBCEBC1F00F440429B842A6081EEA51905C9B0

Function 01019F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0101A012
SetKeyboardState.USER32(?), ref: 0101A07D
GetAsyncKeyState.USER32(000000A0), ref: 0101A09D
GetKeyState.USER32(000000A0), ref: 0101A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0101A0E3
GetKeyState.USER32(000000A1), ref: 0101A0F4
GetAsyncKeyState.USER32(00000011), ref: 0101A120
GetKeyState.USER32(00000011), ref: 0101A12E
GetAsyncKeyState.USER32(00000012), ref: 0101A157
GetKeyState.USER32(00000012), ref: 0101A165
GetAsyncKeyState.USER32(0000005B), ref: 0101A18E
GetKeyState.USER32(0000005B), ref: 0101A19C

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a140e55a5d4be25cf1d51b789fe3814f43d0721dd8f25d8b3636ddab126c0696
Instruction ID: fd3eaa2535e5730d019f2a1f7a73bcafc7878940b75b885ed367bbdf9494a612
Opcode Fuzzy Hash: a140e55a5d4be25cf1d51b789fe3814f43d0721dd8f25d8b3636ddab126c0696
Instruction Fuzzy Hash: 5451F670A057C86AFB76EBA48510BEABFF49F02284F0885CDD6C2571C6DA5CA64CC761

Function 01015CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 01015CE2
GetWindowRect.USER32(00000000,?), ref: 01015CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 01015D59
GetDlgItem.USER32(?,00000002), ref: 01015D69
GetWindowRect.USER32(00000000,?), ref: 01015D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 01015DCF
GetDlgItem.USER32(?,000003E9), ref: 01015DDD
GetWindowRect.USER32(00000000,?), ref: 01015DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 01015E31
GetDlgItem.USER32(?,000003EA), ref: 01015E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 01015E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 01015E67

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 6a8395f211012ff490f901d4a3970e94226c34a6adf3f03c293142b7b1fcec4c
Instruction ID: f5fcf6b151477c091a3b9a05449170bd26e9c7c6364389e2f53e6e227d6b3fab
Opcode Fuzzy Hash: 6a8395f211012ff490f901d4a3970e94226c34a6adf3f03c293142b7b1fcec4c
Instruction Fuzzy Hash: 55511CB4B00205AFDB18DF68CE89AAEBBF5FB89300F508169F955E7294D775AD00CB50

Function 00FC8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FC8BE8,?,00000000,?,?,?,?,00FC8BBA,00000000,?), ref: 00FC8FC5

DestroyWindow.USER32(?), ref: 00FC8C81
KillTimer.USER32(00000000,?,?,?,?,00FC8BBA,00000000,?), ref: 00FC8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 01006973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00FC8BBA,00000000,?), ref: 010069A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00FC8BBA,00000000,?), ref: 010069B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00FC8BBA,00000000), ref: 010069D4
DeleteObject.GDI32(00000000), ref: 010069E6

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 7ab3213d8a16c64b5c8f604fc3c34f538bfe73bd30b8415fcb112ee62cc265fa
Instruction ID: f168de3497e9d3d258fc2dbc652c589944f3122488471a0bf1f0654e457e3ca2
Opcode Fuzzy Hash: 7ab3213d8a16c64b5c8f604fc3c34f538bfe73bd30b8415fcb112ee62cc265fa
Instruction Fuzzy Hash: EC618931506602DFEB36DF18DB4AB6977F2FF41352F14455CE0C286994CB3AA892EB90

Function 00FC9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9944: GetWindowLongW.USER32(?,000000EB), ref: 00FC9952

GetSysColor.USER32(0000000F), ref: 00FC9862

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 61a826c2e93bb0fcd80412a77e8d8d275921c2e663f3a8fb017f6696efa52286
Instruction ID: 749bdb73eb1802dca3f6f05c13c2812a74dc0d172a0024b028670b36942aa436
Opcode Fuzzy Hash: 61a826c2e93bb0fcd80412a77e8d8d275921c2e663f3a8fb017f6696efa52286
Instruction Fuzzy Hash: BC413531504640AFEB314F389A89FB93BA5FB07331F544249FAE2871E1C7B69842EB10

Function 010196E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00FFF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 01019717
LoadStringW.USER32(00000000,?,00FFF7F8,00000001), ref: 01019720

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00FFF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 01019742
LoadStringW.USER32(00000000,?,00FFF7F8,00000001), ref: 01019745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 01019866

Strings

Line %d (File "%s"):, xrefs: 0101978F
^ ERROR, xrefs: 010197FB
%s (%d) : ==> %s: %s %s, xrefs: 0101984A
Line %d:, xrefs: 010197A0
Error: , xrefs: 0101981D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 66e0404303cc4eaea4c2889937f1c676b647dc6a0ce97f7d2dba4b005a0a4692
Instruction ID: d8b8e26d54bbc0402b87c42ddc18c42487c59a4eade9d7fdf12734ab0c4225ed
Opcode Fuzzy Hash: 66e0404303cc4eaea4c2889937f1c676b647dc6a0ce97f7d2dba4b005a0a4692
Instruction Fuzzy Hash: 1B418E7280420AABDB04EBE1CE92DEEB779AF14304F540025F60172096EB796F48DF60

Function 010106DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB6B57: _wcslen.LIBCMT ref: 00FB6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 010107A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 010107BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 010107DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 01010804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0101082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01010837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0101083C

Strings

\CLSID, xrefs: 01010724
\IPC$, xrefs: 01010784
SOFTWARE\Classes\, xrefs: 0101070E

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 79d383d82d86e687c17f52f18570dffeb38b0d85371a308565fbf2c56d928e93
Instruction ID: 9eafbc7cb1b762f5424b174b7f1a98048391dadef0171a6f0bfefeafdb16ae05
Opcode Fuzzy Hash: 79d383d82d86e687c17f52f18570dffeb38b0d85371a308565fbf2c56d928e93
Instruction Fuzzy Hash: 20414672C00228ABDF21EBA5DC85CEEB7B8BF04340B444169F981A7155EB399A44DFA0

Function 01043F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0104403B
CreateCompatibleDC.GDI32(00000000), ref: 01044042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01044055
SelectObject.GDI32(00000000,00000000), ref: 0104405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 01044068
DeleteDC.GDI32(00000000), ref: 01044072
GetWindowLongW.USER32(?,000000EC), ref: 0104407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 01044092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0104409E

Strings

static, xrefs: 01043FD3

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 3d4ec5ea20c497022f8582e2cb85fc42270da2d5a58874625bf1fb66982ce08e
Instruction ID: 70bb3ff37b65e95b5448aafa8ef4b07bf34f00d22258551019d97bed79ae718d
Opcode Fuzzy Hash: 3d4ec5ea20c497022f8582e2cb85fc42270da2d5a58874625bf1fb66982ce08e
Instruction Fuzzy Hash: DE3163B5101215AFEF229FA8DD84FDA3BA8FF0D324F010225FA98E6190C776D860DB54

Function 01033C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01033C5C
CoInitialize.OLE32(00000000), ref: 01033C8A
CoUninitialize.OLE32 ref: 01033C94
_wcslen.LIBCMT ref: 01033D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 01033DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 01033ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 01033F0E
CoGetObject.OLE32(?,00000000,0104FB98,?), ref: 01033F2D
SetErrorMode.KERNEL32(00000000), ref: 01033F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01033FC4
VariantClear.OLEAUT32(?), ref: 01033FD8

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: a73e65d80eb157bed77e4f0044ace232e172586b1f716f4524502542a261d381
Instruction ID: 9b79e729b0a72f6c293053e31b9eff424417b3bd437ecaaed07699c2fd539351
Opcode Fuzzy Hash: a73e65d80eb157bed77e4f0044ace232e172586b1f716f4524502542a261d381
Instruction Fuzzy Hash: 15C130B1608205AFD700DF68C98496BBBE9FFC9748F00495DF98A9B250DB31ED05CB62

Function 01027A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01027AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 01027B8F
SHGetDesktopFolder.SHELL32(?), ref: 01027BA3
CoCreateInstance.OLE32(0104FD08,00000000,00000001,01076E6C,?), ref: 01027BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 01027C74
CoTaskMemFree.OLE32(?,?), ref: 01027CCC
SHBrowseForFolderW.SHELL32(?), ref: 01027D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 01027D7A
CoTaskMemFree.OLE32(00000000), ref: 01027D81
CoTaskMemFree.OLE32(00000000), ref: 01027DD6
CoUninitialize.OLE32 ref: 01027DDC

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 7be5fd960bbfb25df7fe4560270e664e527bf99892df4731cb1d5d578f09f27e
Instruction ID: 130a4c421a298687c8f3bc3b71746e08d91dfa941b142d470b49b57c5af58be6
Opcode Fuzzy Hash: 7be5fd960bbfb25df7fe4560270e664e527bf99892df4731cb1d5d578f09f27e
Instruction Fuzzy Hash: 3AC15A75A00119AFDB10DFA4C984DAEBBF9FF48304B148099E95ADB261DB35ED41CF90

Function 0104541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01045504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01045515
CharNextW.USER32(00000158), ref: 01045544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01045585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0104559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010455AC

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: d5e9dbba1298d340e55499dc7edec87fc48e05251f1203dca0489d19ccb6fab5
Instruction ID: c1812c1f21db25d5de79156116ff270b87f8f7a2ff096b1c1af1afeb10483791
Opcode Fuzzy Hash: d5e9dbba1298d340e55499dc7edec87fc48e05251f1203dca0489d19ccb6fab5
Instruction Fuzzy Hash: E361B4F4904209AFEF209F54CDC49FE7BB9EF0A724F008165FAA59B280D7759A41CB60

Function 0100FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0100FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0100FB08
VariantInit.OLEAUT32(?), ref: 0100FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0100FB3A
VariantCopy.OLEAUT32(?,?), ref: 0100FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0100FBA1
VariantClear.OLEAUT32(?), ref: 0100FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0100FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0100FBCC
VariantClear.OLEAUT32(?), ref: 0100FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0100FBE9

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 55b9c58969ef0bb6115a652c3c31d6ea3e948f39b37748343c3ee0605afe8ab6
Instruction ID: 0fb7250ec9d79f920c610c1dda6d305b7b43c31d270a36220388b26203e2e684
Opcode Fuzzy Hash: 55b9c58969ef0bb6115a652c3c31d6ea3e948f39b37748343c3ee0605afe8ab6
Instruction Fuzzy Hash: 6D419374A0021ADFEB11DF68CA949EEBBB9FF48344F008055E985A7250CB35E945DFA0

Function 01019C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 01019CA1
GetAsyncKeyState.USER32(000000A0), ref: 01019D22
GetKeyState.USER32(000000A0), ref: 01019D3D
GetAsyncKeyState.USER32(000000A1), ref: 01019D57
GetKeyState.USER32(000000A1), ref: 01019D6C
GetAsyncKeyState.USER32(00000011), ref: 01019D84
GetKeyState.USER32(00000011), ref: 01019D96
GetAsyncKeyState.USER32(00000012), ref: 01019DAE
GetKeyState.USER32(00000012), ref: 01019DC0
GetAsyncKeyState.USER32(0000005B), ref: 01019DD8
GetKeyState.USER32(0000005B), ref: 01019DEA

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e85e5f3924b5e8b33e3e1c7b323ce8604fad385ab3448b50f29f7937e5c9be41
Instruction ID: 97c50702794176a24cc2477290094bbeda338ab6110f1063bf3855ca78200e98
Opcode Fuzzy Hash: e85e5f3924b5e8b33e3e1c7b323ce8604fad385ab3448b50f29f7937e5c9be41
Instruction Fuzzy Hash: 1C41E5346047C96AFFB29668C5643B5BEE06B01308F4880DEDAC6565C7DBAD91C8C7A2

Function 0103055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 010305BC
inet_addr.WSOCK32(?), ref: 0103061C
gethostbyname.WSOCK32(?), ref: 01030628
IcmpCreateFile.IPHLPAPI ref: 01030636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 010306C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 010306E5
IcmpCloseHandle.IPHLPAPI(?), ref: 010307B9
WSACleanup.WSOCK32 ref: 010307BF

Strings

Ping, xrefs: 01030676

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8a7b3645d0f77e3a8702366dc62843bc40e52dff262f98b38a9704c4ccba46ce
Instruction ID: 92aadd0b4a5f84c0bb2fec145d83339d26804eff1dd95bc6fd5746a3e48379d1
Opcode Fuzzy Hash: 8a7b3645d0f77e3a8702366dc62843bc40e52dff262f98b38a9704c4ccba46ce
Instruction Fuzzy Hash: 5691C3749052019FE321CF19C989F1ABBE4BF84318F048599F5AA8B7A6C735EC45CF91

Function 01038CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 01038CF3

Part of subcall function 01018E54: _wcslen.LIBCMT ref: 01018E77

_wcslen.LIBCMT ref: 01038D4E
_wcslen.LIBCMT ref: 01038D9C
_wcslen.LIBCMT ref: 01038DDC
_wcslen.LIBCMT ref: 01038E6E

Strings

none, xrefs: 01038E65, 01038E6A
winapi, xrefs: 01038D96, 01038D9B
stdcall, xrefs: 01038DD6, 01038DDB
cdecl, xrefs: 01038D48, 01038D4D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 1abfc9e8a769c206ca23f5d985736cf79983ded89c6c4a6ee2a5c1e12aa5091d
Instruction ID: bae8a822edfc28dc62f61076d3113e1f51b205a74666ba1fa50e950a179c98ba
Opcode Fuzzy Hash: 1abfc9e8a769c206ca23f5d985736cf79983ded89c6c4a6ee2a5c1e12aa5091d
Instruction Fuzzy Hash: 1351C431A001169BCF15EF6CC9508BEB7E9BF94720B2483AAF5A6E7285D735DD40C7A0

Function 0103372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 01033774
CoUninitialize.OLE32 ref: 0103377F
CoCreateInstance.OLE32(?,00000000,00000017,0104FB78,?), ref: 010337D9
IIDFromString.OLE32(?,?), ref: 0103384C
VariantInit.OLEAUT32(?), ref: 010338E4
VariantClear.OLEAUT32(?), ref: 01033936

Strings

Failed to create object, xrefs: 010337E4, 0103389A
NULL Pointer assignment, xrefs: 0103381E
Invalid parameter, xrefs: 01033865

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 5ba7f33911b9f90c4d47f296ec1cf7164d2a96f96a8379331f543ac4fc6e3e9e
Instruction ID: 7f631f2afbb3b3618427e714c55ea0764ae0b66b6dcbadf35db226759cfda0ff
Opcode Fuzzy Hash: 5ba7f33911b9f90c4d47f296ec1cf7164d2a96f96a8379331f543ac4fc6e3e9e
Instruction Fuzzy Hash: 80619C74608301AFD321DF54C989BAABBE8BF89714F00085DF9C59B291C774E948CB92

Function 01023388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 010233CF

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 010233F0

Strings

Line %d (File "%s"):, xrefs: 01023443, 0102345C
"%s" (%d) : ==> %s:, xrefs: 01023522
^ ERROR , xrefs: 0102349E
Incorrect parameters to object property !, xrefs: 010234AB
"%s" (%d) : ==> %s:%s%s, xrefs: 01023504
Error: , xrefs: 010234D1

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 7cb0caac44bc7a1763fece61f473f5eb44fd2e4dd38144b4e3825afca1d14be9
Instruction ID: 1e27c79796ca1e095b1125224ff9423b2d1e3714426d4cc16bb2f94801398016
Opcode Fuzzy Hash: 7cb0caac44bc7a1763fece61f473f5eb44fd2e4dd38144b4e3825afca1d14be9
Instruction Fuzzy Hash: 1951AF7180021AABDF14EBA1CE42EEEB7B9AF18340F544065F14576051EB3A6F98EF60

Function 0101B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0101B5FC
_wcslen.LIBCMT ref: 0101B608
_wcslen.LIBCMT ref: 0101B64D
_wcslen.LIBCMT ref: 0101B68C
_wcslen.LIBCMT ref: 0101B6C7

Strings

REMOVE, xrefs: 0101B602, 0101B607
APPEND, xrefs: 0101B6C1, 0101B6C6
KEYS, xrefs: 0101B647, 0101B64C
EXISTS, xrefs: 0101B686, 0101B68B

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: db5cc2f033e14e9ce3333a026d440e6e2570b5a327a8659431f671696be4f246
Instruction ID: 344037a81e8ad4996cbbe34c8fae9f490b3d83c2d954e6abbb0ab0502a029b20
Opcode Fuzzy Hash: db5cc2f033e14e9ce3333a026d440e6e2570b5a327a8659431f671696be4f246
Instruction Fuzzy Hash: E7412932A000268BCB206F7DCC905BEBBF1BF78694B144569E5A1D7289F73DC881C790

Function 01025393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 010253A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 01025416
GetLastError.KERNEL32 ref: 01025420
SetErrorMode.KERNEL32(00000000,READY), ref: 010254A7

Strings

READONLY, xrefs: 01025452
NOTREADY, xrefs: 0102544B
READY, xrefs: 01025460, 01025468
INVALID, xrefs: 01025459
UNKNOWN, xrefs: 01025444

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8bf968f0f3c3e940781094b82272a955aca0e891e095b49871db0132b5152493
Instruction ID: 09bcd0a8200c8e2ae209060d5bab76cb7b44dae8602b93fb3a2c901d8677e1d1
Opcode Fuzzy Hash: 8bf968f0f3c3e940781094b82272a955aca0e891e095b49871db0132b5152493
Instruction Fuzzy Hash: B931A075A002149FE711DF68C984AEABBF4FF45309F048096E946CB292DB75ED46CB90

Function 01043C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 01043C79
SetMenu.USER32(?,00000000), ref: 01043C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01043D10
IsMenu.USER32(?), ref: 01043D24
CreatePopupMenu.USER32 ref: 01043D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01043D5B
DrawMenuBar.USER32 ref: 01043D63

Strings

F, xrefs: 01043D4E
0, xrefs: 01043C54

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 80e646026f6307c884699bf949e28201bb044dfb89809b3146799fdf846f1287
Instruction ID: 4f3265965213ce97a016f897a0070f44530edacb5266dcc77e4e031b1141f351
Opcode Fuzzy Hash: 80e646026f6307c884699bf949e28201bb044dfb89809b3146799fdf846f1287
Instruction Fuzzy Hash: BD418DB8A01219AFEB24DF64E984A9E7BF5FF49310F040068FAC69B350D735A910CF94

Function 01011FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 01013CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01013CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 01012043
GetDlgCtrlID.USER32 ref: 0101204E
GetParent.USER32 ref: 0101206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0101206D
GetDlgCtrlID.USER32(?), ref: 01012076
GetParent.USER32(?), ref: 0101208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0101208D

Strings

ListBox, xrefs: 01012002
ComboBox, xrefs: 01011FCD

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 94179b4190ef3499931684abe1a2c45b8f63ad891bb2d4a1ed05430b2d010fa0
Instruction ID: ae9c9961b5a7303f2d501f078f46581937d5c69dcd334541a8035bc550b5b835
Opcode Fuzzy Hash: 94179b4190ef3499931684abe1a2c45b8f63ad891bb2d4a1ed05430b2d010fa0
Instruction Fuzzy Hash: A921FFB5900218BBDF11AFA0CD84EFEBFB8AF08300F104045BA95A7196DA7E9404DB60

Function 01043A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01043A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01043AA0
GetWindowLongW.USER32(?,000000F0), ref: 01043AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01043AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01043B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 01043BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 01043BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 01043BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 01043BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 01043C13

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: efbd51dd73f3366a9a2f20f8aa8b1f22ab6d884532d08f3d0fc6daf648529621
Instruction ID: 1579072107cc0897af28ddc8dbca7ca3ed0a787975245045b42f99abb18caf7f
Opcode Fuzzy Hash: efbd51dd73f3366a9a2f20f8aa8b1f22ab6d884532d08f3d0fc6daf648529621
Instruction Fuzzy Hash: 7D6159B5900218AFDB20DFA8CC81EEE77F8BF09700F1041A9EA95AB291C774A945DB50

Function 0101B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0101B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0101A1E1,?,00000001), ref: 0101B165
GetWindowThreadProcessId.USER32(00000000), ref: 0101B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0101A1E1,?,00000001), ref: 0101B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0101B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0101A1E1,?,00000001), ref: 0101B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0101A1E1,?,00000001), ref: 0101B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0101A1E1,?,00000001), ref: 0101B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0101A1E1,?,00000001), ref: 0101B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0101A1E1,?,00000001), ref: 0101B21D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6ed0f184e855777b9a56b2332480f1bd168422173e8dd34e4a03273094b0895d
Instruction ID: 52e850520752afe0b3c44dd1b9ffeb3076f4ea892b1538d785d3e21a038d242c
Opcode Fuzzy Hash: 6ed0f184e855777b9a56b2332480f1bd168422173e8dd34e4a03273094b0895d
Instruction Fuzzy Hash: 0A31F5B5100604BFEB359F68D994FAD7BB9BB95711F108044FAC0CA188C7BDD8018F20

Function 00FE2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FE2C94

Part of subcall function 00FE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000), ref: 00FE29DE
Part of subcall function 00FE29C8: GetLastError.KERNEL32(00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000,00000000), ref: 00FE29F0

_free.LIBCMT ref: 00FE2CA0
_free.LIBCMT ref: 00FE2CAB
_free.LIBCMT ref: 00FE2CB6
_free.LIBCMT ref: 00FE2CC1
_free.LIBCMT ref: 00FE2CCC
_free.LIBCMT ref: 00FE2CD7
_free.LIBCMT ref: 00FE2CE2
_free.LIBCMT ref: 00FE2CED
_free.LIBCMT ref: 00FE2CFB

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: acee691b7dff52a68b8ec3917334d22aa886d9ab1f50b593634eaa98bb948c8e
Instruction ID: 84606fcfc17b61cd01b7b8bd839f31c9fd2f53774bdb59127380fe9b30c41a78
Opcode Fuzzy Hash: acee691b7dff52a68b8ec3917334d22aa886d9ab1f50b593634eaa98bb948c8e
Instruction Fuzzy Hash: 7811C67610014CAFCB82EF5ADC42CDD3BB9FF05350F425490F9485B222E639EA50BB91

Function 00FB1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FB1459
OleUninitialize.OLE32(?,00000000), ref: 00FB14F8
UnregisterHotKey.USER32(?), ref: 00FB16DD
DestroyWindow.USER32(?), ref: 00FF24B9
FreeLibrary.KERNEL32(?), ref: 00FF251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FF254B

Strings

close all, xrefs: 00FB1454

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 5ba635eca64b36eecf10872370d275f7d0717b14820326e104ec3005bde01452
Instruction ID: 7c9b9b19b913af0a14a7eabb4c3c2479231597fb8f4e303f563b4d915a34ea99
Opcode Fuzzy Hash: 5ba635eca64b36eecf10872370d275f7d0717b14820326e104ec3005bde01452
Instruction Fuzzy Hash: 73D1C231702212CFDB29EF15C9A9B69F7A1BF05710F5841ADE54AAB261CB34EC12EF50

Function 01027DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01027FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 01027FC1
GetFileAttributesW.KERNEL32(?), ref: 01027FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 01028005
SetCurrentDirectoryW.KERNEL32(?), ref: 01028017
SetCurrentDirectoryW.KERNEL32(?), ref: 01028060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 010280B0

Strings

*.*, xrefs: 01028066

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 0ca43ab246d35a145c8fa4c2d29e8a381e92118b8867db6bd5580a7e8e41faa2
Instruction ID: 2e349e69ef1395d745b00b4b663212f5cd725403fe0b498afc28bc4d7ef5533d
Opcode Fuzzy Hash: 0ca43ab246d35a145c8fa4c2d29e8a381e92118b8867db6bd5580a7e8e41faa2
Instruction Fuzzy Hash: 0881C2725043119BDB64EF18C8849AEB7E8BF98310F148C5EF9C5C7251E739E945CBA2

Function 00FB5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00FB5C7A

Part of subcall function 00FB5D0A: GetClientRect.USER32(?,?), ref: 00FB5D30
Part of subcall function 00FB5D0A: GetWindowRect.USER32(?,?), ref: 00FB5D71
Part of subcall function 00FB5D0A: ScreenToClient.USER32(?,?), ref: 00FB5D99

GetDC.USER32 ref: 00FF46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FF4708
SelectObject.GDI32(00000000,00000000), ref: 00FF4716
SelectObject.GDI32(00000000,00000000), ref: 00FF472B
ReleaseDC.USER32(?,00000000), ref: 00FF4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FF47C4

Strings

U, xrefs: 00FF4693

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 16883055be64d7cdea2924965c37357583419feed9a58c1cbf25ee7d0529f3a3
Instruction ID: f95c2f794b3199f8309eac597c0f52e84cb6eaa9a65b95b055d486045819d1e9
Opcode Fuzzy Hash: 16883055be64d7cdea2924965c37357583419feed9a58c1cbf25ee7d0529f3a3
Instruction Fuzzy Hash: B971F376800209DFCF219F64C984AFB7BB2FF4A364F144269EE919A179C335A841EF50

Function 0102359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 010235E4

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

LoadStringW.USER32(01082390,?,00000FFF,?), ref: 0102360A

Strings

Line %d (File "%s"):, xrefs: 0102366B
"%s" (%d) : ==> %s:, xrefs: 01023742
^ ERROR, xrefs: 010236C9
"%s" (%d) : ==> %s:%s%s, xrefs: 01023724
Error: , xrefs: 010236EF

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: bc4e59cbfc663ffbf7ed1ef6f4feffbec0ba40896db840c1dc46da686c24b7bf
Instruction ID: 7a7056087d6932037015b2adaac1e9281d33fe925db0ddabd15fba86aba58a04
Opcode Fuzzy Hash: bc4e59cbfc663ffbf7ed1ef6f4feffbec0ba40896db840c1dc46da686c24b7bf
Instruction Fuzzy Hash: 8A51A071C0021ABBDF24EBA1CC82EEEBB79BF14300F544165F24576051DB395A99EFA0

Function 0102C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0102C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0102C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0102C2CA
GetLastError.KERNEL32 ref: 0102C322
SetEvent.KERNEL32(?), ref: 0102C336
InternetCloseHandle.WININET(00000000), ref: 0102C341

Strings

, xrefs: 0102C2BB

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 02ef89064dafa8935bbc43d99a2f7e0f2993f18100162b27e060c68605fad0d5
Instruction ID: 521e8f971c50e9a5a91dbf990b22d4a2406256d073403268618df643fe5d3edb
Opcode Fuzzy Hash: 02ef89064dafa8935bbc43d99a2f7e0f2993f18100162b27e060c68605fad0d5
Instruction Fuzzy Hash: A831A2B1500614AFF731DF688B84AAF7BFCEB49644B04895DE4CAD3200DB75DA448B60

Function 0101989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00FF3AAF,?,?,Bad directive syntax error,0104CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 010198BC
LoadStringW.USER32(00000000,?,00FF3AAF,?), ref: 010198C3

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 01019987

Strings

., xrefs: 0101996D
Line %d (File "%s"):, xrefs: 0101992D
%s (%d) : ==> %s.: %s %s, xrefs: 010198F1
Line %d:, xrefs: 01019912
Error: , xrefs: 01019955

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 614f354ff2d36305073012bf7f0a4f88f4679a7eef3618a4d13c1b9b43444c6e
Instruction ID: 28b0163a08152313af14063ee6056dee99eb8c968a0247a3dc14c6dc21a19c39
Opcode Fuzzy Hash: 614f354ff2d36305073012bf7f0a4f88f4679a7eef3618a4d13c1b9b43444c6e
Instruction Fuzzy Hash: 7121A031C4021EBBDF11AF91CC46EEE7B76BF18304F044469F655660A2EB7A9658DF10

Function 0101209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 010120AB
GetClassNameW.USER32(00000000,?,00000100), ref: 010120C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0101214D

Strings

largeicons, xrefs: 010120E1
details, xrefs: 010120FB
SHELLDLL_DefView, xrefs: 010120CC
list, xrefs: 0101212F
smallicons, xrefs: 01012115

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 6e730aa9130c38932f496d9fcf5af03e1561afc4c66b2974cb628206411b3aba
Instruction ID: 6872161c5fefbdbff34f14ea41fc951f5e4823afac3801d4591210f27bde6b29
Opcode Fuzzy Hash: 6e730aa9130c38932f496d9fcf5af03e1561afc4c66b2974cb628206411b3aba
Instruction Fuzzy Hash: 02113D7E584306B6F6157524DC06CFA339CCB15324B30005AFB84A8096FA7D74015A18

Function 00FE8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85c585f87b38ac7ec176d0d37f9ccd66126197b84f65351b33e1393e7fc1d75
Instruction ID: 48425190d77af11c2b32ca5bfc872d0380ac03574edf7ca640afa96e3f296b60
Opcode Fuzzy Hash: f85c585f87b38ac7ec176d0d37f9ccd66126197b84f65351b33e1393e7fc1d75
Instruction Fuzzy Hash: F6C12775D082C99FCB11EFAACC40BAD7BB1AF09320F044199F559A7392C7798941EB70

Function 00FECE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FECEB7
_free.LIBCMT ref: 00FECF22
_free.LIBCMT ref: 00FECF48
_free.LIBCMT ref: 00FECF71
_free.LIBCMT ref: 00FECFA9
_free.LIBCMT ref: 00FECFDA
_free.LIBCMT ref: 00FED01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00FED09C
_free.LIBCMT ref: 00FED0B5

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 25a0ebe6e278a9aaac0911378e6fbd98e0a7d59347e170ba4b19bb2693ed01ce
Instruction ID: fcbff18871cdf071d1e6cde6d1df71ba479c73c54c2dcd36b3343c1e9bc74cf9
Opcode Fuzzy Hash: 25a0ebe6e278a9aaac0911378e6fbd98e0a7d59347e170ba4b19bb2693ed01ce
Instruction Fuzzy Hash: CD613B72D043C46FDB21AF769C41A6D7BA5AF05320F04416EF98197246E73A9D02B7A1

Function 010450D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 01045186
ShowWindow.USER32(?,00000000), ref: 010451C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 010451CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 010451D1

Part of subcall function 01046FBA: DeleteObject.GDI32(00000000), ref: 01046FE6

GetWindowLongW.USER32(?,000000F0), ref: 0104520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0104521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0104524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 01045287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 01045296

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: aa06062ed3d3470cb30185c1c93e956d62179caef898f43797832abba3887389
Instruction ID: d21710cf8813dec88a680676ac0ac6a0b35a72157ebd40dc425dbf9de134eb8f
Opcode Fuzzy Hash: aa06062ed3d3470cb30185c1c93e956d62179caef898f43797832abba3887389
Instruction Fuzzy Hash: CF51B5B0A41209BFFF309E28CDCABD93BA5FF45321F148062F695962E1D775A580DB41

Function 00FC8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 01006890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 010068A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 010068B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 010068D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 010068F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FC8874,00000000,00000000,00000000,000000FF,00000000), ref: 01006901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0100691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FC8874,00000000,00000000,00000000,000000FF,00000000), ref: 0100692D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: bd9ad2f3a676178766c0546e142e364066a1f0e181d4b939a533af1feb8ca0f4
Instruction ID: 8f7237f42310ca5ce58abd9a817eeee3cde6754f8147af49ae39fa26c6de8404
Opcode Fuzzy Hash: bd9ad2f3a676178766c0546e142e364066a1f0e181d4b939a533af1feb8ca0f4
Instruction Fuzzy Hash: 4F516DB0600206EFEB21CF24C986FAA7BB6FF84750F104518F986972D0DB76E951DB50

Function 0102C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0102C182
GetLastError.KERNEL32 ref: 0102C195
SetEvent.KERNEL32(?), ref: 0102C1A9

Part of subcall function 0102C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0102C272
Part of subcall function 0102C253: GetLastError.KERNEL32 ref: 0102C322
Part of subcall function 0102C253: SetEvent.KERNEL32(?), ref: 0102C336
Part of subcall function 0102C253: InternetCloseHandle.WININET(00000000), ref: 0102C341

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 232aedf45038018b8424d9fe5d94a60415572e710437672e3050c1fa87938896
Instruction ID: 640084dff43e9a1509816410361e1e9bb4bbc807213df7be13b10917ecf36c07
Opcode Fuzzy Hash: 232aedf45038018b8424d9fe5d94a60415572e710437672e3050c1fa87938896
Instruction Fuzzy Hash: AB31A0B5101651AFFB319FA9DB44A6EBBF8FF19200B00441DF99A83604DB36E414DBA0

Function 010125A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 01013A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01013A57
Part of subcall function 01013A3D: GetCurrentThreadId.KERNEL32 ref: 01013A5E
Part of subcall function 01013A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010125B3), ref: 01013A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 010125BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 010125DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 010125DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 010125E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 01012601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 01012605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0101260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 01012623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 01012627

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: accd2ec66694d5056f725708e02febd7befb873eae7f604a63714d180d40a7cb
Instruction ID: dc9f13e224ddc11458fa0f06c0b6388d65d3c85390d919aecb7b065fa3491c46
Opcode Fuzzy Hash: accd2ec66694d5056f725708e02febd7befb873eae7f604a63714d180d40a7cb
Instruction Fuzzy Hash: A301D871791210BBFB2066689DCAF593F59EB4EB11F500001F398AE0D8C9F624448BA9

Function 01011803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,01011449,?,?,00000000), ref: 0101180C
HeapAlloc.KERNEL32(00000000,?,01011449,?,?,00000000), ref: 01011813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01011449,?,?,00000000), ref: 01011828
GetCurrentProcess.KERNEL32(?,00000000,?,01011449,?,?,00000000), ref: 01011830
DuplicateHandle.KERNEL32(00000000,?,01011449,?,?,00000000), ref: 01011833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01011449,?,?,00000000), ref: 01011843
GetCurrentProcess.KERNEL32(01011449,00000000,?,01011449,?,?,00000000), ref: 0101184B
DuplicateHandle.KERNEL32(00000000,?,01011449,?,?,00000000), ref: 0101184E
CreateThread.KERNEL32(00000000,00000000,01011874,00000000,00000000,00000000), ref: 01011868

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 72a351420129b8021671a6c52212de14f23487cf284d129d59264ab2377bb0e2
Instruction ID: ced7f5abe87cf8049183c6992050c25ae0887f4cc5b7670900e200c84eb09805
Opcode Fuzzy Hash: 72a351420129b8021671a6c52212de14f23487cf284d129d59264ab2377bb0e2
Instruction Fuzzy Hash: 6601BFB5241304BFF720ABB5DE8DF573B6CEB89B11F004411FA45DB195C6759800CB20

Function 0103A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0101D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0101D501
Part of subcall function 0101D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0101D50F
Part of subcall function 0101D4DC: CloseHandle.KERNEL32(00000000), ref: 0101D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0103A16D
GetLastError.KERNEL32 ref: 0103A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0103A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0103A268
GetLastError.KERNEL32(00000000), ref: 0103A273
CloseHandle.KERNEL32(00000000), ref: 0103A2C4

Strings

SeDebugPrivilege, xrefs: 0103A18F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 58bf0a142bb3184e53ab1b3b7c6752b42eb0631f90ef3f215efef377c7d28de7
Instruction ID: 7efbd9fdcc761551708f6b1fb2cf14a92f82e6ceadb5430050687fcee52e1a6c
Opcode Fuzzy Hash: 58bf0a142bb3184e53ab1b3b7c6752b42eb0631f90ef3f215efef377c7d28de7
Instruction Fuzzy Hash: 4761B374204242DFE720DF19C494F6ABBE5AF84318F18848CE5E68B7A3C776E945CB91

Function 01043886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01043925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0104393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01043954
_wcslen.LIBCMT ref: 01043999
SendMessageW.USER32(?,00001057,00000000,?), ref: 010439C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 010439F4

Strings

SysListView32, xrefs: 010438F7

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 9a5e152c003ed892af0bcfd5e53ccace4329f1f3e68e02d86003adab1eb94f09
Instruction ID: 4c3704be7119cf9d01c791312b8dcd4247625003295a869204a19c8873c31b7e
Opcode Fuzzy Hash: 9a5e152c003ed892af0bcfd5e53ccace4329f1f3e68e02d86003adab1eb94f09
Instruction Fuzzy Hash: DE4197B1A00319ABEF219F64CC85BEE7BA9FF08350F10156AF994EB281D7759950CB90

Function 0101BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0101BCFD
IsMenu.USER32(00000000), ref: 0101BD1D
CreatePopupMenu.USER32 ref: 0101BD53
GetMenuItemCount.USER32(01625E98), ref: 0101BDA4
InsertMenuItemW.USER32(01625E98,?,00000001,00000030), ref: 0101BDCC

Strings

2, xrefs: 0101BD37
0, xrefs: 0101BCA8

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2f7bef85db78c9f44a797cfb0df7d3f38a429c97d19c8e7856b8a3a72adc8b78
Instruction ID: 7ffcce6f62ca112f8f4478ece3632145fe7639d5b7b8e87d4b77f64d61ced8be
Opcode Fuzzy Hash: 2f7bef85db78c9f44a797cfb0df7d3f38a429c97d19c8e7856b8a3a72adc8b78
Instruction Fuzzy Hash: BD5121706002059BEF28EFACC9C4BAEBFF4BF45314F544199E581DB288E7789941CB52

Function 0101C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0101C913

Strings

info, xrefs: 0101C8B4
question, xrefs: 0101C8CC
stop, xrefs: 0101C8E4
warning, xrefs: 0101C8FC
blank, xrefs: 0101C895

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: a673924f3ced525eb902be03f14d9d13dc3facfe3b9c71889165906184ef5db5
Instruction ID: d4a6c20b188f77d73c09d7fc629b4f3c1c792c19f9c79596279fddf0aee7c38e
Opcode Fuzzy Hash: a673924f3ced525eb902be03f14d9d13dc3facfe3b9c71889165906184ef5db5
Instruction Fuzzy Hash: CB110B316C9707BBB7015A589EC3C9E77DDEF05360B10006FF580AA286E77DE9005268

Function 01049F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC9BB2

GetSystemMetrics.USER32(0000000F), ref: 01049FC7
GetSystemMetrics.USER32(0000000F), ref: 01049FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0104A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0104A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0104A263
ShowWindow.USER32(00000003,00000000), ref: 0104A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0104A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0104A2CA

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 24ff3991109c64a05efcb0d0bce6da518b0020804cad51900617f483b96bfe40
Instruction ID: 524e1a3ddc5ae99f998ae8330b7f3b38dd7edd593df62f28fb3cb481e33048ab
Opcode Fuzzy Hash: 24ff3991109c64a05efcb0d0bce6da518b0020804cad51900617f483b96bfe40
Instruction Fuzzy Hash: A7B18AB1640215EBEB14CF6CCAC57AE3BF2BF48741F0481B9ED869B299D735A940CB50

Function 0101ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0101ED2A
_wcslen.LIBCMT ref: 0101ED3B
_wcslen.LIBCMT ref: 0101ED79
_wcslen.LIBCMT ref: 0101EDAF
_wcslen.LIBCMT ref: 0101EDDF
_wcslen.LIBCMT ref: 0101EDEF
_wcslen.LIBCMT ref: 0101EE2B
_wcslen.LIBCMT ref: 0101EE5A

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 7124936fba6156f1ffec1790a00116bcea5e754886dc97b52a8478161e7057d0
Instruction ID: b2c3b9482756ec7381cbd1213057c9cff8c5c0a63e0c9a90d23de417065f6896
Opcode Fuzzy Hash: 7124936fba6156f1ffec1790a00116bcea5e754886dc97b52a8478161e7057d0
Instruction Fuzzy Hash: 7E418365C1011876CB11EBB4CC8A9CFB7A9AF45710F548467FA14E3222FB38E255C7E6

Function 00FCF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0100682C,00000004,00000000,00000000), ref: 00FCF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0100682C,00000004,00000000,00000000), ref: 0100F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0100682C,00000004,00000000,00000000), ref: 0100F454

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c215e7a7c8265a730b5b29c30d29219e59a735144fd6cc9231184fe490b46c49
Instruction ID: fedf05df4ca5fb9bf36e11a06356e46dbf387706d8f88263680bf3f5991a1acc
Opcode Fuzzy Hash: c215e7a7c8265a730b5b29c30d29219e59a735144fd6cc9231184fe490b46c49
Instruction Fuzzy Hash: 30412E31918642BBEF798B2C8F89F69FF936B46320F04842DE5C756990C637A488E711

Function 01042D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01042D1B
GetDC.USER32(00000000), ref: 01042D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01042D2E
ReleaseDC.USER32(00000000,00000000), ref: 01042D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01042D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01042D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01045A65,?,?,000000FF,00000000,?,000000FF,?), ref: 01042DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01042DE1

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 11856e55cd5794d1c4d9a6cbcd148220496f58d50b257cd097ab4ca94383dc52
Instruction ID: b5e4bcc115bf929516129021f056c3b710f019ffa7ccbaeb7275de1b9358c96d
Opcode Fuzzy Hash: 11856e55cd5794d1c4d9a6cbcd148220496f58d50b257cd097ab4ca94383dc52
Instruction Fuzzy Hash: 0B31A2B62026147FFB214F54DD89FEB3FADEF09711F044065FE889A191C6759840C7A0

Function 01015622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 01015637
_memcmp.LIBVCRUNTIME ref: 01015659
_memcmp.LIBVCRUNTIME ref: 01015671
_memcmp.LIBVCRUNTIME ref: 01015684
_memcmp.LIBVCRUNTIME ref: 0101569E
_memcmp.LIBVCRUNTIME ref: 010156B1
_memcmp.LIBVCRUNTIME ref: 010156C9
_memcmp.LIBVCRUNTIME ref: 010156E4

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b6cb62ee0745b40035f88b2060a8d4b56a6adc6619584d1c6c5bad3576f9edf0
Instruction ID: 7e35713f8b23e8d8f33cf938b2dc210dd3a0cedd4f43bb26f09d7cac159206ad
Opcode Fuzzy Hash: b6cb62ee0745b40035f88b2060a8d4b56a6adc6619584d1c6c5bad3576f9edf0
Instruction Fuzzy Hash: E921C9A174020ABBE21465296EC2FFE339DBF97284F080425FD849F646F76CED1085E5

Function 01034FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0103502E, 01035383
Not an Object type, xrefs: 01035007

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: c160154364c996de9a4025683152bae386a837bfb84a5ae1e91e805d76c865d3
Instruction ID: 092b4769224ef4be8dccec49b0e2acec2e3a9016cf203a267795e5f110aa7129
Opcode Fuzzy Hash: c160154364c996de9a4025683152bae386a837bfb84a5ae1e91e805d76c865d3
Instruction Fuzzy Hash: D3D18375A0020A9FDF10CF98CC84BAEB7F9BF88314F148469F995AB291E771D945CB90

Function 00FF1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00FF15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00FF1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FF16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00FF16FB

Part of subcall function 00FE3820: RtlAllocateHeap.NTDLL(00000000,?,01081444,?,00FCFDF5,?,?,00FBA976,00000010,01081440,00FB13FC,?,00FB13C6,?,00FB1129), ref: 00FE3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FF1777
__freea.LIBCMT ref: 00FF17A2
__freea.LIBCMT ref: 00FF17AE

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: a1f016196e4515349f120fdc18f92b2ddded09100835251eeac01770553e4286
Instruction ID: 7c0f7986c114d0d166cd3bb4d208194c55ca1c80e7e0ff6e021d7e32f54be750
Opcode Fuzzy Hash: a1f016196e4515349f120fdc18f92b2ddded09100835251eeac01770553e4286
Instruction Fuzzy Hash: 6F91B172E0021EDADB209E75CD81AFE7BB5BF49320F1C0659EA05E7160DB25DD44EBA0

Function 01034523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01034648
VariantInit.OLEAUT32(?), ref: 01034749
VariantClear.OLEAUT32(?), ref: 01034753
VariantClear.OLEAUT32(?), ref: 010347B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0103472C
Null Object assignment in FOR..IN loop, xrefs: 010345D8, 01034706, 010347BE

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 0769d7fecf1c7b6a97f650e596c8d66ba1db5645b01ed1d81e79b6fafd25be6b
Instruction ID: 5a238775f61989ea5ccb6a98784eda8e48c0122c0aec045c85f26808fe50a202
Opcode Fuzzy Hash: 0769d7fecf1c7b6a97f650e596c8d66ba1db5645b01ed1d81e79b6fafd25be6b
Instruction Fuzzy Hash: 52916B71A00219ABDF25CFA9C888FAEBBB8FF85710F108559F545EF281D7709945CBA0

Function 01021187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0102125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 01021284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 010212A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010212D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0102135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010213C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 01021430

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 90326e405c973f6055abcb48b6d94685ce345dee3f76c81ce6b25ea95ebc6cf4
Instruction ID: e8d5e5bd11d7040642a18cf0201162fff677dc2870bcf695898292b8a687705e
Opcode Fuzzy Hash: 90326e405c973f6055abcb48b6d94685ce345dee3f76c81ce6b25ea95ebc6cf4
Instruction Fuzzy Hash: 7C9107B5900229AFEB10DF98C884BFEB7B5FF45314F104069FA80E7291DB79A945CB90

Function 00FC948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9969972717cb98195d0667bd97abb715e5bab3be6ecc1342408cc292c45ac4b3
Instruction ID: ee54861d7cf8b877c586b4bbddd3d9442919de9988b375ea6e7bb010dc2d50ae
Opcode Fuzzy Hash: 9969972717cb98195d0667bd97abb715e5bab3be6ecc1342408cc292c45ac4b3
Instruction Fuzzy Hash: B1915771D0420AAFDB11CFA9CD89EEEBBB8FF49320F148449E551B7291D378A941DB60

Function 01033947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0103396B
CharUpperBuffW.USER32(?,?), ref: 01033A7A
_wcslen.LIBCMT ref: 01033A8A
VariantClear.OLEAUT32(?), ref: 01033C1F

Part of subcall function 01020CDF: VariantInit.OLEAUT32(00000000), ref: 01020D1F
Part of subcall function 01020CDF: VariantCopy.OLEAUT32(?,?), ref: 01020D28
Part of subcall function 01020CDF: VariantClear.OLEAUT32(?), ref: 01020D34

Strings

AUTOIT.ERROR, xrefs: 01033A80, 01033A85
Incorrect Parameter format, xrefs: 010339A6, 01033BA1

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: bf68a4de4d9befa8e3939f31797d025cbfe38d8bd575616e096b450be77d4d26
Instruction ID: 4a1d3f838b1aab320dfcb891dc8385674e9edf1bb3b1cb27df405433bf3754a5
Opcode Fuzzy Hash: bf68a4de4d9befa8e3939f31797d025cbfe38d8bd575616e096b450be77d4d26
Instruction Fuzzy Hash: D0915974A083059FC714DF29C58196ABBE8FFC9314F04886DF9899B351DB35E905CB92

Function 01034BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0101000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?,?,?,0101035E), ref: 0101002B
Part of subcall function 0101000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?,?), ref: 01010046
Part of subcall function 0101000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?,?), ref: 01010054
Part of subcall function 0101000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?), ref: 01010064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 01034C51
_wcslen.LIBCMT ref: 01034D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 01034DCF
CoTaskMemFree.OLE32(?), ref: 01034DDA

Strings

NULL Pointer assignment, xrefs: 01034E23, 01034E52

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 3417fd956037cd0b90015fbb3745fe200a76f032c4c4a14390d2441d4c7a91f1
Instruction ID: d5fd66cc1c08143291a63e6161c1aa7adec4632e16457e3093f494720b0cd619
Opcode Fuzzy Hash: 3417fd956037cd0b90015fbb3745fe200a76f032c4c4a14390d2441d4c7a91f1
Instruction Fuzzy Hash: 44911771D0021DAFDF15DFA5CC90AEEBBB9BF48310F10816AE955AB241DB749A44CFA0

Function 010420FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 01042183
GetMenuItemCount.USER32(00000000), ref: 010421B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 010421DD
_wcslen.LIBCMT ref: 01042213
GetMenuItemID.USER32(?,?), ref: 0104224D
GetSubMenu.USER32(?,?), ref: 0104225B

Part of subcall function 01013A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01013A57
Part of subcall function 01013A3D: GetCurrentThreadId.KERNEL32 ref: 01013A5E
Part of subcall function 01013A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010125B3), ref: 01013A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 010422E3

Part of subcall function 0101E97B: Sleep.KERNEL32 ref: 0101E9F3

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 8d519b730f395c9a4811ad61ddcf9abf1b836f20a3b60d2c344b2931f01c5845
Instruction ID: dc5f6c3ad76a1bd948e42fc6426f2391271c78437f73c9bbed628964f8444e65
Opcode Fuzzy Hash: 8d519b730f395c9a4811ad61ddcf9abf1b836f20a3b60d2c344b2931f01c5845
Instruction Fuzzy Hash: 8F7192B5A00205AFCB10DF69D981AAEBBF1EF48310F1484A9F956EB345D734A9418F90

Function 0101AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0101AEF9
GetKeyboardState.USER32(?), ref: 0101AF0E
SetKeyboardState.USER32(?), ref: 0101AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0101AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0101AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0101AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0101B020

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a525477714e44b0d051c2ef0174336db3c7e83cc401f609a255ead36e329d7ce
Instruction ID: d3e321d5ad8f2c3e79ff8acbb2a54f235b92e532d6a2875c9f8c06dfb0bec25e
Opcode Fuzzy Hash: a525477714e44b0d051c2ef0174336db3c7e83cc401f609a255ead36e329d7ce
Instruction Fuzzy Hash: 6151D1A0A057D57DFB3782788845BBABEE95B06304F0885CDF2D9468C7C39DA8C8D760

Function 0101ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0101AD19
GetKeyboardState.USER32(?), ref: 0101AD2E
SetKeyboardState.USER32(?), ref: 0101AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0101ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0101ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0101AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0101AE38

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 039ac5a131498e9e7a40896ac07014e6a4d2b6f5ab3b8b41f2be0b40ec07ea16
Instruction ID: 99d91cfcc7b44c6ef6283dbc57b2f6aa96953c0d1b194b4c6d40848e2ac7199a
Opcode Fuzzy Hash: 039ac5a131498e9e7a40896ac07014e6a4d2b6f5ab3b8b41f2be0b40ec07ea16
Instruction Fuzzy Hash: C451E6A17067D57EFB3392388C95BBA7EE85B46304F0884C8E1D6474C7C2ACE898D760

Function 00FE542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00FF3CD6,?,?,?,?,?,?,?,?,00FE5BA3,?,?,00FF3CD6,?,?), ref: 00FE5470
__fassign.LIBCMT ref: 00FE54EB
__fassign.LIBCMT ref: 00FE5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00FF3CD6,00000005,00000000,00000000), ref: 00FE552C
WriteFile.KERNEL32(?,00FF3CD6,00000000,00FE5BA3,00000000,?,?,?,?,?,?,?,?,?,00FE5BA3,?), ref: 00FE554B
WriteFile.KERNEL32(?,?,00000001,00FE5BA3,00000000,?,?,?,?,?,?,?,?,?,00FE5BA3,?), ref: 00FE5584

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 64d65abc6fc38b212ee8576d5a3b2355a05f11addaac1f101065d479b2f3d714
Instruction ID: 87750800e593e6ea42c5f75c979658d7f83324735488147074fd5150cc1ddbcb
Opcode Fuzzy Hash: 64d65abc6fc38b212ee8576d5a3b2355a05f11addaac1f101065d479b2f3d714
Instruction Fuzzy Hash: 0251F4B1E007899FDB10CFA9D885AEEBBF9EF09714F18401AF955E7291D7309A40CB61

Function 00FD2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00FD2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00FD2D53
_ValidateLocalCookies.LIBCMT ref: 00FD2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00FD2E0C
_ValidateLocalCookies.LIBCMT ref: 00FD2E61

Strings

csm, xrefs: 00FD2DF6

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 811ead290f6ca6e25e7ab806dd53471c821e59ea5a97166d6f1da7c9be1d91d1
Instruction ID: f4f419129e76a745e7193962e0fa2c70289b89ed1623df99a0da5806d9ff5a3e
Opcode Fuzzy Hash: 811ead290f6ca6e25e7ab806dd53471c821e59ea5a97166d6f1da7c9be1d91d1
Instruction Fuzzy Hash: 6D41D235E00209ABCF10DF68CC85A9EBBB7BF54324F188156F9146B352D7369A01EBD1

Function 010310B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0103304E: inet_addr.WSOCK32(?), ref: 0103307A
Part of subcall function 0103304E: _wcslen.LIBCMT ref: 0103309B

socket.WSOCK32(00000002,00000001,00000006), ref: 01031112
WSAGetLastError.WSOCK32 ref: 01031121
WSAGetLastError.WSOCK32 ref: 010311C9
closesocket.WSOCK32(00000000), ref: 010311F9

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 7cde7b6ac8633170911b9ccbe3567097361c889f1e9b0f01fcc607236720d319
Instruction ID: 852b0721eb4c9df7a78454de07223be2b961de69cd1adda68514094cdcb42d6a
Opcode Fuzzy Hash: 7cde7b6ac8633170911b9ccbe3567097361c889f1e9b0f01fcc607236720d319
Instruction Fuzzy Hash: 4B41D9756001049FE7109F14C984BEAB7EDFF85364F048099FC959B285C775AD41CBE1

Function 0101CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0101DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0101CF22,?), ref: 0101DDFD

Part of subcall function 0101DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0101CF22,?), ref: 0101DE16

lstrcmpiW.KERNEL32(?,?), ref: 0101CF45
MoveFileW.KERNEL32(?,?), ref: 0101CF7F
_wcslen.LIBCMT ref: 0101D005
_wcslen.LIBCMT ref: 0101D01B
SHFileOperationW.SHELL32(?), ref: 0101D061

Strings

\*.*, xrefs: 0101CFF3

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: eb6efa8210daa6223b92e182b865afc7adcdae302984862ffc167375960af6b6
Instruction ID: bf90a73e4dddbc2d07c81562cd00f78fea401f18f8ce394ea67085a2c44229d3
Opcode Fuzzy Hash: eb6efa8210daa6223b92e182b865afc7adcdae302984862ffc167375960af6b6
Instruction Fuzzy Hash: 754158719451195FEF52EFA4CE81ADD77F8AF08380F0400EAD549EB145EB39E644CB50

Function 01042DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01042E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 01042E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 01042E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01042EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 01042EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 01042EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 01042F0B

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 45676e78c04450f6f6a4d4217427411d6f5b28d6a897a14f045754ae194806ae
Instruction ID: 320ea6dc2e74fc20058ff8168729c98e1f3c40bd74e4faf057fe88361234f151
Opcode Fuzzy Hash: 45676e78c04450f6f6a4d4217427411d6f5b28d6a897a14f045754ae194806ae
Instruction Fuzzy Hash: D33114B4705140AFEB31CF59EDC4F6937E0EB4A710F1501A4FAD48B2A6CB76A841DB40

Function 01017726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01017769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0101778F
SysAllocString.OLEAUT32(00000000), ref: 01017792
SysAllocString.OLEAUT32(?), ref: 010177B0
SysFreeString.OLEAUT32(?), ref: 010177B9
StringFromGUID2.OLE32(?,?,00000028), ref: 010177DE
SysAllocString.OLEAUT32(?), ref: 010177EC

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 263a9c984b3b14688baa926bf1a4fd050a2fdd96b8821ed74c820d9ac46cc6c4
Instruction ID: 7c74563e06a2289fe3c83db1da9f979c8a893b40b7086a8608178a55c058d577
Opcode Fuzzy Hash: 263a9c984b3b14688baa926bf1a4fd050a2fdd96b8821ed74c820d9ac46cc6c4
Instruction Fuzzy Hash: 6B21F47A600209AFEF10EEACCE88DBB77ECFB09360B008065FA55CB155DA78DC418760

Function 010177FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01017842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01017868
SysAllocString.OLEAUT32(00000000), ref: 0101786B
SysAllocString.OLEAUT32 ref: 0101788C
SysFreeString.OLEAUT32 ref: 01017895
StringFromGUID2.OLE32(?,?,00000028), ref: 010178AF
SysAllocString.OLEAUT32(?), ref: 010178BD

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d75f7c36c21147aefcf10f269199941ad7cc0f2473926bd00514859cf9605d4f
Instruction ID: e45170af0632a4299dbba1e6259ebc1a1ee6f489e6c41fe15c492e331c763ed7
Opcode Fuzzy Hash: d75f7c36c21147aefcf10f269199941ad7cc0f2473926bd00514859cf9605d4f
Instruction Fuzzy Hash: 4B21D375600204AFEB10AFBCCD88DBA77ECEB093607108025F955CB2A9DA78DC41CB74

Function 010205A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 010205C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01020601

Strings

nul, xrefs: 01020639

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9e51155dcfdc4b220d6c0ef6a704bee9f058238131a24a50367285645aa7ac36
Instruction ID: f278eca44fc3b19ac8a3e391566578a5deb120ff713a81c6d59821a442cc63ab
Opcode Fuzzy Hash: 9e51155dcfdc4b220d6c0ef6a704bee9f058238131a24a50367285645aa7ac36
Instruction Fuzzy Hash: 2921B7755003259FEB309F6DC948A9AB7E8BF89724F300A59F9E1D72E8D7B19540CB10

Function 010204D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 010204F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0102052E

Strings

nul, xrefs: 01020567

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 97e235d0a4ead5be97bac1447cfa1fd0c149858191ddce85ec865082bd051e48
Instruction ID: 498becabaaf189deb0e0af3163bc2a1cf922b1dad7de975c61cfcae5dfeefa8d
Opcode Fuzzy Hash: 97e235d0a4ead5be97bac1447cfa1fd0c149858191ddce85ec865082bd051e48
Instruction Fuzzy Hash: 3E21BFB4600329EFEB208F29D944A9BBBF4AF44720F204A58F9E1D72E8D7709540CB60

Function 010440AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FB604C
Part of subcall function 00FB600E: GetStockObject.GDI32(00000011), ref: 00FB6060
Part of subcall function 00FB600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FB606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01044112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0104411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0104412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01044139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01044145

Strings

Msctls_Progress32, xrefs: 010440E3

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8831fe2b7316dd7f6e6645f9fe543fd11f41fa11ffacec137addd7eef1b31406
Instruction ID: a145b7533c54ec7d5d7c9247f6e6ecfc236db080dc8adfe2ac8a27c918c4920b
Opcode Fuzzy Hash: 8831fe2b7316dd7f6e6645f9fe543fd11f41fa11ffacec137addd7eef1b31406
Instruction Fuzzy Hash: 5711B2B215021DBFFF219E65CC85EEB7F9DEF08798F018121BA58E6050C6769C21DBA4

Function 00FED7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FED7A3: _free.LIBCMT ref: 00FED7CC

_free.LIBCMT ref: 00FED82D

Part of subcall function 00FE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000), ref: 00FE29DE
Part of subcall function 00FE29C8: GetLastError.KERNEL32(00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000,00000000), ref: 00FE29F0

_free.LIBCMT ref: 00FED838
_free.LIBCMT ref: 00FED843
_free.LIBCMT ref: 00FED897
_free.LIBCMT ref: 00FED8A2
_free.LIBCMT ref: 00FED8AD
_free.LIBCMT ref: 00FED8B8

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: d6632e52926183d9b920c9900ebd21d0d8d55cbfbc91fd1fa1c4db14a1be4434
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 01115171540B88AAD521BFB2CC47FCB7BEC6F00700F400825B699A6893DA6DB5057651

Function 0101DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0101DA74
LoadStringW.USER32(00000000), ref: 0101DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0101DA91
LoadStringW.USER32(00000000), ref: 0101DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0101DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0101DAB9

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 4bad4bec1c95d3a89e666bc70d73ac6664d8b031c5721e537a106e6ee21eab7b
Instruction ID: e70fb2cef8cdf819356c3bb68330ce9cd91c5bd45bc73d132d7bb0cf352de3a4
Opcode Fuzzy Hash: 4bad4bec1c95d3a89e666bc70d73ac6664d8b031c5721e537a106e6ee21eab7b
Instruction Fuzzy Hash: 630162F69002087FF710DBE49FC9EEB376CE708205F404495B786E2045EA79AE844B74

Function 0102096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(01621628,01621628), ref: 0102097B
EnterCriticalSection.KERNEL32(01621608,00000000), ref: 0102098D
TerminateThread.KERNEL32(454D414E,000001F6), ref: 0102099B
WaitForSingleObject.KERNEL32(454D414E,000003E8), ref: 010209A9
CloseHandle.KERNEL32(454D414E), ref: 010209B8
InterlockedExchange.KERNEL32(01621628,000001F6), ref: 010209C8
LeaveCriticalSection.KERNEL32(01621608), ref: 010209CF

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e63dd1efb1bcb47dff1a29c9cb463de81d1616b16e0ee74dbef4131b781ff3c7
Instruction ID: 19ecaa60ef02c6d75ebc86adce9c0f4603a59a151cdb87e7ffbb69a08a81a50f
Opcode Fuzzy Hash: e63dd1efb1bcb47dff1a29c9cb463de81d1616b16e0ee74dbef4131b781ff3c7
Instruction Fuzzy Hash: 76F01D71543A12BBF7615B94EFC8AD67A25BF05702F401015F24250898C7BA9465CF90

Function 00FB5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00FB5D30
GetWindowRect.USER32(?,?), ref: 00FB5D71
ScreenToClient.USER32(?,?), ref: 00FB5D99
GetClientRect.USER32(?,?), ref: 00FB5ED7
GetWindowRect.USER32(?,?), ref: 00FB5EF8

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 185a1cbc7dafef6ca8e5a8c2efa35cfcc9d540cf5102014076cced287fb993f3
Instruction ID: a61f4db8e5ef0611802e10de6ee7052a5aa9b33c8682dea4ab61b376a9a1a522
Opcode Fuzzy Hash: 185a1cbc7dafef6ca8e5a8c2efa35cfcc9d540cf5102014076cced287fb993f3
Instruction Fuzzy Hash: 93B17839A0064ADBDB10CFA9C5807FAB7F1FF48310F14851AE8A9D7250DB38EA41EB54

Function 00FE01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00FE00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE00D6
__allrem.LIBCMT ref: 00FE00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE010B
__allrem.LIBCMT ref: 00FE0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE0140

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 026ca594da2dcfc5d8aeb74fabaff42bb8d9d98c81d00ff72e2fe4ccdfb0df03
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 8481F872A007469BE7209F6ACC41B6B73E9AF41334F28463AF551DB3C1EBB8D944A750

Function 01031D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01033149: select.WSOCK32(00000000,?,00000000,00000000,?), ref: 01033195

__WSAFDIsSet.WSOCK32(00000000,?), ref: 01031DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01031DE1
WSAGetLastError.WSOCK32 ref: 01031DF2
inet_ntoa.WSOCK32(?), ref: 01031E8C
htons.WSOCK32(?), ref: 01031EDB
_strlen.LIBCMT ref: 01031F35

Part of subcall function 010139E8: _strlen.LIBCMT ref: 010139F2

Part of subcall function 00FB6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00FCCF58,?,?,?), ref: 00FB6DBA
Part of subcall function 00FB6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00FCCF58,?,?,?), ref: 00FB6DED

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: d1ddcabececa05292004cb0e92e41bf96718004cc96fd5ddeb3253ca97363693
Instruction ID: 34d9d33825c85bf282a13c0a3d778b44c513832606a666ebd6a19247ea10bb58
Opcode Fuzzy Hash: d1ddcabececa05292004cb0e92e41bf96718004cc96fd5ddeb3253ca97363693
Instruction Fuzzy Hash: 5CA1E130104301AFD324EF25C885F6A7BE9AFD8318F54898CF5965B2A2CB75ED46CB91

Function 00FE61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00FD82D9,00FD82D9,?,?,?,00FE644F,00000001,00000001,8BE85006), ref: 00FE6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00FE644F,00000001,00000001,8BE85006,?,?,?), ref: 00FE62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00FE63D8
__freea.LIBCMT ref: 00FE63E5

Part of subcall function 00FE3820: RtlAllocateHeap.NTDLL(00000000,?,01081444,?,00FCFDF5,?,?,00FBA976,00000010,01081440,00FB13FC,?,00FB13C6,?,00FB1129), ref: 00FE3852

__freea.LIBCMT ref: 00FE63EE
__freea.LIBCMT ref: 00FE6413

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d9aa46f1f7de38cbbe3f3915fe69d7ed673338f651c1c0efb217984722441edb
Instruction ID: faf0c06a8c78864d18544db5e14937253d1f64a9ca001dba26d767ceb54ff67a
Opcode Fuzzy Hash: d9aa46f1f7de38cbbe3f3915fe69d7ed673338f651c1c0efb217984722441edb
Instruction Fuzzy Hash: 6F51F572A0029AAFEF258F66CC81EAF77A9EF547A0F144229FD05D7240DB34DC40E660

Function 0103BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 0103C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0103B6AE,?,?), ref: 0103C9B5
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103C9F1
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103CA68
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0103BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0103BD25
RegCloseKey.ADVAPI32(00000000), ref: 0103BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0103BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0103BDF3
RegCloseKey.ADVAPI32(?), ref: 0103BDFF

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 5c4835e7b218c52b105863d0a83890281823a585ab0d7d2027d3ad19b26587ab
Instruction ID: 2b0e30936de854faa575d7bb7fff38d4bae99d157c43865404b696fa122200e1
Opcode Fuzzy Hash: 5c4835e7b218c52b105863d0a83890281823a585ab0d7d2027d3ad19b26587ab
Instruction Fuzzy Hash: 7081B570208241AFD714EF24C885E6ABBE9FF84308F14459DF5954B292DB35ED45CF92

Function 0100F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0100F7B9
SysAllocString.OLEAUT32(00000001), ref: 0100F860
VariantCopy.OLEAUT32(0100FA64,00000000), ref: 0100F889
VariantClear.OLEAUT32(0100FA64), ref: 0100F8AD
VariantCopy.OLEAUT32(0100FA64,00000000), ref: 0100F8B1
VariantClear.OLEAUT32(?), ref: 0100F8BB

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 3e3a2fc2ff03a71502b53bd32490438c038fa5dc8d6cf3b1b5898274b67ea3cc
Instruction ID: b8c252ba667cdc0c42d92e7b5ab9960f8fb49a9428a87acb589689e1a1c1ca6e
Opcode Fuzzy Hash: 3e3a2fc2ff03a71502b53bd32490438c038fa5dc8d6cf3b1b5898274b67ea3cc
Instruction Fuzzy Hash: AC512435600312BBEF36AB65D885B6DB3E8EF45310F14845AE942DF2C5DB748840EBA7

Function 0102910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00FB7620: _wcslen.LIBCMT ref: 00FB7625

Part of subcall function 00FB6B57: _wcslen.LIBCMT ref: 00FB6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 010294E5
_wcslen.LIBCMT ref: 01029506
_wcslen.LIBCMT ref: 0102952D
GetSaveFileNameW.COMDLG32(00000058), ref: 01029585

Strings

X, xrefs: 01029412

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 4a29d666a85445d05d92ab3a7c32e56ec6bb4b77ac11663a9d03e230df329e65
Instruction ID: 000f5e559b08a338f50056a20ec1322aa5f8ddca5425870be2d4c7fa18a83911
Opcode Fuzzy Hash: 4a29d666a85445d05d92ab3a7c32e56ec6bb4b77ac11663a9d03e230df329e65
Instruction Fuzzy Hash: 61E1B4716083218FD724DF25C881AAEB7E4BF85314F18856DF9899B2A2DB35DD04CF92

Function 00FC920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC9BB2

BeginPaint.USER32(?,?,?), ref: 00FC9241
GetWindowRect.USER32(?,?), ref: 00FC92A5
ScreenToClient.USER32(?,?), ref: 00FC92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FC92D3
EndPaint.USER32(?,?,?,?,?), ref: 00FC9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 010071EA

Part of subcall function 00FC9339: BeginPath.GDI32(00000000), ref: 00FC9357

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: c46302045d1f4bb49cedd9a1fd13179838241d3ca5e478fa87909b980a1ba58e
Instruction ID: 7da136d0e22551f5e3423e744b74df9cbf48989d59b267dbd0ace3197f03934e
Opcode Fuzzy Hash: c46302045d1f4bb49cedd9a1fd13179838241d3ca5e478fa87909b980a1ba58e
Instruction Fuzzy Hash: D541A271109201AFE721DF18C989FAA7BA9FF45320F04066DF9D4871E1C77AA845EB61

Function 010207EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0102080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 01020847
EnterCriticalSection.KERNEL32(?), ref: 01020863
LeaveCriticalSection.KERNEL32(?), ref: 010208DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 010208F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 01020921

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c66892b3943ee1f9165f2254ad6284250af01b7be5e1e0f48cc6f831426c8079
Instruction ID: c7f5e20f13c9c2346443fbf6fe2dfcf9a7c220c7ff622466f78f5baaff8db022
Opcode Fuzzy Hash: c66892b3943ee1f9165f2254ad6284250af01b7be5e1e0f48cc6f831426c8079
Instruction Fuzzy Hash: 8C41CE71A00205EFEF14AF54DD81A6AB7B9FF04300F0480A9FD00AA29BDB75DE14DBA0

Function 010481DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0100F3AB,00000000,?,?,00000000,?,0100682C,00000004,00000000,00000000), ref: 0104824C
EnableWindow.USER32(00000000,00000000), ref: 01048272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 010482D1
ShowWindow.USER32(00000000,00000004), ref: 010482E5
EnableWindow.USER32(00000000,00000001), ref: 0104830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0104832F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: fe1be939eb93577da544e9f1b8965cf32d664d639295ba260cd51e7d17e446ca
Instruction ID: 0665acbd40f1318a130acc5fa02f0a40509473ca6d30bf1dba349c34ac2a6c96
Opcode Fuzzy Hash: fe1be939eb93577da544e9f1b8965cf32d664d639295ba260cd51e7d17e446ca
Instruction Fuzzy Hash: 6141B7B4601644AFEB61CF58C6C9BE87BE0BF09715F1885F6E6D84B263C3366441CB50

Function 010322DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 010322E8

Part of subcall function 0102E4EC: GetWindowRect.USER32(?,?), ref: 0102E504

GetDesktopWindow.USER32 ref: 01032312
GetWindowRect.USER32(00000000), ref: 01032319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 01032355
GetCursorPos.USER32(?), ref: 01032381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010323DF

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: b71f016fe205c505e3097a6ccf34b29de3fdb796ff9b0888a15d1410bcc73d40
Instruction ID: f296174905ce5a3d0fb34751efb2433791996f312031a76fde2f0c393be9c36a
Opcode Fuzzy Hash: b71f016fe205c505e3097a6ccf34b29de3fdb796ff9b0888a15d1410bcc73d40
Instruction Fuzzy Hash: C531CFB2505305ABD721DF18C944A9BBBEDFFC8310F004A19F9C597181DB35EA08CB92

Function 01014C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 01014C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 01014CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 01014CEA
_wcslen.LIBCMT ref: 01014D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 01014D10
_wcsstr.LIBVCRUNTIME ref: 01014D1A

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 114dead5f1c187905f98fd3bcbbda5b9d2fc306040461545329cf217017bf62b
Instruction ID: 087dcd25107fb5444c78694dd6fb639438f68a6eacc45400183a5c746f6858c1
Opcode Fuzzy Hash: 114dead5f1c187905f98fd3bcbbda5b9d2fc306040461545329cf217017bf62b
Instruction Fuzzy Hash: C52149712042047BFB656B39AD49E7F7BDDDF49710F00806DF845CA1A6EB79D80093A0

Function 0102581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB3A97,?,?,00FB2E7F,?,?,?,00000000), ref: 00FB3AC2

_wcslen.LIBCMT ref: 0102587B
CoInitialize.OLE32(00000000), ref: 01025995
CoCreateInstance.OLE32(0104FCF8,00000000,00000001,0104FB68,?), ref: 010259AE
CoUninitialize.OLE32 ref: 010259CC

Strings

.lnk, xrefs: 01025876, 010258C1, 01025985

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 2368df89892a96c5b9102042b0c959a1b6e0cdcc282edcb6d6d944dc72572f39
Instruction ID: 93dd557dcb1f742013bcc0586aec151e040127b638a65a39983c50f9c78d6406
Opcode Fuzzy Hash: 2368df89892a96c5b9102042b0c959a1b6e0cdcc282edcb6d6d944dc72572f39
Instruction Fuzzy Hash: 71D155746043119FC714DF19C884AAABBE5EF89710F14889DF8899B361DB35EC45CF92

Function 0101175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01010FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01010FCA
Part of subcall function 01010FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01010FD6
Part of subcall function 01010FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01010FE5
Part of subcall function 01010FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01010FEC
Part of subcall function 01010FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01011002

GetLengthSid.ADVAPI32(?,00000000,01011335), ref: 010117AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 010117BA
HeapAlloc.KERNEL32(00000000), ref: 010117C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 010117DA
GetProcessHeap.KERNEL32(00000000,00000000,01011335), ref: 010117EE
HeapFree.KERNEL32(00000000), ref: 010117F5

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 505ebd46a3ac81d2c1094df4c501853f254396dcd108fa073fe145c629e4e85b
Instruction ID: aa345e6728056d9b2cd7123a568bffb3733f04037d4a36113f2b01fb5b3be9cb
Opcode Fuzzy Hash: 505ebd46a3ac81d2c1094df4c501853f254396dcd108fa073fe145c629e4e85b
Instruction Fuzzy Hash: A011A275502205FFEB249FA8CE49BAE7BF9FB42255F144098F6C197208C73A9940CB60

Function 010114CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 010114FF
OpenProcessToken.ADVAPI32(00000000), ref: 01011506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 01011515
CloseHandle.KERNEL32(00000004), ref: 01011520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0101154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 01011563

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b302b1ca2c4cd93e0424710398aa44e919689e7dc156040b65c8f421c08f0c5f
Instruction ID: 1a15e7f80468fcbf8ac8c6c088a18fe20af40e4002ffac4c167d785a33308818
Opcode Fuzzy Hash: b302b1ca2c4cd93e0424710398aa44e919689e7dc156040b65c8f421c08f0c5f
Instruction Fuzzy Hash: 9A112CB6601209EBEF21CFA8DE49BDE7BA9FF08744F044055FB45A2054C37A8E60DB61

Function 00FD3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FD3379,00FD2FE5), ref: 00FD3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FD339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FD33B7
SetLastError.KERNEL32(00000000,?,00FD3379,00FD2FE5), ref: 00FD3409

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8813da73d9da57756babf923bb9d9462ce70132e270f61c26fbbf0fbcc3869ce
Instruction ID: 174d9ddd0234fca27e3897e3b66e442539ba6197ae004aa102e27f9df506b6d5
Opcode Fuzzy Hash: 8813da73d9da57756babf923bb9d9462ce70132e270f61c26fbbf0fbcc3869ce
Instruction Fuzzy Hash: 3801F533A093126FB62526746E89A1A3B56FB06375328022BF610903E0EF1A4E01B2C6

Function 00FE2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FE5686,00FF3CD6,?,00000000,?,00FE5B6A,?,?,?,?,?,00FDE6D1,?,01078A48), ref: 00FE2D78
_free.LIBCMT ref: 00FE2DAB
_free.LIBCMT ref: 00FE2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00FDE6D1,?,01078A48,00000010,00FB4F4A,?,?,00000000,00FF3CD6), ref: 00FE2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00FDE6D1,?,01078A48,00000010,00FB4F4A,?,?,00000000,00FF3CD6), ref: 00FE2DEC
_abort.LIBCMT ref: 00FE2DF2

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 8a02f0934c56753df3f7f39f5339ce0780f099e14a0d8274187cce73deb7a089
Instruction ID: e99645a74080a6a6e190fca551bad5559383eea2a6b5515e6bc4e02f0d414449
Opcode Fuzzy Hash: 8a02f0934c56753df3f7f39f5339ce0780f099e14a0d8274187cce73deb7a089
Instruction Fuzzy Hash: 20F0F976D0668027D3B2363B7D0AA1E375DABC27B1F254019FA64D2186FE2D89017221

Function 01048A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FC9693
Part of subcall function 00FC9639: SelectObject.GDI32(?,00000000), ref: 00FC96A2
Part of subcall function 00FC9639: BeginPath.GDI32(?), ref: 00FC96B9
Part of subcall function 00FC9639: SelectObject.GDI32(?,00000000), ref: 00FC96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 01048A4E
LineTo.GDI32(?,00000003,00000000), ref: 01048A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 01048A70
LineTo.GDI32(?,00000000,00000003), ref: 01048A80
EndPath.GDI32(?), ref: 01048A90
StrokePath.GDI32(?), ref: 01048AA0

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 1aa3b4483d193ee91d6fee2ac4f04574e830a6aeaebdb87cf77618abcfa068ee
Instruction ID: 93e5269070b3d82d80ca6253bc870abfa8e2369dec701576272025ac34674926
Opcode Fuzzy Hash: 1aa3b4483d193ee91d6fee2ac4f04574e830a6aeaebdb87cf77618abcfa068ee
Instruction Fuzzy Hash: 81115EB600010CBFEF119F94DD88E9A7F6CEF05350F008421FA85951A4C7769D55DF60

Function 010151FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 01015218
GetDeviceCaps.GDI32(00000000,00000058), ref: 01015229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01015230
ReleaseDC.USER32(00000000,00000000), ref: 01015238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0101524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 01015261

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: eb059cddce645b2f41e6f468c402cc6ed2b7f9971f10920560e5c7e1c9c4c699
Instruction ID: a80d0096a62c31cd9b7954e5ad9a1070324a025935508507d071b3464639b84b
Opcode Fuzzy Hash: eb059cddce645b2f41e6f468c402cc6ed2b7f9971f10920560e5c7e1c9c4c699
Instruction Fuzzy Hash: A801A7B5E01705BBFB205BE59D49E5EBFB8EF49351F044065FE44AB284D6759800CFA0

Function 00FB1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FB1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00FB1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FB1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FB1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00FB1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FB1C22

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 578b1261ce220304694877e22799dfb5bc0d9da4e328a045ab74b14f51ecd6ff
Instruction ID: 2272fdebf43359370c8072c01ab4d0f2d8cac844c5f3c90b2e53d32a1043b4ec
Opcode Fuzzy Hash: 578b1261ce220304694877e22799dfb5bc0d9da4e328a045ab74b14f51ecd6ff
Instruction Fuzzy Hash: 8D0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CFE5

Function 0101EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0101EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0101EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0101EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0101EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0101EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0101EB75

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e0921b6fbd3a32bcc35182c02b767494189475d7ef986c16150ec2efb8623217
Instruction ID: 54b3398b20694808fd180e624d6d0e7418ec5152ab3c89de944359b957f90f0d
Opcode Fuzzy Hash: e0921b6fbd3a32bcc35182c02b767494189475d7ef986c16150ec2efb8623217
Instruction Fuzzy Hash: 62F06DB6242158BBE73156529E4DEAF3A7CEBCAB11F004158FA41D108496A92A0187B4

Function 01007439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 01007452
SendMessageW.USER32(?,00001328,00000000,?), ref: 01007469
GetWindowDC.USER32(?), ref: 01007475
GetPixel.GDI32(00000000,?,?), ref: 01007484
ReleaseDC.USER32(?,00000000), ref: 01007496
GetSysColor.USER32(00000005), ref: 010074B0

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 3728a9a852bbfd06ed95014887cec8bff8e83b106d658c1bb48b279561232626
Instruction ID: 70dfdd7d178fadd8733f0b11e621297c3292ae9371b0e0ab26647cff6ad79d9c
Opcode Fuzzy Hash: 3728a9a852bbfd06ed95014887cec8bff8e83b106d658c1bb48b279561232626
Instruction Fuzzy Hash: 4B018B75401205EFEB625F64DE48BAE7BB5FF08311F514064F995A20E1CF3A2E41AB50

Function 01011874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0101187F
UnloadUserProfile.USERENV(?,?), ref: 0101188B
CloseHandle.KERNEL32(?), ref: 01011894
CloseHandle.KERNEL32(?), ref: 0101189C
GetProcessHeap.KERNEL32(00000000,?), ref: 010118A5
HeapFree.KERNEL32(00000000), ref: 010118AC

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 456ef1671819b7725fc980671c26c9ad5956c80169b735a8baaa0653172f8164
Instruction ID: 9d7674bb7d9cf0e70429098a6c9af42aaeccb68fef332e75f51d74f9491c8562
Opcode Fuzzy Hash: 456ef1671819b7725fc980671c26c9ad5956c80169b735a8baaa0653172f8164
Instruction Fuzzy Hash: CAE0EDBA105501BBE7215FA1EF4C905BF39FF4A7227108220F26581078CB375420DB50

Function 0101C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB7620: _wcslen.LIBCMT ref: 00FB7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0101C6EE
_wcslen.LIBCMT ref: 0101C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0101C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0101C7CA

Strings

0, xrefs: 0101C6AF

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 19f54b08c4103ffb047e4b7dd252e082d12aeadd36a70abf39355d6b029ef046
Instruction ID: a31b8985ee6d757295bc0be144158d90798f4a70635af5f38a5773b8632b2c1e
Opcode Fuzzy Hash: 19f54b08c4103ffb047e4b7dd252e082d12aeadd36a70abf39355d6b029ef046
Instruction Fuzzy Hash: 6851E2716843019BF7919E28CA85B6EBBE4BF49310F04096DFAD6D2195DBBCD804CB52

Function 0103AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0103AEA3

Part of subcall function 00FB7620: _wcslen.LIBCMT ref: 00FB7625

GetProcessId.KERNEL32(00000000), ref: 0103AF38
CloseHandle.KERNEL32(00000000), ref: 0103AF67

Strings

<, xrefs: 0103AE6B
@, xrefs: 0103AE72

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 65cac07b6a24c0d2dda7b2a020f3b31dcc09a729a69cc4b509fc86aff78635bc
Instruction ID: ced488e218bc70876247ea3c5bf38dc06c70f72b7882175a85531e67d09f8734
Opcode Fuzzy Hash: 65cac07b6a24c0d2dda7b2a020f3b31dcc09a729a69cc4b509fc86aff78635bc
Instruction Fuzzy Hash: D5717A74A00215DFCB14EF55C885A9EBBF4BF48310F048499E896AB392C779ED45CFA0

Function 0101719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 01017206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0101723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0101724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 010172CF

Strings

DllGetClassObject, xrefs: 01017242

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ad81f5ea9dd597a907e9ddf3546187038a7a7bc74279a95bced8f9f648879653
Instruction ID: 9e125bda13854c1605e3fbdd0de7fe3ce8d33b9ab72eec68f781f84a366ac8c7
Opcode Fuzzy Hash: ad81f5ea9dd597a907e9ddf3546187038a7a7bc74279a95bced8f9f648879653
Instruction Fuzzy Hash: 2F416EB1A00204AFDB25CF94C984ADA7FA9EF49310F1480ADFD459F20DD7B9D945CBA0

Function 01043D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01043E35
IsMenu.USER32(?), ref: 01043E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01043E92
DrawMenuBar.USER32 ref: 01043EA5

Strings

0, xrefs: 01043D89

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: a66b24b8b7a7bc645fd023374eb602e29921034ec2f861b77274770dd3473859
Instruction ID: 16a2da9fddc7a5351727ffdbf13f3b5a79b1916553ef516e0ee7de22b1ef075b
Opcode Fuzzy Hash: a66b24b8b7a7bc645fd023374eb602e29921034ec2f861b77274770dd3473859
Instruction Fuzzy Hash: 97418AB4A02219AFEB20DF55D8C0AAEBBF5FF48350F044069E9959B280D335A941CF90

Function 01011DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 01013CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01013CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01011E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01011E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 01011EA9

Part of subcall function 00FB6B57: _wcslen.LIBCMT ref: 00FB6B6A

Strings

ListBox, xrefs: 01011E25
ComboBox, xrefs: 01011DF0

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: a67723246134523097f5765128906e295597af6d434e3f1b5a404d0d34b5c719
Instruction ID: f4022adff907f6690d519f034b3039043164d512d3615f9c91d33a34eef924c1
Opcode Fuzzy Hash: a67723246134523097f5765128906e295597af6d434e3f1b5a404d0d34b5c719
Instruction Fuzzy Hash: 892146B1A00108ABEB18ABB5DD85CFFBBF8EF45350B004019F691971D5DB3C49099A20

Function 0103C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0103C9F1
_wcslen.LIBCMT ref: 0103CA68
_wcslen.LIBCMT ref: 0103CA9E
_wcslen.LIBCMT ref: 0103CAF9
_wcslen.LIBCMT ref: 0103CB2F
_wcslen.LIBCMT ref: 0103CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0103CA62, 0103CA67
HKLM, xrefs: 0103CA98, 0103CA9D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: aec8cd0cee933ecde509f05ce2876ef0665e2777ff510d36c30bc53373ecc130
Instruction ID: 608d9d2017a5d7b19515ce0c67050ccd5f93a9b6303f63d51233cd654da3ede0
Opcode Fuzzy Hash: aec8cd0cee933ecde509f05ce2876ef0665e2777ff510d36c30bc53373ecc130
Instruction Fuzzy Hash: D1313973A009614BEB61EF2DDE500BE37D95BD1688F15409BE8C1FB34AEA71CD4293A0

Function 01042F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01042F8D
LoadLibraryW.KERNEL32(?), ref: 01042F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01042FA9
DestroyWindow.USER32(?), ref: 01042FB1

Strings

SysAnimate32, xrefs: 01042F68

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 8bb910d8fda42157a4e7aecf6c59afce0c5dfa11506a949ae4825b9ec170e7e1
Instruction ID: e5f58bf248f8c988e75e84680def7dc48fac58848e103cf87334c515215ebd48
Opcode Fuzzy Hash: 8bb910d8fda42157a4e7aecf6c59afce0c5dfa11506a949ae4825b9ec170e7e1
Instruction Fuzzy Hash: F121DEB1300209ABEB214E68ECC0EBB3BA9EB48364F504278FA90D2091C372EC419760

Function 00FD4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00FD4D1E,00FE28E9,?,00FD4CBE,00FE28E9,010788B8,0000000C,00FD4E15,00FE28E9,00000002), ref: 00FD4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FD4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00FD4D1E,00FE28E9,?,00FD4CBE,00FE28E9,010788B8,0000000C,00FD4E15,00FE28E9,00000002,00000000), ref: 00FD4DC3

Strings

mscoree.dll, xrefs: 00FD4D86
CorExitProcess, xrefs: 00FD4D98

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: fd2d4744d1f2f205fbb063bd891fb5ffd138eff7392096b69adc96dd6a70a3fd
Instruction ID: 44d3905c96a8fc9279102ac3059f8464e27b10b80c6d88ae12a1518c5b9483ad
Opcode Fuzzy Hash: fd2d4744d1f2f205fbb063bd891fb5ffd138eff7392096b69adc96dd6a70a3fd
Instruction Fuzzy Hash: 58F0A474901208BBEB219F90D949BAEBFB6EF04711F040059F845A2254CB355940DB90

Function 0100D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0100D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0100D3BF
FreeLibrary.KERNEL32(00000000), ref: 0100D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0100D3B9
X64, xrefs: 0100D2A8

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 73ae6075cbdac3a0c9f2c299308600f1c15381370f6473e8facf2dbd82024cca
Instruction ID: e0450fce7df5dea39510a0a89aa6de3335f4a0ccfa8e829dc27f37c822884234
Opcode Fuzzy Hash: 73ae6075cbdac3a0c9f2c299308600f1c15381370f6473e8facf2dbd82024cca
Instruction Fuzzy Hash: 48F0ECF6807511EBF77316D48EA8A5DB754AF21711F44C199F5C1F1089D730C94087B5

Function 00FB4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FB4EDD,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FB4EAE
FreeLibrary.KERNEL32(00000000,?,?,00FB4EDD,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4EC0

Strings

kernel32.dll, xrefs: 00FB4E94
Wow64DisableWow64FsRedirection, xrefs: 00FB4EA8

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ebaffc34eaad8f2c0c9734adf0a5ccaf7ffbabe9e7526935e2aa2b9f90ea895a
Instruction ID: 51bf79ac5a5e4488bd8078d1b13a2dd845d1e316dab4edd1effd0882b044ca12
Opcode Fuzzy Hash: ebaffc34eaad8f2c0c9734adf0a5ccaf7ffbabe9e7526935e2aa2b9f90ea895a
Instruction Fuzzy Hash: F9E0CDB9E035225BF331172B6F58B9F7554AF82F72B050115FC40D6505DB75DC019AE1

Function 00FB4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FF3CDE,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FB4E74
FreeLibrary.KERNEL32(00000000,?,?,00FF3CDE,?,01081418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FB4E87

Strings

kernel32.dll, xrefs: 00FB4E5B
Wow64RevertWow64FsRedirection, xrefs: 00FB4E6E

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 31cf329813335ee0eca06401c18e4f21ee5499bac5bb6de1107349626e6e0754
Instruction ID: 0f59065571f85838a0c17b644b05936c576652ba6fcfde8c7ff69ba1bb04a6fc
Opcode Fuzzy Hash: 31cf329813335ee0eca06401c18e4f21ee5499bac5bb6de1107349626e6e0754
Instruction Fuzzy Hash: 6AD0C2B9D03A215767321B266B18ECB2B18AF82B213050124B840A6118CF26DD01EAE0

Function 01022947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01022C05
DeleteFileW.KERNEL32(?), ref: 01022C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01022C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01022CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01022CC0

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 96e2899d4f5cb23a493b7e5f82a99ff56d7fd336e80ab415a0ddd2456bc4d266
Instruction ID: 4454a42e06dea6b9514a4008952dd099d8cebb6c2ede8040e1e97a1d5ac0ed35
Opcode Fuzzy Hash: 96e2899d4f5cb23a493b7e5f82a99ff56d7fd336e80ab415a0ddd2456bc4d266
Instruction Fuzzy Hash: EAB15D72900129ABDF21EBE4CD85EDEBBBDEF48350F1040A6F649A7141EA359A448F61

Function 0103A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0103A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0103A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0103A468
CloseHandle.KERNEL32(?), ref: 0103A63D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 158ae974d5f6037cda8bee9b91d046734df826a434c51a4d69bd76ef600d9cc2
Instruction ID: b4d231edb12c41bf356f03f0b7ec0de7484956592c0ef9bc2e12fb439479d026
Opcode Fuzzy Hash: 158ae974d5f6037cda8bee9b91d046734df826a434c51a4d69bd76ef600d9cc2
Instruction Fuzzy Hash: 9CA1B071604301AFE720DF29C986F2AB7E5AF88714F14885CF59ADB2D2DB74EC418B91

Function 0101E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0101DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0101CF22,?), ref: 0101DDFD

Part of subcall function 0101DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0101CF22,?), ref: 0101DE16

Part of subcall function 0101E199: GetFileAttributesW.KERNEL32(?,0101CF95), ref: 0101E19A

lstrcmpiW.KERNEL32(?,?), ref: 0101E473
MoveFileW.KERNEL32(?,?), ref: 0101E4AC
_wcslen.LIBCMT ref: 0101E5EB
_wcslen.LIBCMT ref: 0101E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0101E650

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: e0da860de1f890b3381484806e6ca77cf18cdc0356488c44ca397ec46b4285ab
Instruction ID: 5f4361283c815b5b9d05ca07dfe232bd8fdc6c537d032ff015d0ea5050511f8d
Opcode Fuzzy Hash: e0da860de1f890b3381484806e6ca77cf18cdc0356488c44ca397ec46b4285ab
Instruction Fuzzy Hash: D65180B24083459BD765EBA4DC809DF77ECAF84340F00491EEAC9D3145EE78E2888B66

Function 0103B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 0103C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0103B6AE,?,?), ref: 0103C9B5
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103C9F1
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103CA68
Part of subcall function 0103C998: _wcslen.LIBCMT ref: 0103CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0103BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0103BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0103BB63
RegCloseKey.ADVAPI32(?,?), ref: 0103BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0103BBB3

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f8548e69a747345c3ba6abae73aaef9984be5638406fd0f907c4fddce256480f
Instruction ID: 9737f4aa2693c3230dcca1c2647a0d0e00168365656be521d3a32cfc0f401709
Opcode Fuzzy Hash: f8548e69a747345c3ba6abae73aaef9984be5638406fd0f907c4fddce256480f
Instruction Fuzzy Hash: 7961B171208201AFD324DF14C890E6ABBE9FF84308F54859DF5998B292CB75ED45CB92

Function 01018BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01018BCD
VariantClear.OLEAUT32 ref: 01018C3E
VariantClear.OLEAUT32 ref: 01018C9D
VariantClear.OLEAUT32(?), ref: 01018D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 01018D3B

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 8c8ad6e68ca53de36dc1a108329d98edd1d5c1f5157f5c7cd1a46d13dae8977c
Instruction ID: 83822d41ba9070006524ba6143e1c7f7a4bbfdd74684e93a158bb5848bea2275
Opcode Fuzzy Hash: 8c8ad6e68ca53de36dc1a108329d98edd1d5c1f5157f5c7cd1a46d13dae8977c
Instruction Fuzzy Hash: 32515AB5A00219EFDB10DF68C884AAABBF4FF89310F05855AF945DB314E734EA11CB90

Function 01028AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 01028BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 01028BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 01028C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 01028C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 01028C5F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 6fd948831dbccee354a51146d693146f0817a589c2312a766e2046ed055ad119
Instruction ID: 2e3660945fa76a481438edf7ffe869f6c9c1a40f017e24800eaab7697e8f92e2
Opcode Fuzzy Hash: 6fd948831dbccee354a51146d693146f0817a589c2312a766e2046ed055ad119
Instruction Fuzzy Hash: EF514B79A002199FDB11DF65C981AA9BBF5FF48314F088099E849AB362CB35ED41DF90

Function 01038EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 01038F40
GetProcAddress.KERNEL32(00000000,?), ref: 01038FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 01038FEC
GetProcAddress.KERNEL32(00000000,?), ref: 01039032
FreeLibrary.KERNEL32(00000000), ref: 01039052

Part of subcall function 00FCF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,01021043,?,753CE610), ref: 00FCF6E6
Part of subcall function 00FCF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0100FA64,00000000,00000000,?,?,01021043,?,753CE610,?,0100FA64), ref: 00FCF70D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 6d19b787f82324122c33fbf11d36e4c8e6105112daa4689b62c93a436dc2bdd7
Instruction ID: 3c772d0a1450ff8e27f9cbab838c6af8f36ab722ea68fd761b5871131c0a685a
Opcode Fuzzy Hash: 6d19b787f82324122c33fbf11d36e4c8e6105112daa4689b62c93a436dc2bdd7
Instruction Fuzzy Hash: A45136386052059FCB11DF68C4848ADBBF5FF89314B0881A9F94A9B362D775ED85CF90

Function 01046B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 01046C33
SetWindowLongW.USER32(?,000000EC,?), ref: 01046C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 01046C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0102AB79,00000000,00000000), ref: 01046C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 01046CC7

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: fcb8ae65498d679613af6b2a9010fef793a5897c1f23b4c2f16ef4e9f6fb9453
Instruction ID: cca5d27055173f08f7d4d5eacbb1b41431408c04abd391dc579bf53c94a2ccb6
Opcode Fuzzy Hash: fcb8ae65498d679613af6b2a9010fef793a5897c1f23b4c2f16ef4e9f6fb9453
Instruction Fuzzy Hash: 6B41A3B5A04108AFE724CE68C9D4BB97FA5EB0A350F0402B4E995A7291E372AD41CA84

Function 00FE2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FE20C3
_free.LIBCMT ref: 00FE20E3

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 283de9b11c5b2c695ca1fa9cd06f0e88684e7f8d93bcfd33a1c8331056415b46
Instruction ID: 1053e40fd09e2468c5e9aa521a116324e353b1e2989350a0398d8b6914507e52
Opcode Fuzzy Hash: 283de9b11c5b2c695ca1fa9cd06f0e88684e7f8d93bcfd33a1c8331056415b46
Instruction Fuzzy Hash: EB410632E002049FDB24DF79C981A5DB3F9EF89320F154569E615EB392E735AE01EB80

Function 00FC912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FC9141
ScreenToClient.USER32(00000000,?), ref: 00FC915E
GetAsyncKeyState.USER32(00000001), ref: 00FC9183
GetAsyncKeyState.USER32(00000002), ref: 00FC919D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 06fe3ddcdc5a26927dfbdab399915ef4b83bd238b9764d401b617be8afb2891a
Instruction ID: c467531c8030bf65e00d505edbdaacbdaf608fd1a81f431669eeebf0efe6b137
Opcode Fuzzy Hash: 06fe3ddcdc5a26927dfbdab399915ef4b83bd238b9764d401b617be8afb2891a
Instruction Fuzzy Hash: 9141F571A0810BFBEF169F68C949BEEB7B1FF05320F104229E4A5A32D0C7746950CB91

Function 01023874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 010238CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 01023922
TranslateMessage.USER32(?), ref: 0102394B
DispatchMessageW.USER32(?), ref: 01023955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01023966

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 0c2f25f26221b5239f9794758379a2098dc311e1259af87f9b6bc2b6d2872810
Instruction ID: da1d66438be5ddba7e7a2e8b369c84ed6db954418d13105c78219a240c023d45
Opcode Fuzzy Hash: 0c2f25f26221b5239f9794758379a2098dc311e1259af87f9b6bc2b6d2872810
Instruction Fuzzy Hash: AD31A870608352EFFB75CB389549BBA3BE8BB0E304F044599D5D28A185D77E9085CB11

Function 01011901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01011915
PostMessageW.USER32(00000001,00000201,00000001), ref: 010119C1
Sleep.KERNEL32(00000000,?,?,?), ref: 010119C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 010119DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 010119E2

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 478831280b7458bbc6627850c36e28e15751e21e3a78a796f04f2b85170ff7b3
Instruction ID: 40943751dba4e39aaa225a6e5c11af7b2ad9f48870a8284692758228738f6e81
Opcode Fuzzy Hash: 478831280b7458bbc6627850c36e28e15751e21e3a78a796f04f2b85170ff7b3
Instruction Fuzzy Hash: FE31D6B5900219EFDB14CFBCDA88ADE3BB6EB05315F004265FAB1A72D5C7749944CB90

Function 01045706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 01045745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0104579D
_wcslen.LIBCMT ref: 010457AF
_wcslen.LIBCMT ref: 010457BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 01045816

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: cc7a12f8519fabe231e4e44bcd87be1c5228636f7ba6a8de1b72ead5f1e7cec6
Instruction ID: 9e88f39083118262effc66851a01033b31d14a5d9b25e0983c1e28303b0324fc
Opcode Fuzzy Hash: cc7a12f8519fabe231e4e44bcd87be1c5228636f7ba6a8de1b72ead5f1e7cec6
Instruction Fuzzy Hash: 2321A5F59042189BEB20DF64DCC5AEE7BB8FF45324F008276EA99EA180D7749585CF50

Function 01030930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01030951
GetForegroundWindow.USER32 ref: 01030968
GetDC.USER32(00000000), ref: 010309A4
GetPixel.GDI32(00000000,?,00000003), ref: 010309B0
ReleaseDC.USER32(00000000,00000003), ref: 010309E8

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e6289f3c9f01a7ab1b5f4e25fd633c43bd2b67cf915ba4aaafd7d571879c9e8f
Instruction ID: 9cb82b626d749192ca0b4854dc130e9716d407a08e040323c79e25b0c07f7cfd
Opcode Fuzzy Hash: e6289f3c9f01a7ab1b5f4e25fd633c43bd2b67cf915ba4aaafd7d571879c9e8f
Instruction Fuzzy Hash: 2321A179600214AFE714EF65C984AAEBBF9FF48710F048069F88A97355CB75AD04CB50

Function 00FECDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00FECDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FECDE9

Part of subcall function 00FE3820: RtlAllocateHeap.NTDLL(00000000,?,01081444,?,00FCFDF5,?,?,00FBA976,00000010,01081440,00FB13FC,?,00FB13C6,?,00FB1129), ref: 00FE3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00FECE0F
_free.LIBCMT ref: 00FECE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00FECE31

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 308f23fdc4906bae297b1ccb799b694296f3a4b2d747c9fdef5a7fe1fe952514
Instruction ID: 21de6e8f16a5abd808928883055a3ead8dec81bc37c6a25ac1378e7e44e924f2
Opcode Fuzzy Hash: 308f23fdc4906bae297b1ccb799b694296f3a4b2d747c9fdef5a7fe1fe952514
Instruction Fuzzy Hash: 4601D4B3A022957F333116BB6D8CD7F796DDEC6FA13150129F905D7200EA668E02A2F0

Function 00FC9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FC9693
SelectObject.GDI32(?,00000000), ref: 00FC96A2
BeginPath.GDI32(?), ref: 00FC96B9
SelectObject.GDI32(?,00000000), ref: 00FC96E2

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 06705fd9a312e242498687109d6864996a3b02750efe167ce9909fbc740f04d9
Instruction ID: ab1cb4fcb52671d1f6ab78aeed4d9631981cc546092d1df45ade9bc254bc9276
Opcode Fuzzy Hash: 06705fd9a312e242498687109d6864996a3b02750efe167ce9909fbc740f04d9
Instruction Fuzzy Hash: 4C21C87181A306EFEB218F54DA49BAD3BA4BF11325F104259F4D0A21D4D3BA5842EF90

Function 01015711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 01015726
_memcmp.LIBVCRUNTIME ref: 01015744
_memcmp.LIBVCRUNTIME ref: 01015757
_memcmp.LIBVCRUNTIME ref: 0101576F
_memcmp.LIBVCRUNTIME ref: 01015787

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 31e1d3f47b920e14478b1b1280091b21bde65470cf494c26e0368a933880c243
Instruction ID: 448d6f49243765a30458e43e1ace726a7ca37bf6aabd352da39dae62248e572d
Opcode Fuzzy Hash: 31e1d3f47b920e14478b1b1280091b21bde65470cf494c26e0368a933880c243
Instruction Fuzzy Hash: BD01B5E564120ABBE2485519AE83FBB739DBB923A4F044025FD849E206F768ED1096E4

Function 00FE2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00FDF2DE,00FE3863,01081444,?,00FCFDF5,?,?,00FBA976,00000010,01081440,00FB13FC,?,00FB13C6), ref: 00FE2DFD
_free.LIBCMT ref: 00FE2E32
_free.LIBCMT ref: 00FE2E59
SetLastError.KERNEL32(00000000,00FB1129), ref: 00FE2E66
SetLastError.KERNEL32(00000000,00FB1129), ref: 00FE2E6F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6ff1ea1851743f2391edf07d6d4ad92cb354f4ca777403de0faf81d91c6645c4
Instruction ID: c5791446151eb6b777cc0111172de7e30ebff2364528751ed2b2b2d77e2c9436
Opcode Fuzzy Hash: 6ff1ea1851743f2391edf07d6d4ad92cb354f4ca777403de0faf81d91c6645c4
Instruction Fuzzy Hash: 49017D779066D027D76226376D8AD2F376DABC1371B354028F490A3186FF3D8C007120

Function 0101000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?,?,?,0101035E), ref: 0101002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?,?), ref: 01010046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?,?), ref: 01010054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?), ref: 01010064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0100FF41,80070057,?,?), ref: 01010070

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ab98307055b3c1e37b0cc5fb9aef048be43f49bb54f51ced3ce4e3f3798b5dc8
Instruction ID: dece58df05c3487851917972a6b0bd671fc611965d8f58cab49534219908aa04
Opcode Fuzzy Hash: ab98307055b3c1e37b0cc5fb9aef048be43f49bb54f51ced3ce4e3f3798b5dc8
Instruction Fuzzy Hash: F50184B6601205BFFB214F68DD44BAA7EEDEB44661F144118F9C5D2208E77ADA808760

Function 0101E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0101E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0101E9A5
Sleep.KERNEL32(00000000), ref: 0101E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0101E9B7
Sleep.KERNEL32 ref: 0101E9F3

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: afca01d70249ca72f991e66c4cf54544a69984cbe60a5311f55888fd93b232f7
Instruction ID: 2a9f290ffaf862957a4b7d1b86dc26d1b5361b57c2383d1adefc37ac19497064
Opcode Fuzzy Hash: afca01d70249ca72f991e66c4cf54544a69984cbe60a5311f55888fd93b232f7
Instruction Fuzzy Hash: 01018775C0262DDBDF51ABE4DA88AEDBB79BF09700F000546E982B2248CB3995408BA1

Function 010110F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01011114
GetLastError.KERNEL32(?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 01011120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 0101112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01010B9B,?,?,?), ref: 01011136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0101114D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 57aa965f784cfa577d9ef4f5ffb07deab41dbcf2bf4a240ba16c8c789941a1bd
Instruction ID: 333897b95f0d887bcb6831679c31ccce2f351feb8608202d7c9c8918e86551a9
Opcode Fuzzy Hash: 57aa965f784cfa577d9ef4f5ffb07deab41dbcf2bf4a240ba16c8c789941a1bd
Instruction Fuzzy Hash: 000181B9101205BFEB654FA9DE89E6A3FAEFF86264B100454FA81C3354DB36DC008B60

Function 01010FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01010FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01010FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01010FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01010FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01011002

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 07ad69463d69f417952cde7d7b35cf253099c3f2e1d46745bafd59d6122e0f87
Instruction ID: 27bfed43911b5bd3f74573274e421429d554c878795f51d80de5bc58fb20fdfb
Opcode Fuzzy Hash: 07ad69463d69f417952cde7d7b35cf253099c3f2e1d46745bafd59d6122e0f87
Instruction Fuzzy Hash: 8CF0C279202301ABE7220FA8DE8DF563FADEF8A762F100414FA85C7244CA79D8408B60

Function 01011014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0101102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01011036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01011045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0101104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01011062

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8d5d579ffc416dbfde319c9c88d1fd74278e1046b01a451d644cdd6fdbacfd96
Instruction ID: 0599b31e41b9c09aaa38d150de413419c0f66d92b56fa6db8695b1f576a21d5a
Opcode Fuzzy Hash: 8d5d579ffc416dbfde319c9c88d1fd74278e1046b01a451d644cdd6fdbacfd96
Instruction Fuzzy Hash: D2F0C279202301ABE7221FA9EE88F563FADEF8A661F100414FA85C7244CA79D850CB60

Function 0102030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0102017D,?,010232FC,?,00000001,00FF2592,?), ref: 01020324
CloseHandle.KERNEL32(?,?,?,?,0102017D,?,010232FC,?,00000001,00FF2592,?), ref: 01020331
CloseHandle.KERNEL32(?,?,?,?,0102017D,?,010232FC,?,00000001,00FF2592,?), ref: 0102033E
CloseHandle.KERNEL32(?,?,?,?,0102017D,?,010232FC,?,00000001,00FF2592,?), ref: 0102034B
CloseHandle.KERNEL32(?,?,?,?,0102017D,?,010232FC,?,00000001,00FF2592,?), ref: 01020358
CloseHandle.KERNEL32(?,?,?,?,0102017D,?,010232FC,?,00000001,00FF2592,?), ref: 01020365

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 64f8dee81ae23c19a6d5160a6bcc37c6f70c054d3f6b045d0a016da3db98f83c
Instruction ID: 40a4cc1a6049d10d24ad5951ffec8dfcff62583fcbbd422ba3f66ce0ea8ce3e3
Opcode Fuzzy Hash: 64f8dee81ae23c19a6d5160a6bcc37c6f70c054d3f6b045d0a016da3db98f83c
Instruction Fuzzy Hash: AF019072801B259FD7309F6AD880413FBF9BE502153158A7EE29652931C371A954CF80

Function 00FED73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FED752

Part of subcall function 00FE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000), ref: 00FE29DE
Part of subcall function 00FE29C8: GetLastError.KERNEL32(00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000,00000000), ref: 00FE29F0

_free.LIBCMT ref: 00FED764
_free.LIBCMT ref: 00FED776
_free.LIBCMT ref: 00FED788
_free.LIBCMT ref: 00FED79A

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e29d051c6813dccb64224551096c2fba74a0f458b32da4f0ad00f5017d8151
Instruction ID: f0d8279ca24b0af2952dea27763cb8e26bf14f6d34095ef47fed61ee0a63367c
Opcode Fuzzy Hash: d5e29d051c6813dccb64224551096c2fba74a0f458b32da4f0ad00f5017d8151
Instruction Fuzzy Hash: 45F06832D002896B86A5EB5AF9C6C1A77EDBB04330B951809F084E7906D73DFC406761

Function 01015C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 01015C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 01015C6F
MessageBeep.USER32(00000000), ref: 01015C87
KillTimer.USER32(?,0000040A), ref: 01015CA3
EndDialog.USER32(?,00000001), ref: 01015CBD

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c45e835be2edc8084b2d932e572713b4db6ebbf9efc7ebe4e2b605fa34fd2c90
Instruction ID: 732f77264bd3464e83097232c9096bfdde9213b8dd0a7adbe890caf41f5d3e4e
Opcode Fuzzy Hash: c45e835be2edc8084b2d932e572713b4db6ebbf9efc7ebe4e2b605fa34fd2c90
Instruction Fuzzy Hash: 4901A274501708AFFB305F10DF8EFA67BB8BB45B05F040299A6C2A50D5DBF9A9848B90

Function 00FE22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FE22BE

Part of subcall function 00FE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000), ref: 00FE29DE
Part of subcall function 00FE29C8: GetLastError.KERNEL32(00000000,?,00FED7D1,00000000,00000000,00000000,00000000,?,00FED7F8,00000000,00000007,00000000,?,00FEDBF5,00000000,00000000), ref: 00FE29F0

_free.LIBCMT ref: 00FE22D0
_free.LIBCMT ref: 00FE22E3
_free.LIBCMT ref: 00FE22F4
_free.LIBCMT ref: 00FE2305

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fbc1f1e344200b0094c6a67e3d0c3aaeb9fe4dabcca6a32c65794dedcaaea052
Instruction ID: a558ab96f0b13fbb97a2cbadfe401c3a66f5fd483dfc59f3eee53406c8b51020
Opcode Fuzzy Hash: fbc1f1e344200b0094c6a67e3d0c3aaeb9fe4dabcca6a32c65794dedcaaea052
Instruction Fuzzy Hash: D5F030B18041558B97B2AF59F80280C3B78BB187707015506F4D0D626FD73E1412BBA6

Function 00FC95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00FC95D4
StrokeAndFillPath.GDI32(?,?,010071F7,00000000,?,?,?), ref: 00FC95F0
SelectObject.GDI32(?,00000000), ref: 00FC9603
DeleteObject.GDI32 ref: 00FC9616
StrokePath.GDI32(?), ref: 00FC9631

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: dc17992c7443122473d604b016ef1bbaba73f3ce86d360cba076d7db1bd2a205
Instruction ID: be57289b4585dc9a5aa08c7a0f0d184672a38b70cf70c542f58deb5c21d6d752
Opcode Fuzzy Hash: dc17992c7443122473d604b016ef1bbaba73f3ce86d360cba076d7db1bd2a205
Instruction Fuzzy Hash: ACF03C3540E605AFEB365F65EB4DB683B61AB11332F048218F4E5550F8CB7A8992EF20

Function 00FE0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00FE10F9
__freea.LIBCMT ref: 00FE1117

Part of subcall function 00FE1537: _free.LIBCMT ref: 00FE154F

Strings

am/pm, xrefs: 00FE117A
a/p, xrefs: 00FE11DE

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 3d75d5e5e11928e224e1d053e2116617f478c4f0840e90207e41e9a87e89bd1a
Instruction ID: c84eeb388d7708f3e9ef833935927d09957751602a5b1e542a24c37c398d0b66
Opcode Fuzzy Hash: 3d75d5e5e11928e224e1d053e2116617f478c4f0840e90207e41e9a87e89bd1a
Instruction Fuzzy Hash: 3FD10572D00286CEDB249F6BC845BFEB7B5FF05320F28015AEA019B654D7799D80EB91

Function 01037B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00FD0242: EnterCriticalSection.KERNEL32(0108070C,01081884,?,?,00FC198B,01082518,?,?,?,00FB12F9,00000000), ref: 00FD024D
Part of subcall function 00FD0242: LeaveCriticalSection.KERNEL32(0108070C,?,00FC198B,01082518,?,?,?,00FB12F9,00000000), ref: 00FD028A

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 00FD00A3: __onexit.LIBCMT ref: 00FD00A9

__Init_thread_footer.LIBCMT ref: 01037BFB

Part of subcall function 00FD01F8: EnterCriticalSection.KERNEL32(0108070C,?,?,00FC8747,01082514), ref: 00FD0202
Part of subcall function 00FD01F8: LeaveCriticalSection.KERNEL32(0108070C,?,00FC8747,01082514), ref: 00FD0235

Strings

Variable must be of type 'Object'., xrefs: 01037C3A
G, xrefs: 01037C7F
5, xrefs: 01037C78

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 1307be04609c92bb12b9252ee4512abeb1c0a37f2c3aae1241a02cdf8853b938
Instruction ID: 3a37d04a0058e8654379e2a6c8133dd272efdd2757421b0a5ec0089a7569f5f5
Opcode Fuzzy Hash: 1307be04609c92bb12b9252ee4512abeb1c0a37f2c3aae1241a02cdf8853b938
Instruction Fuzzy Hash: 8B918FB1A00209EFCB05EF59D894DADB7B9FF89300F14809DF9865B252DB71AE41CB51

Function 01012716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0101B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010121D0,?,?,00000034,00000800,?,00000034), ref: 0101B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 01012760

Part of subcall function 0101B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0101B3F8

Part of subcall function 0101B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0101B355
Part of subcall function 0101B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,01012194,00000034,?,?,00001004,00000000,00000000), ref: 0101B365
Part of subcall function 0101B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,01012194,00000034,?,?,00001004,00000000,00000000), ref: 0101B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010127CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0101281A

Strings

@, xrefs: 01012832

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 5cde73fc3d4a3de9f1c99f97438ae22a11d4d8e49ad0fd1f6a6dcb88e4b97657
Instruction ID: f5648bea0781aeeed60c642b3a35b16865f0275fac73a8c3f7e0eb61bf008d6d
Opcode Fuzzy Hash: 5cde73fc3d4a3de9f1c99f97438ae22a11d4d8e49ad0fd1f6a6dcb88e4b97657
Instruction Fuzzy Hash: C3416D76901218BFDB10DFA4CD81AEEBBB8EF19300F108095FA95B7184DB746E45CBA0

Function 00FE172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ungziped_file.exe,00000104), ref: 00FE1769
_free.LIBCMT ref: 00FE1834
_free.LIBCMT ref: 00FE183E

Strings

C:\Users\user\Desktop\ungziped_file.exe, xrefs: 00FE1760, 00FE1767, 00FE1796, 00FE17CE

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\ungziped_file.exe
API String ID: 2506810119-2806400892
Opcode ID: 8151b9ae01661c8fdf1b11ee61e0ebcc1dfb628abcd007fbf6a5c519a4671bc0
Instruction ID: 4acbcabbab70fbd1ffa08fe17ec52006fa3107d644b95c9b8de53c1d90ed9702
Opcode Fuzzy Hash: 8151b9ae01661c8fdf1b11ee61e0ebcc1dfb628abcd007fbf6a5c519a4671bc0
Instruction Fuzzy Hash: 01318F71E04298AFDB21DF9B9C81D9EBBBCFF85720B144166F84497201D6748E41EB90

Function 0101C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0101C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0101C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01081990,01625E98), ref: 0101C395

Strings

0, xrefs: 0101C2DF

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: a61c69256397a6119006a8c39c751b137182ee7544639a4cac86ade8ee5a6bfb
Instruction ID: 052782f96603d52affeb3d27c2bf2775e737b76a5cb952b904eb725e1441cf49
Opcode Fuzzy Hash: a61c69256397a6119006a8c39c751b137182ee7544639a4cac86ade8ee5a6bfb
Instruction Fuzzy Hash: F141E3712443029FE724DF29D984B5ABBE8AF85310F04865EF9E5972C5D738E604CB52

Function 01044416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0104CC08,00000000,?,?,?,?), ref: 010444AA
GetWindowLongW.USER32 ref: 010444C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 010444D7

Strings

SysTreeView32, xrefs: 0104447C

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5c34f54e81bfe6553d8fa222da00573a77f8d23fbae6a1f3f36145cb8d85b0b6
Instruction ID: 56cbe57524a927eadbe5668ee3af0e9efb6ac562c893c36c015e7aaac0e7624c
Opcode Fuzzy Hash: 5c34f54e81bfe6553d8fa222da00573a77f8d23fbae6a1f3f36145cb8d85b0b6
Instruction Fuzzy Hash: 3631C2B1210205AFEF618E38DC85BDA7BA9EB48334F208725F9B5D21D1DB74E8509B50

Function 0103304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0103335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,01033077,?,?), ref: 01033378

inet_addr.WSOCK32(?), ref: 0103307A
_wcslen.LIBCMT ref: 0103309B
htons.WSOCK32(00000000), ref: 01033106

Strings

255.255.255.255, xrefs: 01033095, 0103309A

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 051b0f2e343f47c66653f4f92fd7aaeaecff85380191772714189ea91d0bd695
Instruction ID: aa9b8729c29bf2652f247288ee4762b6a50ec7847b19a4799f8bca5e3ebaa419
Opcode Fuzzy Hash: 051b0f2e343f47c66653f4f92fd7aaeaecff85380191772714189ea91d0bd695
Instruction Fuzzy Hash: 9E31D2396042019FD720CF2DC5D5AAABBF8FF94318F148099E9968F392DB76E941C760

Function 01044653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01044705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01044713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0104471A

Strings

msctls_updown32, xrefs: 01044684

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 49575626c6157dbb88810cf23a6a5187d3864a07e3350d81750c86381f3b048f
Instruction ID: 102564006b4a2f49e6dff30bd519149455adabcaa6d26d98493783e48cb7a8f0
Opcode Fuzzy Hash: 49575626c6157dbb88810cf23a6a5187d3864a07e3350d81750c86381f3b048f
Instruction Fuzzy Hash: 44211BB5600209AFEB11DF68DCC1DAA37ADEF4A294B040499FA94DB251CA75EC12DB60

Function 010195AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0101961D

Strings

#OnAutoItStartRegister, xrefs: 010195F3
#requireadmin, xrefs: 010195D9
#notrayicon, xrefs: 010195B7

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: c89b7df8e4a54abc9c830641957675268924a0c9c9da0cae9c7961a8dd4be371
Instruction ID: ebc85b98bbcd5a199ba6b4f68e74056dd24b19ac0dd925254f6e0ea7e610d594
Opcode Fuzzy Hash: c89b7df8e4a54abc9c830641957675268924a0c9c9da0cae9c7961a8dd4be371
Instruction Fuzzy Hash: A521A07210421167E331BB2D9C22FBB73DD9F95308F05442AFAC597146EB5CA941D3E1

Function 010437B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01043840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01043850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01043876

Strings

Listbox, xrefs: 0104380F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: fb20632f5fa42170b394d6b256abe9b351402b388d0121521d616e81067797fb
Instruction ID: ff2c0eabce95729e276bf5c331bce290e3cdc4caba16ce3dd6f3598801215d32
Opcode Fuzzy Hash: fb20632f5fa42170b394d6b256abe9b351402b388d0121521d616e81067797fb
Instruction Fuzzy Hash: F421B3B2610228BBEB22CE59CC85EAB37AEFF89750F109164F9849B190C675DC518790

Function 010249F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 01024A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 01024A5C
SetErrorMode.KERNEL32(00000000,?,?,0104CC08), ref: 01024AD0

Strings

%lu, xrefs: 01024A6F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 1e08a4aad0f8cf7a55de883127223af5551bafb5bb990614ac1aba84c1a63943
Instruction ID: 4df27189fd2411a8cd1c8dd4105e1188d988b3e4df022df275d6b1281e1a8c0d
Opcode Fuzzy Hash: 1e08a4aad0f8cf7a55de883127223af5551bafb5bb990614ac1aba84c1a63943
Instruction Fuzzy Hash: C2318F74A00109AFDB10DF54C9C5EAA7BF8EF08308F1480A9E949DB252D775ED45CB61

Function 010441EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0104424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01044264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01044271

Strings

msctls_trackbar32, xrefs: 01044226

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e5627601f7bc306fba54d5efe0b4a5b86fc43d991a0e833aa702344abd3837f7
Instruction ID: 958bcaf217f4680347e7dd014e3fadae4a3257a17df02c00f5f60790e44d5fae
Opcode Fuzzy Hash: e5627601f7bc306fba54d5efe0b4a5b86fc43d991a0e833aa702344abd3837f7
Instruction Fuzzy Hash: 9311C6B1240248BFEF215E69CC46FAB3BACEF85B64F014525FA95E6090D671D8119B20

Function 01012F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB6B57: _wcslen.LIBCMT ref: 00FB6B6A

Part of subcall function 01012DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01012DC5
Part of subcall function 01012DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 01012DD6
Part of subcall function 01012DA7: GetCurrentThreadId.KERNEL32 ref: 01012DDD
Part of subcall function 01012DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01012DE4

GetFocus.USER32 ref: 01012F78

Part of subcall function 01012DEE: GetParent.USER32(00000000), ref: 01012DF9

GetClassNameW.USER32(?,?,00000100), ref: 01012FC3
EnumChildWindows.USER32(?,0101303B), ref: 01012FEB

Strings

%s%d, xrefs: 01012FFF

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: d34b03f4ddd38ce0f2934c7a6b34c4cff5cbbd23e8ad8b7ab4711530908e29dd
Instruction ID: c09bf308316d8b5297480d0366c46a0ed10a8768a1400d9d3473b54b926863da
Opcode Fuzzy Hash: d34b03f4ddd38ce0f2934c7a6b34c4cff5cbbd23e8ad8b7ab4711530908e29dd
Instruction Fuzzy Hash: ED1102B1200206ABDF157F60CDD5EEE37AAAF94314F008079F9499B146DE3898498B30

Function 01045882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010458C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010458EE
DrawMenuBar.USER32(?), ref: 010458FD

Strings

0, xrefs: 0104588F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: d394b287d301e769e34ce9c389d3c74a7efed77967a279874174a8704de7072c
Instruction ID: 5a6734fd2c850cd529b4be9f222ab3ad5e7d44e0371475032c14e4c6fb19c20f
Opcode Fuzzy Hash: d394b287d301e769e34ce9c389d3c74a7efed77967a279874174a8704de7072c
Instruction Fuzzy Hash: AC01C4B5500208AFDB219F11DC85FAFBBB5FF45760F0080A9E889D6151DB348A84DF20

Function 0101007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eac5262054d4140d629a114f2988ba1a1ee578ac0b12914bf1a71af4d136477
Instruction ID: a8e81caea487fb675cff4eb2d1bdcaf0a8b7b7521d4ea73b4633401e8e067d7a
Opcode Fuzzy Hash: 4eac5262054d4140d629a114f2988ba1a1ee578ac0b12914bf1a71af4d136477
Instruction Fuzzy Hash: 7BC16E75A0020AEFDB15CF98C884AAEBBB9FF48704F108598F585EB259D735DD81CB90

Function 00FE3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00FE3F0B
__alldvrm.LIBCMT ref: 00FE410C
__alldvrm.LIBCMT ref: 00FE412E

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 4620457575876801546dae63dc0ce482d5d241cd2b6a8a349c126c7b26911693
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 2CA14872D003C69FDB16CF19CC917AEBBE5EF65360F1841ADE6859B281C238A941E750

Function 0103342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01033459
CoUninitialize.OLE32 ref: 01033463
VariantInit.OLEAUT32(?), ref: 0103346E
VariantClear.OLEAUT32(?), ref: 0103371B

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: b5f457ff6424c34d24eddfc5867d19795002f8741b7e9b26d83b7e7e2f587019
Instruction ID: b47de7f2640ecf556915c4286de35b4b32e01d8b074a56444c4a23162046184d
Opcode Fuzzy Hash: b5f457ff6424c34d24eddfc5867d19795002f8741b7e9b26d83b7e7e2f587019
Instruction Fuzzy Hash: 5BA158756043019FC710EF29C985A6ABBE9FF88314F088859F98A9B365DB34ED01DF91

Function 01010436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0104FC08,?), ref: 010105F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0104FC08,?), ref: 01010608
CLSIDFromProgID.OLE32(?,?,00000000,0104CC40,000000FF,?,00000000,00000800,00000000,?,0104FC08,?), ref: 0101062D
_memcmp.LIBVCRUNTIME ref: 0101064E

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 04e0211498a4b9544115de93e035dd10f1675a7e2ae2bd0b3137b75bec1a06ef
Instruction ID: 56a93c2dce3a0e14600b1b415ef2fdaf2ab70371bc0f78b73757f652c5732d46
Opcode Fuzzy Hash: 04e0211498a4b9544115de93e035dd10f1675a7e2ae2bd0b3137b75bec1a06ef
Instruction Fuzzy Hash: BA816B71A00109EFCB04CF98C984EEEB7B9FF89315F204598F546AB254DB75AE46CB60

Function 00FF1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FF14C0

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ae98dca3075db20f7c4b732631731ed6f27e71f82e66c1d63151498975e4c8f7
Instruction ID: 99ab527f01a214c5d07289e7ffff556c3aa8b94778f5ee37a2ebd17685d043f6
Opcode Fuzzy Hash: ae98dca3075db20f7c4b732631731ed6f27e71f82e66c1d63151498975e4c8f7
Instruction Fuzzy Hash: 55412E3190010CEBDB25EBBD9C45BBE3AA5FF82370F184226FA19D72B1E67848417671

Function 01046278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0162EB50,?), ref: 010462E2
ScreenToClient.USER32(?,?), ref: 01046315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 01046382

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c20b94b6614d0da832ba0c83e8e90cbf9d66211990ffda35cf788354e1c388c7
Instruction ID: 79285265417ea4916b45cbdace78ed3153d592bce836a5c825349521d59118b4
Opcode Fuzzy Hash: c20b94b6614d0da832ba0c83e8e90cbf9d66211990ffda35cf788354e1c388c7
Instruction Fuzzy Hash: C3516CB4A00249AFDF21CF58D9C09AE7BF5FF46321F1081A9F8A497291E732E941CB50

Function 01031AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 01031AFD
WSAGetLastError.WSOCK32 ref: 01031B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01031B8A
WSAGetLastError.WSOCK32 ref: 01031B94

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 3057b747991c559f7e92ef982296823cd0dad03e82254b7de8495265eca71bbc
Instruction ID: 150e860d5e72b01577d05994718fd33d395a1b71a1b93c2a08d58427169ce829
Opcode Fuzzy Hash: 3057b747991c559f7e92ef982296823cd0dad03e82254b7de8495265eca71bbc
Instruction Fuzzy Hash: B141B574600200AFE724EF24C986F6A77E5AB88718F54848CF6569F3C2D776DD428B90

Function 00FEB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93ad44a00cf5539fd30b2c3f9cfd030b211995acee0815873480672aa63fb45
Instruction ID: 7364e56d005ffaf384055906ff64f347bdaeb8e2101a459b7825833e21f6520e
Opcode Fuzzy Hash: d93ad44a00cf5539fd30b2c3f9cfd030b211995acee0815873480672aa63fb45
Instruction Fuzzy Hash: 80410872A00344AFD724DF79CC41B6BBBA9EF84720F10466EF541DB2D1D775A9019790

Function 010256D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 01025783
GetLastError.KERNEL32(?,00000000), ref: 010257A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 010257CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 010257FA

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b2c2fe7d306032fbbacdbe490bcf3fcd43035e25270ebb8f84b8e529418cd1ec
Instruction ID: 9388bbfd40493786cf662a955bffa6ce2745bf589e8e4cc557b9087d86a1b93b
Opcode Fuzzy Hash: b2c2fe7d306032fbbacdbe490bcf3fcd43035e25270ebb8f84b8e529418cd1ec
Instruction Fuzzy Hash: 8A412E39600610DFCB21EF15C945A9EBBE1AF89310B18C488E84A6B366CB79FD01DF91

Function 00FED8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00FD6D71,00000000,00000000,00FD82D9,?,00FD82D9,?,00000001,00FD6D71,8BE85006,00000001,00FD82D9,00FD82D9), ref: 00FED910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FED999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00FED9AB
__freea.LIBCMT ref: 00FED9B4

Part of subcall function 00FE3820: RtlAllocateHeap.NTDLL(00000000,?,01081444,?,00FCFDF5,?,?,00FBA976,00000010,01081440,00FB13FC,?,00FB13C6,?,00FB1129), ref: 00FE3852

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 94a991a642e6b2a7ec06daf26045c92a129bdf94cddb13c5340356f2284f0cec
Instruction ID: 5a49a558e5e386194533a3d4bee53ca792c7ae9909a4cd243a28b9fbb5aa74e6
Opcode Fuzzy Hash: 94a991a642e6b2a7ec06daf26045c92a129bdf94cddb13c5340356f2284f0cec
Instruction Fuzzy Hash: 8631E172A0124AABDF24DF66DC85EAE7BA5EF41320F050169FC04D7251EB39DD50EBA0

Function 0101AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0101AAAC
SetKeyboardState.USER32(00000080), ref: 0101AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0101AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0101AB88

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9a8f4b4976fe5ca8ede02cf6095f2f095b7cd8c89de47958ad8f4e176aa0a642
Instruction ID: 82438d705b732f435273dc3054cb474003931344b6ca6c1555761d189d8c25cc
Opcode Fuzzy Hash: 9a8f4b4976fe5ca8ede02cf6095f2f095b7cd8c89de47958ad8f4e176aa0a642
Instruction Fuzzy Hash: 2E310470B422C8EEFF318A688884BFA7BE6BB44310F04465AE1C1531DAD37D85818761

Function 010452C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 01045352
GetWindowLongW.USER32(?,000000F0), ref: 01045375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01045382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010453A8

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: b62bbd4c9339bcee74e31be0631084274277284ad173aa5ac2b4492d56eec3e6
Instruction ID: eb94f9d90c45010c303c50ba52f27824ef2cc4015f6907e0ef1d25c05e9278b1
Opcode Fuzzy Hash: b62bbd4c9339bcee74e31be0631084274277284ad173aa5ac2b4492d56eec3e6
Instruction Fuzzy Hash: FA31C2B4A55208FFFB749E18CCC5BE83BE5AB05352F48C1A1FAD0961D1C7B5A980DB42

Function 01047674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0104769A
GetWindowRect.USER32(?,?), ref: 01047710
PtInRect.USER32(?,?,01048B89), ref: 01047720
MessageBeep.USER32(00000000), ref: 0104778C

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 7cb9f41c74c48703214f24d77f69ddef017c759e480b77b2aa8737a93e4ad935
Instruction ID: fcb2ec6af474d8d1b0997b629d7b686f83147506a2630ba21a1bacf3804dc641
Opcode Fuzzy Hash: 7cb9f41c74c48703214f24d77f69ddef017c759e480b77b2aa8737a93e4ad935
Instruction Fuzzy Hash: 3041BCB8601215EFDB22CF58C5C4EAC7BF5BF48310F4540B8E9D49B255C336A942CB90

Function 010416DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 010416EB

Part of subcall function 01013A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01013A57
Part of subcall function 01013A3D: GetCurrentThreadId.KERNEL32 ref: 01013A5E
Part of subcall function 01013A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010125B3), ref: 01013A65

GetCaretPos.USER32(?), ref: 010416FF
ClientToScreen.USER32(00000000,?), ref: 0104174C
GetForegroundWindow.USER32 ref: 01041752

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 2037f74f3ad0f27b10ad1be95344ceb2ec61ed357ec6709c98d60c0a70662d5f
Instruction ID: 5606cfb086b00b146c7f6ed94655590b738e139d319286c86506e7e9c0568937
Opcode Fuzzy Hash: 2037f74f3ad0f27b10ad1be95344ceb2ec61ed357ec6709c98d60c0a70662d5f
Instruction Fuzzy Hash: CD313EB5D00249AFD700EFAAC9C18EEBBF9FF48204B5480AAE455E7201D7359E45CFA0

Function 0101DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00FB7620: _wcslen.LIBCMT ref: 00FB7625

_wcslen.LIBCMT ref: 0101DFCB
_wcslen.LIBCMT ref: 0101DFE2
_wcslen.LIBCMT ref: 0101E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0101E018

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: ea880fc347daff0035df8c18d183c21c7be1fa4e36aeb48f35e5422ae48c4783
Instruction ID: ef2189e71364b919d3f8aa5cbd5b7277b2e09bd8aa5425f7179392e54f6a4728
Opcode Fuzzy Hash: ea880fc347daff0035df8c18d183c21c7be1fa4e36aeb48f35e5422ae48c4783
Instruction Fuzzy Hash: CF21D371900214AFCB21AFA8CD81BAEB7F9EF45750F1440A9F944BB346D6789E408BA1

Function 0101D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0101D501
Process32FirstW.KERNEL32(00000000,?), ref: 0101D50F
Process32NextW.KERNEL32(00000000,?), ref: 0101D52F
CloseHandle.KERNEL32(00000000), ref: 0101D5DC

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ea992ce21eca4c20d5e94a489401da1e2b05f074959e49a502b3534d06c72cff
Instruction ID: 89fecb4b90579034d8db62ae748eb383cd3a83790058b4d3d1ea56d69c560e90
Opcode Fuzzy Hash: ea992ce21eca4c20d5e94a489401da1e2b05f074959e49a502b3534d06c72cff
Instruction Fuzzy Hash: 8B31BF711083009FD311EF94CC85AAFBBF8EF99354F14092DF6C1821A1EB799A48DB92

Function 01048FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC9BB2

GetCursorPos.USER32(?), ref: 01049001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,01007711,?,?,?,?,?), ref: 01049016
GetCursorPos.USER32(?), ref: 0104905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,01007711,?,?,?), ref: 01049094

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c0f1b46333ed426166830e1ca267e56dead5539b695b8f7461735db36284f235
Instruction ID: adaf7265b764cb6a8008fd9fddd03fb1add30408b0d6ec8a3ed4912f96f0528c
Opcode Fuzzy Hash: c0f1b46333ed426166830e1ca267e56dead5539b695b8f7461735db36284f235
Instruction Fuzzy Hash: 04219C75601018AFEB25DF98C889EEF3BB9EF89350F0040B9FA8547251C7369990DB60

Function 0101D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0104CB68), ref: 0101D2FB
GetLastError.KERNEL32 ref: 0101D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0101D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0104CB68), ref: 0101D376

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 957467fca28ded74a9180eee71b82353d7e2ffb8fb0c29123e37560ce07ec9fa
Instruction ID: b93667d6e3b2e1bd46ebc088e74a48e2f9ed4c8bafa1f0fc8c31d34f093bbfbb
Opcode Fuzzy Hash: 957467fca28ded74a9180eee71b82353d7e2ffb8fb0c29123e37560ce07ec9fa
Instruction Fuzzy Hash: 5321E2745093019F9310DF69CA848AE7BE8EF46328F108A5DF4D9C72A5DB39D906CF92

Function 01011571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01011014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0101102A
Part of subcall function 01011014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01011036
Part of subcall function 01011014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01011045
Part of subcall function 01011014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0101104C
Part of subcall function 01011014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01011062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 010115BE
_memcmp.LIBVCRUNTIME ref: 010115E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01011617
HeapFree.KERNEL32(00000000), ref: 0101161E

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: a212f10f25efe7f12defa05f8b3d16c20959f739b69047da569d19af422ade64
Instruction ID: 5cb2f9a44c707dfe54f58c2efb17cf9c7e063f85f212fa5e39b0436ed092f43a
Opcode Fuzzy Hash: a212f10f25efe7f12defa05f8b3d16c20959f739b69047da569d19af422ade64
Instruction Fuzzy Hash: 46218E71E01109EFDB14CFA8CA44BEEBBF8EF44354F084899E681A7244D739AA05CB50

Function 01042782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0104280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01042824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01042832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01042840

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 245ecbde02268879735c5506111a3e8190b54be2158dd5c629d6fe4259fdad63
Instruction ID: 58e8991702c93cec98a820a96cde8684f3b993a2571a995deb592f9085b75e9d
Opcode Fuzzy Hash: 245ecbde02268879735c5506111a3e8190b54be2158dd5c629d6fe4259fdad63
Instruction Fuzzy Hash: A321F475305111AFE714DB24D884FAA7B95AF45324F1481A8F4568B6D2C775EC82CBD0

Function 0102CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0102CE89
GetLastError.KERNEL32(?,00000000), ref: 0102CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0102CEFE

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 79a352e2c134d5483603dff63958b8d209855d3a566b0b8c0e5994b8183d4f70
Instruction ID: cc9414fad9814a1771411ae931ea3d106ddf88c4f405c1849994d0ffa752215a
Opcode Fuzzy Hash: 79a352e2c134d5483603dff63958b8d209855d3a566b0b8c0e5994b8183d4f70
Instruction Fuzzy Hash: C421C1B15007159BFB70DF69CB84BABBBFCEB40358F10445EE686D2141E775EA048B50

Function 010178F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01018D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0101790A,?,000000FF,?,01018754,00000000,?,0000001C,?,?), ref: 01018D8C
Part of subcall function 01018D7D: lstrcpyW.KERNEL32(00000000,?,?,0101790A,?,000000FF,?,01018754,00000000,?,0000001C,?,?,00000000), ref: 01018DB2
Part of subcall function 01018D7D: lstrcmpiW.KERNEL32(00000000,?,0101790A,?,000000FF,?,01018754,00000000,?,0000001C,?,?), ref: 01018DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,01018754,00000000,?,0000001C,?,?,00000000), ref: 01017923
lstrcpyW.KERNEL32(00000000,?,?,01018754,00000000,?,0000001C,?,?,00000000), ref: 01017949
lstrcmpiW.KERNEL32(00000002,cdecl,?,01018754,00000000,?,0000001C,?,?,00000000), ref: 01017984

Strings

cdecl, xrefs: 0101797B

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d81bd9019532fb81ca3410012508b8e0c531cc761ff83eca1844fd6f798302eb
Instruction ID: 9a839eb442920e9571a91052508ef650111ceacbdd63bcbd0a5d75d7e81b7271
Opcode Fuzzy Hash: d81bd9019532fb81ca3410012508b8e0c531cc761ff83eca1844fd6f798302eb
Instruction Fuzzy Hash: 7C112C3A200302ABDB155F38C844D7B77E6FF85350B40402EF982C7268EB359905C791

Function 01047CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 01047D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 01047D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 01047D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0102B7AD,00000000), ref: 01047D6B

Part of subcall function 00FC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC9BB2

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4c76dcb85b4b6174bf561ba82a47f172c0658467204cdb7c20839ea58713721d
Instruction ID: af3a6a7a87c682408de106786b74608be5ca684958129637e1f4bd4cc2aaf80d
Opcode Fuzzy Hash: 4c76dcb85b4b6174bf561ba82a47f172c0658467204cdb7c20839ea58713721d
Instruction Fuzzy Hash: D011D2B2215615AFDB20AF2CCC84A6A3BA5BF45360B118378F9F9C72E0D7359951CB80

Function 01045660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 010456BB
_wcslen.LIBCMT ref: 010456CD
_wcslen.LIBCMT ref: 010456D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 01045816

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 8447211197d05930f6343d3a7e19f4261ef3e06daadd59ee97ddabf58aa7b675
Instruction ID: 3d93d3c10a826dc1f7eab27f604f2842976d09a44b879efd3d851b271cbdbf66
Opcode Fuzzy Hash: 8447211197d05930f6343d3a7e19f4261ef3e06daadd59ee97ddabf58aa7b675
Instruction Fuzzy Hash: 991103F5600208A7EB20DF65DCC1AEE3BACEF05364B00407AFA85DA081EB74D640CB60

Function 00FE1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0d392158d77651cf1b205dca71212903d88269a790de22cc535a8435df1eac
Instruction ID: 17f00632a999bc74f516eff29feabdc87afc1d49eb753d924f7410cf98f10681
Opcode Fuzzy Hash: 0a0d392158d77651cf1b205dca71212903d88269a790de22cc535a8435df1eac
Instruction Fuzzy Hash: 0E01A2B260A69A3EF731257B6CC1F2B761CEF813B8B310329F521511D6DB798C047160

Function 01011A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 01011A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01011A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01011A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01011A8A

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1b84d2acb9ff0eab1b70a3c6dbf53dbaba303f399193ccae443ac119eb4dd144
Instruction ID: 95a2f854a42774ff36aaf73af5f147cb1b2ba800843af3e84a3f9763a182d845
Opcode Fuzzy Hash: 1b84d2acb9ff0eab1b70a3c6dbf53dbaba303f399193ccae443ac119eb4dd144
Instruction Fuzzy Hash: 0211397AD00219FFEB11DBA8C985FADBBB8EB08754F200091EA00B7294D6716E50DB94

Function 0101E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0101E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0101E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0101E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0101E24D

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 23e73bea376fcfacf3e4500a3d84c441559e6555f49d6e3ef0150299fdf0a41c
Instruction ID: 89eb12cb8b11317a76563c4d8bd96fded07c78d1ff5e1df41905b60ad14040e2
Opcode Fuzzy Hash: 23e73bea376fcfacf3e4500a3d84c441559e6555f49d6e3ef0150299fdf0a41c
Instruction Fuzzy Hash: 05112BB6A04254BFD7229FACDD45ADE7FACAF46310F048255FD94D3285D2B9C90087A0

Function 00FDD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00FDCFF9,00000000,00000004,00000000), ref: 00FDD218
GetLastError.KERNEL32 ref: 00FDD224
__dosmaperr.LIBCMT ref: 00FDD22B
ResumeThread.KERNEL32(00000000), ref: 00FDD249

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 0a8b53a89214ba34563f83cb974e2d6def4b953a01c376d0b01a32b994c97749
Instruction ID: 224035662d669e266da431c094b1481719d8a2d8e96cb0741bbd95ceedb361a1
Opcode Fuzzy Hash: 0a8b53a89214ba34563f83cb974e2d6def4b953a01c376d0b01a32b994c97749
Instruction Fuzzy Hash: 9801F9768051047BD7216BA5DC09BAE7B6EDF82332F18031AF925923D0DB75C905E7A0

Function 00FB600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FB604C
GetStockObject.GDI32(00000011), ref: 00FB6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FB606A

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 0e7ce88681db281fd9832318248699f7c09521648574f548000558d0a9d94f3d
Instruction ID: 7ee76662f6cbfd8d993508317fdef340f57d3a34c964abbbaa879b2c549e282d
Opcode Fuzzy Hash: 0e7ce88681db281fd9832318248699f7c09521648574f548000558d0a9d94f3d
Instruction Fuzzy Hash: 771161B3502548BFEF229F969D44EFA7B69FF093A4F040115FA5492110D73A9C60EF90

Function 00FD3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00FD3B56

Part of subcall function 00FD3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00FD3AD2
Part of subcall function 00FD3AA3: ___AdjustPointer.LIBCMT ref: 00FD3AED

_UnwindNestedFrames.LIBCMT ref: 00FD3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00FD3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00FD3BA4

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: f0edf08cb407e4859df5f797cf20c300daa63f414c5de571fc7dfd6a7705e908
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 52012D32500148BBDF126F95CC46DEB3B6AEF88754F08401AFE4856221C736E961EBA1

Function 00FE3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00FB13C6,00000000,00000000,?,00FE301A,00FB13C6,00000000,00000000,00000000,?,00FE328B,00000006,FlsSetValue), ref: 00FE30A5
GetLastError.KERNEL32(?,00FE301A,00FB13C6,00000000,00000000,00000000,?,00FE328B,00000006,FlsSetValue,01052290,FlsSetValue,00000000,00000364,?,00FE2E46), ref: 00FE30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00FE301A,00FB13C6,00000000,00000000,00000000,?,00FE328B,00000006,FlsSetValue,01052290,FlsSetValue,00000000), ref: 00FE30BF

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: bfe36360524650c3076d9d44eb17f50a828a72c02d85b081afce90e426ef3144
Instruction ID: 3011afab7b876b71ba6e7145b7771c9c957536b63e678d0e224712eeb2c59fc4
Opcode Fuzzy Hash: bfe36360524650c3076d9d44eb17f50a828a72c02d85b081afce90e426ef3144
Instruction Fuzzy Hash: 44012B76702262ABDB318A7B9D8CA677B98AF45B75B200620FB45E3144C736D901D7E0

Function 01017464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0101747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 01017497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 010174AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 010174CA

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 6722914d0fdf05ae64a152903ffaa93683ce6378fa169d1b74fc13dbc92f3ce1
Instruction ID: 712a0ae8211ceec448b087787fa7486ad2332877b96042009056c62e4e498951
Opcode Fuzzy Hash: 6722914d0fdf05ae64a152903ffaa93683ce6378fa169d1b74fc13dbc92f3ce1
Instruction Fuzzy Hash: 1311A1B52423009BF7308F58DE48B967FFCEB40B00F008569EA96D6155DF79E904CB50

Function 0101B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0101ACD3,?,00008000), ref: 0101B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0101ACD3,?,00008000), ref: 0101B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0101ACD3,?,00008000), ref: 0101B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0101ACD3,?,00008000), ref: 0101B126

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 34f0325f155ecdd9f714a18a0dd03134aea41f1f0ff92f55abd6cd33e2b06163
Instruction ID: 4743d5be49f21fe29f69951b33827881667e1a1ca3d16e45835f577dcc05f0cf
Opcode Fuzzy Hash: 34f0325f155ecdd9f714a18a0dd03134aea41f1f0ff92f55abd6cd33e2b06163
Instruction Fuzzy Hash: E611AD70C0251CE7DF10AFE4EA88AEEBF78FF0A310F114086E9C1B2189CB3996508B51

Function 01012DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01012DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 01012DD6
GetCurrentThreadId.KERNEL32 ref: 01012DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01012DE4

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 784a6bc2d38f3e505bfcbcbfa28627b810f0e1ce171b2490000b996d1d2d7fd2
Instruction ID: 7fb38b95315b62ce6a25278acd260c9f15f0784aa1f0863e9d20391e360a60dd
Opcode Fuzzy Hash: 784a6bc2d38f3e505bfcbcbfa28627b810f0e1ce171b2490000b996d1d2d7fd2
Instruction Fuzzy Hash: EDE092B52022287BE7302BB6DE4DFEB3E6CEF47BA1F504015F245D10849AAAD440C7B0

Function 01048863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FC9693
Part of subcall function 00FC9639: SelectObject.GDI32(?,00000000), ref: 00FC96A2
Part of subcall function 00FC9639: BeginPath.GDI32(?), ref: 00FC96B9
Part of subcall function 00FC9639: SelectObject.GDI32(?,00000000), ref: 00FC96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 01048887
LineTo.GDI32(?,?,?), ref: 01048894
EndPath.GDI32(?), ref: 010488A4
StrokePath.GDI32(?), ref: 010488B2

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c1e001fb0c2e9ff399bfba9f80a5d87d0a4b60113d5ca1e8fb4cf920377de1f5
Instruction ID: 9b220b6bcb86f9099422d7b023e196a032713acefdf5aabc2e42c49ed7f7ca50
Opcode Fuzzy Hash: c1e001fb0c2e9ff399bfba9f80a5d87d0a4b60113d5ca1e8fb4cf920377de1f5
Instruction Fuzzy Hash: E3F09A3A006258BBFB221E94AE4AFCE3E59AF06310F008104FA81610D5C3BA1111DBA9

Function 00FC98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00FC98CC
SetTextColor.GDI32(?,?), ref: 00FC98D6
SetBkMode.GDI32(?,00000001), ref: 00FC98E9
GetStockObject.GDI32(00000005), ref: 00FC98F1

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: cb9fa8452e26f173f1c2c939a5a900700d37a57ee5d4203fdd2f7247f8ac7f1a
Instruction ID: c2fc687cc1839e08fe3ed32557d9478eebb87903e06d3ceac991a4600208973c
Opcode Fuzzy Hash: cb9fa8452e26f173f1c2c939a5a900700d37a57ee5d4203fdd2f7247f8ac7f1a
Instruction Fuzzy Hash: 5DE06575641280ABFB315B78AA49BD83F60AB06336F048259F7F5540E4C7B642409B10

Function 0101162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 01011634
OpenThreadToken.ADVAPI32(00000000,?,?,?,010111D9), ref: 0101163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,010111D9), ref: 01011648
OpenProcessToken.ADVAPI32(00000000,?,?,?,010111D9), ref: 0101164F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: bf55e993bb49c27173cda6243d5fc7e87d8f73b2dd94bd734240346322a278c7
Instruction ID: 9c521d2cded0ec42934e5f3b918ac1c44d1bf6096d42b0f8732f9de3863406fd
Opcode Fuzzy Hash: bf55e993bb49c27173cda6243d5fc7e87d8f73b2dd94bd734240346322a278c7
Instruction Fuzzy Hash: 0EE04FB5602211ABE7701BB49F4DB463BA9AF45792F144848F6C5C9088D67E40408B50

Function 0100D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0100D858
GetDC.USER32(00000000), ref: 0100D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0100D882
ReleaseDC.USER32(?), ref: 0100D8A3

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 997f7d28c0dc56e3be2b7b4d296249d5349494549b9e2f3677804c1eeda72456
Instruction ID: 7dfe05cf41499458f910e43eb90b1027f938273680acac27d93ee9a698fef8ec
Opcode Fuzzy Hash: 997f7d28c0dc56e3be2b7b4d296249d5349494549b9e2f3677804c1eeda72456
Instruction Fuzzy Hash: 28E01AB9801205EFEB619FE0D748A6DBBB5FB08310F108059F886E7244C73D9901AF50

Function 0100D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0100D86C
GetDC.USER32(00000000), ref: 0100D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0100D882
ReleaseDC.USER32(?), ref: 0100D8A3

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2ea62e0a516a67e57bc340ace9ee01c0de0d3ca8033557ff59e07c581227fc5f
Instruction ID: 1e5bae6236f86ffd2f36232a835b105f6f7d93434fe2f09f3c768157cb1faa1d
Opcode Fuzzy Hash: 2ea62e0a516a67e57bc340ace9ee01c0de0d3ca8033557ff59e07c581227fc5f
Instruction Fuzzy Hash: D7E01AB9801200EFDB609FA0D64866DBBB5BB08310B108048F886E7244C73D6901AF50

Function 01024D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB7620: _wcslen.LIBCMT ref: 00FB7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 01024ED4

Strings

LPT, xrefs: 01024DFB
*, xrefs: 01024E10

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 10284ecf1fca7d1b35a619823ce5bbd1aa1cd107a991654a4742ff013db47980
Instruction ID: 7cdf273daea9bcae447d19b69b19399fbb198939ad3bf8dd84f63fcd0faa149c
Opcode Fuzzy Hash: 10284ecf1fca7d1b35a619823ce5bbd1aa1cd107a991654a4742ff013db47980
Instruction Fuzzy Hash: 25918F75A00214DFDB54DF58C884EAABBF1AF84304F1980D9E84A9F7A2C735ED85CB90

Function 00FDE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00FDE30D

Strings

pow, xrefs: 00FDE2E5, 00FDE302

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: f134f98ed10e371fd9fc16c70389214544497a6201d4b547d27bc357ed6c68ed
Instruction ID: cafb5e04ff3270b391f75c1728e7a02bced3ec772ca8f66805223828c61c0b49
Opcode Fuzzy Hash: f134f98ed10e371fd9fc16c70389214544497a6201d4b547d27bc357ed6c68ed
Instruction Fuzzy Hash: 25518E72E0C34296CB257615CD0137A3F99EF40761F3849AAE0D54A3DCEB398C85BB86

Function 00FCE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00FCE1B1

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: dcf6f54525e3142539cbe5a69f86cac69102e0d4a10b0bd73fe96b6ffcb71075
Instruction ID: 3edd4ee39237810f05895337463b6c5679352c9ce5e6c0ac2968024e1ab5f9e0
Opcode Fuzzy Hash: dcf6f54525e3142539cbe5a69f86cac69102e0d4a10b0bd73fe96b6ffcb71075
Instruction Fuzzy Hash: 96515575904206DFEB26DF28C482BFA7BE8FF55310F244499E8D5AB2C1D6389D42DB90

Function 00FCF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00FCF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00FCF2BB

Strings

@, xrefs: 00FCF2AF

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0372b86c89331aaabf5276ff6c28a27151a4127d0eb076354c8af833471d6474
Instruction ID: 7fd7e6c8f42972ba3d3ce65beed095ed43f6a675697c8cc5e9b24282fa0d1e28
Opcode Fuzzy Hash: 0372b86c89331aaabf5276ff6c28a27151a4127d0eb076354c8af833471d6474
Instruction Fuzzy Hash: 865135715087449BE320AF11DC86BABBBF8FBC4340F81885DF1D982195EB758529CB66

Function 01035745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 010357E0
_wcslen.LIBCMT ref: 010357EC

Strings

CALLARGARRAY, xrefs: 010357E6, 010357EB

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 8677861071ee3d537ef23fa196b591e386a5d26b5d8ff5fba67272cb2b05d631
Instruction ID: b098f5e39e94e942aa95494edb138d6ab7ea39e8eb7e00ca791adb89b0204792
Opcode Fuzzy Hash: 8677861071ee3d537ef23fa196b591e386a5d26b5d8ff5fba67272cb2b05d631
Instruction Fuzzy Hash: E9419171E002099FCB14DFA9CD819FEBBF9FF89314F244069E545A7262E7749981CB90

Function 0102D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0102D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0102D13A

Strings

|, xrefs: 0102D10B

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6ca9991b379de53b0e4eb36074bb446f9d4fe45891d207b55ec7935da8b87b5e
Instruction ID: e0019c57699598a293638c6328acad2b0947c171819f21f09deff9b517ad30a3
Opcode Fuzzy Hash: 6ca9991b379de53b0e4eb36074bb446f9d4fe45891d207b55ec7935da8b87b5e
Instruction Fuzzy Hash: 66313D71D00219ABDF15EFA5CC85AEEBFB9FF04300F100059F915A61A6E739AA06DF54

Function 0104356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01043621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0104365C

Strings

static, xrefs: 010435BC

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 2d4d3fff05d2e78f8bc7c1014c67e9a6a3da0356cdc766408bec8c068653b9b0
Instruction ID: 6d475a59f8982aeb69edf6de220c8377928f181a23b73858de626a24d30437d9
Opcode Fuzzy Hash: 2d4d3fff05d2e78f8bc7c1014c67e9a6a3da0356cdc766408bec8c068653b9b0
Instruction Fuzzy Hash: F3318FB1110205AFEB209F68DC80EFB73A9FF48720F009629F9A597280DA35A891D760

Function 01044537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0104461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01044634

Strings

', xrefs: 0104458E

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: aa00198675b307d6607b5b58c8b7e127cfea58215a2ace199a0083b30b5425f4
Instruction ID: ea18768fcd512b161ed392ba341ccdfab5b7a5356655e2ad9be889fffbf42fe7
Opcode Fuzzy Hash: aa00198675b307d6607b5b58c8b7e127cfea58215a2ace199a0083b30b5425f4
Instruction Fuzzy Hash: 5631E7B4A012099FDF14CFA9C981BDA7BB5FF49300F144169EA45EB342D771A945CF90

Function 010431EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0104327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01043287

Strings

Combobox, xrefs: 01043249

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 200c155b4bc206c8d38844ec479a6be0a11d5026ba0e1ea332e469b72939ee31
Instruction ID: ad0b7931393ce360d692ba87ac5c5fa3b319c636ac1561cc2c1096f7d88a5b41
Opcode Fuzzy Hash: 200c155b4bc206c8d38844ec479a6be0a11d5026ba0e1ea332e469b72939ee31
Instruction Fuzzy Hash: D911D3B13002186FFF669E58DDC0EAB37AAFB483A4F105125F9949B291D6359C51C760

Function 01043710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FB600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FB604C
Part of subcall function 00FB600E: GetStockObject.GDI32(00000011), ref: 00FB6060
Part of subcall function 00FB600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FB606A

GetWindowRect.USER32(00000000,?), ref: 0104377A
GetSysColor.USER32(00000012), ref: 01043794

Strings

static, xrefs: 01043757

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 0f35c9e166a2fd3b898c64d08fef5ca6c910e4cf47d07af324689812f09a83ca
Instruction ID: 2925a9bbf282b9d938d0c4323a2529a4843772315d7e915a58d283bcc597f745
Opcode Fuzzy Hash: 0f35c9e166a2fd3b898c64d08fef5ca6c910e4cf47d07af324689812f09a83ca
Instruction Fuzzy Hash: 961129B2610209AFEB11DFA8CD85AEE7BF8FF08354F005925F995E6240D735E8519B50

Function 0102CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0102CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0102CDA6

Strings

<local>, xrefs: 0102CD66

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7ee318c9f011224a462de4186f81abbbdf056beb31e95336aaf7025794bcaf80
Instruction ID: ae9ddfe172740d6609660b3a3d91d62fac803114ff32405fe47b1ea2cf7d0f66
Opcode Fuzzy Hash: 7ee318c9f011224a462de4186f81abbbdf056beb31e95336aaf7025794bcaf80
Instruction Fuzzy Hash: A71129B12016317AF7746A668D84FFBBEACEF026A4F00425AF18983080D3759444C6F0

Function 01043429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 010434AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010434BA

Strings

edit, xrefs: 0104348F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: d64d1d6a7497d942d27a4fb730a824af6a50085e3db602d54615b2814f4892bf
Instruction ID: bfca55e158604147f04a1fc4312ef4a5eaa97aec9262e7aad242f36c8fd2c919
Opcode Fuzzy Hash: d64d1d6a7497d942d27a4fb730a824af6a50085e3db602d54615b2814f4892bf
Instruction Fuzzy Hash: 33119DB5100118ABEB624E68DC84AEA37AAFB85374F505324F9A09B1D4CB36EC519B50

Function 01016C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

CharUpperBuffW.USER32(?,?,?), ref: 01016CB6
_wcslen.LIBCMT ref: 01016CC2

Strings

STOP, xrefs: 01016CBC, 01016CC1

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: a4fe00bbd13b2ab198b28aecdffc7d4605a521aef29b68b7f936df5c72e54be7
Instruction ID: 917215f809e8ee2e6122c0c8e6f0c747a623a5d9fa68a10e3f45da01c26873c2
Opcode Fuzzy Hash: a4fe00bbd13b2ab198b28aecdffc7d4605a521aef29b68b7f936df5c72e54be7
Instruction Fuzzy Hash: 95010432E0052A8BDB21AFBECC808BF3BE5EB61610B400564E99292189EBBBD440C750

Function 01011CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 01013CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01013CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01011D4C

Strings

ListBox, xrefs: 01011D16
ComboBox, xrefs: 01011CEB

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1c7af217eac0e73027b912abfd712ed9ae3fa38b9602c0b87792ff2fcbe6b164
Instruction ID: 32e435c1f07aa18dc5fe9eb55b9d9eeaf3595c0cc6c2738553610f1ac90e6511
Opcode Fuzzy Hash: 1c7af217eac0e73027b912abfd712ed9ae3fa38b9602c0b87792ff2fcbe6b164
Instruction Fuzzy Hash: 72014C7560121DABDB08FBB5CD50CFE77A8FF16350B400509EAB25B3C4EA785408CB60

Function 01011BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 01013CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01013CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 01011C46

Strings

ListBox, xrefs: 01011C10
ComboBox, xrefs: 01011BE5

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7afec659a5cd123cc290d2293d930be074ba6298049439a72f0eddf89e890b8f
Instruction ID: 6165efef5180b51dbd4ac0fea15836bdf3945aaf224c26f7b8909480df1d4195
Opcode Fuzzy Hash: 7afec659a5cd123cc290d2293d930be074ba6298049439a72f0eddf89e890b8f
Instruction Fuzzy Hash: 04012BB5B4110D67DB08EBA1CE51DFF77E8AF11340F100019AA8667285EA78AA08CBB1

Function 01011C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 01013CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01013CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 01011CC8

Strings

ListBox, xrefs: 01011C94
ComboBox, xrefs: 01011C69

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 975a62dac21556eec96e9288fa94d8bdaf58b4b2ce9b7d373545023e9d515536
Instruction ID: c1ad5b0d4f0e6b1f44263db6f2c237cc70d356874218d33019c6a4938ebfcef8
Opcode Fuzzy Hash: 975a62dac21556eec96e9288fa94d8bdaf58b4b2ce9b7d373545023e9d515536
Instruction Fuzzy Hash: 88012BB5A0011D67DF08E7A5CF41AFF77E8AB11340F100015AA8667285EA789A08CBB1

Function 01011D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9CB3: _wcslen.LIBCMT ref: 00FB9CBD

Part of subcall function 01013CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01013CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 01011DD3

Strings

ListBox, xrefs: 01011DA0
ComboBox, xrefs: 01011D75

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cba937351d09c2026dc883df615f0a1f348062c228fddf87862e378388e86939
Instruction ID: dcbd0c7786c1755d43aec5a34d1b810eab704d969edbfa5b882e09ff6163b868
Opcode Fuzzy Hash: cba937351d09c2026dc883df615f0a1f348062c228fddf87862e378388e86939
Instruction Fuzzy Hash: 15F04970A0021967DB08F7A5CC81BFF77A8AB01350F400808BAA2672C4EA7855088760

Function 0103747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01037493
_wcslen.LIBCMT ref: 010374B9

Strings

3, 3, 16, 1, xrefs: 01037483

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 9c3284a6ef4b2411c3b8476176b6d521bd165db01887e4f0255910b282d27005
Instruction ID: 8297262f460bb87fdb590bed396ba0e8a1f60b7a3bb2cdf9f320a1c3791ef4e5
Opcode Fuzzy Hash: 9c3284a6ef4b2411c3b8476176b6d521bd165db01887e4f0255910b282d27005
Instruction Fuzzy Hash: 67E02B42601320219271137F9CC197F7ACECFC9690714182BFAC5C2366EFA8ED9193A1

Function 01010B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 01010B23

Strings

AutoIt, xrefs: 01010B17
Error allocating memory., xrefs: 01010B1C

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: b3ba5c81db7be2605651caffa15460f1aa8f6a7488838ba112487f719a6ade52
Instruction ID: 9b1cb56fa469f093ec00c027b9238394a49b2bc485c47771c034107bc35486ce
Opcode Fuzzy Hash: b3ba5c81db7be2605651caffa15460f1aa8f6a7488838ba112487f719a6ade52
Instruction Fuzzy Hash: 9CE0D83128531837E2143795BE43FC97B859F05B10F10446EFBD4995C38EDA249016ED

Function 00FD0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FCF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FD0D71,?,?,?,00FB100A), ref: 00FCF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00FB100A), ref: 00FD0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FB100A), ref: 00FD0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FD0D7F

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: ffcd99318178deb79fa3f10f979363158bd7d8e1e8ac14d5402cf9f866113f29
Instruction ID: 287e5590bd4cd92a42f350f103faff0adc85ea85f5e68f0d9b88eb94430db404
Opcode Fuzzy Hash: ffcd99318178deb79fa3f10f979363158bd7d8e1e8ac14d5402cf9f866113f29
Instruction Fuzzy Hash: F7E06DB42003028BE3309FBEE6447467BE2AF04B45F04892EE4C6C7746DFB9E4449BA1

Function 01023017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0102302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 01023044

Strings

aut, xrefs: 01023038

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a58688428f20d6645818598147587777666f0d2b4a206942fd71469bffc7d844
Instruction ID: b2d4cd4b920d02d070e715df4994f445699993e8575fc3e2cad99d9419c6e2a8
Opcode Fuzzy Hash: a58688428f20d6645818598147587777666f0d2b4a206942fd71469bffc7d844
Instruction Fuzzy Hash: 9CD05BB550131477EB30A6959E4DFC73A6CD704650F0001517695D6085DAF59544CFD4

Function 0100D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0100D220

Strings

%.3d, xrefs: 0100D22B
X64, xrefs: 0100D2A8

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: efb62a7dd21a068c45ee7d5b603f3d386e082badc266c822c0e949d67702988d
Instruction ID: 8fa0ba30031847b6db04aec83a676cea4166f6851784b9e85f6344b870f29331
Opcode Fuzzy Hash: efb62a7dd21a068c45ee7d5b603f3d386e082badc266c822c0e949d67702988d
Instruction Fuzzy Hash: D2D05BB1C09119FADB5196D0CE4ADBDF37CFB68351F408466F98AD1080D738D5085B71

Function 01042322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0104232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0104233F

Part of subcall function 0101E97B: Sleep.KERNEL32 ref: 0101E9F3

Strings

Shell_TrayWnd, xrefs: 01042325

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9b89e946361f00e9ed57cf40ddaa3692c2cace36a57f856ed14207c38e74be1e
Instruction ID: 32397795d8b04a2d4ceec68485634b9bd868795e219de6bb996c7f3e34e506ef
Opcode Fuzzy Hash: 9b89e946361f00e9ed57cf40ddaa3692c2cace36a57f856ed14207c38e74be1e
Instruction Fuzzy Hash: 01D0A9BA791300B7F274A331DE4FFCABA14AB00B00F0049067786AA1C8C8B9A800CB44

Function 01042356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0104236C
PostMessageW.USER32(00000000), ref: 01042373

Part of subcall function 0101E97B: Sleep.KERNEL32 ref: 0101E9F3

Strings

Shell_TrayWnd, xrefs: 01042365

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: eaa84d3d3a54044390a9704d3e21a2367a95b37ee712433847bc2d64939fece7
Instruction ID: 52b95bf0cd67160952cc00ef6553e13e915023421d384ee07c6b4cea5d83917c
Opcode Fuzzy Hash: eaa84d3d3a54044390a9704d3e21a2367a95b37ee712433847bc2d64939fece7
Instruction Fuzzy Hash: F1D0A9B67823007BF274A331DE4FFCAB614AB04B00F0049067782AA1C8C8B9A800CB48

Function 00FEBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00FEBE93
GetLastError.KERNEL32 ref: 00FEBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FEBEFC

Memory Dump Source

Source File: 00000000.00000002.1856381544.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1856368416.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.000000000104C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856469261.0000000001072000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856505597.000000000107C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856519581.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_ungziped_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 61d1cfbf43deb0224a729a8e4f0e90667d902f60060b95a83d566d8598b627ec
Instruction ID: 1ad55863ff90c7544acc9e5a208685640173b75b358b662453ef17f24cb3da64
Opcode Fuzzy Hash: 61d1cfbf43deb0224a729a8e4f0e90667d902f60060b95a83d566d8598b627ec
Instruction Fuzzy Hash: 6041E835A052C6AFDF218FA6CC44BBB7BA5EF41320F144169F959972A1DB318D00EB60

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ungziped_file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\horrify

C:\Users\user\AppData\Local\asset\proximobuccal.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proximobuccal.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
ungziped_file.exe

Function 00FB42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00FB42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00FF2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00FB2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00FF065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00FB344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00FB2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00FB3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 01651350 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Function 00FB2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01652E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 140
fileCOMMON

Function 00FB3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre